To secure the microservices in your application inside a global namespace, you can create the API Security policies through the Tanzu Service Mesh Console UI.

API Security policies allow administrators to block or allow layer 4 and layer 7 traffic. Additionally, administrators can create granular policies that provide API and data segmentation, OWASP Top 10 attack defense, schema validation, geofencing, data compliance, and egress controls.

Prerequisites

Procedure

  1. In the navigation panel on the left, select New Workflow > New Policy > API Security Policy.

    Alternatively, you can create the API Security policy by navigating to the panel on the left and selecting Configuration > API Security Policy. In the upper-right corner of the API Security Policy page, click New Policy.

  2. In the New API Security Policy window, select a global namespace from the GNS Scope drop-down menu.
  3. Select a service from the Service drop-down menu.
  4. In Default Security Rules:
    1. Select either Allow or Deny requests in Access Control. Rate Limit allows you to specify the number of requests per minute (RPM).
    2. In PII Data Security, you can either allow or deny PII data, rate limit the number of PII data per minute, or configure rules for PII data types.

      Configure Rules for PII Data Types:

      • Choose the PII Data Type and Action (allow/deny) from the drop-down. If PII data is denied, you can also add a response code.

      • Click Add PII Data Security Rule to configure more rules.

    3. In Attack Defense, you can either allow or deny an attack type, rate limit the number of attacks per minute, or configure rules for attack types.

      Configure Rules for Attack Types:

      • Choose the Attack Type and Action (allow/deny) from the drop-down. If an attack type is denied, you can also add a response code.

      • Click Add Attack Type Security Rule to configure more rules.

    4. In Schema Validation, you can either allow or deny requests, rate limit the number of attacks per minute, or configure rules for schema validation in Advanced Settings.

      Advanced Settings:

      • Choose the Schema Violation Type and Action (allow/deny) from the drop-down. If a schema violation is denied, you can also add a response code.

      • Click Add Security Rule to configure more rules.

  5. (Optional) It is possible to add APIs manually or import specific APIs for the API security rules that you have created.

  6. Click Save.
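Steps 4.1 to 4.4 above describe four rule shapes (a default Allow/Deny with an optional requests-per-minute limit, and per-type rules for PII data, attack types and schema violations, each with an allow/deny action and an optional response code) without saying how they combine once a request arrives. The following is an added illustration, not Tanzu Service Mesh code: it models those rule shapes in plain Python and evaluates constructed requests against them, so the effect of a deny response code versus a rate limit can be seen. The request fields, the evaluation order (attack rules, then PII rules, then schema rules, then the default rule) and the sliding-window rate limiter are assumptions made for the example.

```python
"""Constructed model of an API Security policy evaluator (added example,
not Tanzu Service Mesh code). Rule names, request fields and the
evaluation order are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    response_code: Optional[int] = None  # HTTP code returned when action is "deny"
    rpm: Optional[int] = None            # requests per minute; None means no limit


class RateLimiter:
    """Sliding one-minute window per key (key = rule name in this model)."""

    def __init__(self):
        self._hits = defaultdict(deque)

    def allow(self, key: str, rpm: int, now: float) -> bool:
        window = self._hits[key]
        while window and now - window[0] >= 60.0:  # discard hits older than a minute
            window.popleft()
        if len(window) >= rpm:
            return False
        window.append(now)
        return True


@dataclass
class ApiSecurityPolicy:
    default: Rule                                      # Access Control (Allow/Deny + RPM)
    pii_rules: dict = field(default_factory=dict)      # PII Data Type -> Rule
    attack_rules: dict = field(default_factory=dict)   # Attack Type -> Rule
    schema_rules: dict = field(default_factory=dict)   # Schema Violation Type -> Rule
    limiter: RateLimiter = field(default_factory=RateLimiter)

    def evaluate(self, request: dict, now: float) -> tuple:
        """Return (decision, http_code). The request carries the findings a
        gateway would attach to it; this shape is constructed for the example:
        {"attacks": [...], "pii": [...], "schema_violations": [...]}."""
        # A default Deny short-circuits everything else.
        if self.default.action == "deny":
            return "deny", self.default.response_code or 403
        # Per-type rules, most specific finding first (assumed order).
        for table, key in ((self.attack_rules, "attacks"),
                           (self.pii_rules, "pii"),
                           (self.schema_rules, "schema_violations")):
            for finding in request.get(key, []):
                rule = table.get(finding)
                if rule is None:
                    continue  # no rule for this type: fall through to the default
                if rule.action == "deny":
                    return "deny", rule.response_code or 403
                if rule.rpm is not None and not self.limiter.allow(finding, rule.rpm, now):
                    return "deny", 429
        # Default Allow, optionally capped by the Rate Limit (RPM) setting.
        if self.default.rpm is not None and not self.limiter.allow("default", self.default.rpm, now):
            return "deny", 429
        return "allow", 200


def demo_policy() -> ApiSecurityPolicy:
    """A constructed policy: allow by default at 3 RPM, deny credit-card PII
    with 451, allow e-mail PII at 1 per minute, deny SQL injection with 403,
    tolerate unknown fields but deny type mismatches with 400."""
    return ApiSecurityPolicy(
        default=Rule("allow", rpm=3),
        pii_rules={"credit_card": Rule("deny", response_code=451),
                   "email": Rule("allow", rpm=1)},
        attack_rules={"sql_injection": Rule("deny", response_code=403)},
        schema_rules={"unknown_field": Rule("allow"),
                      "type_mismatch": Rule("deny", response_code=400)},
    )


if __name__ == "__main__":
    policy = demo_policy()
    for t, req in enumerate([{"attacks": ["sql_injection"]}, {"pii": ["email"]},
                             {"pii": ["email"]}, {}, {}, {}]):
        print(t, req, policy.evaluate(req, float(t)))
```

Two points the model makes visible: a per-type deny returns its configured response code without consuming any rate-limit budget, whereas an allow with a rate limit counts every matching request and turns into a 429 only once the per-minute window is full.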

Results

The new API security policy appears on the API Security Policies page.

What to do next

To edit an existing API Security policy, perform these steps.

  1. On the API Security Policies page, click the vertical three dots to the right of the API Security policy.

  2. On the menu, click Edit Configuration.

  3. To advance through the configuration pages after making changes, click Next.

To delete an API Security policy that you no longer need, perform these steps.

  1. Click the vertical three dots to the right of the API Security policy.

  2. On the menu, click Delete.

To see API Security policies at work in the Tanzu Service Mesh Console UI, perform these steps:

  1. In the navigation panel on the left, click Home.

  2. On the Home page, click the GNS Overview tab.

  3. Click the global namespace that contains the services the policy applies to.

  4. Click the Policies tab and select Attack Detection or Schema Validation to view the list of API Security policies created.