Manage traffic filtering through the API
This example demonstrates how to use the Elastic Cloud RESTful API to manage different types of traffic filters. We cover the following examples:
Read through the main Traffic Filtering page to learn about the general concepts behind filtering access to your Elastic Cloud Hosted deployments.
Send a request like the following to create an IP traffic filter ingress rule set:
curl \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \
-d '
{
"name": "My IP filtering Ingress Rule Set",
"region": "azure-japaneast",
"description": "",
"type": "ip",
"rules": [
{
"description": "Allow inbound traffic from IP address 192.168.131.0",
"source": "192.168.131.0"
},
{
"description": "Allow inbound traffic within CIDR block 192.168.132.6/22",
"source": "192.168.132.6/22"
}
],
"include_by_default": false
}
'
region- The region is always the same region as the deployment you want to associate with a traffic filter rule set. For details, check the list of available regions.
type- The type of the rule set. In the JSON object, we use
ipfor the ingress IP traffic filter. Currently, we supportip,egress_firewall,vpce(AWS Private Link),azure_private_endpointandgcp_private_service_connect_endpoint. These are described in further detail below.
If the request is successful, a response containing a $RULESET_ID is returned. $RULESET_ID is required to update or delete the rule set itself, or it can be used to associate the rule set to a deployment.
{
"id" : "5470a0010ebf437bb9294ea9fcba0ba0"
}
Send a request like the following to create an IP traffic filter egress rule set:
curl \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://$COORDINATOR_HOST:12443/api/v1/deployments/traffic-filter/rulesets \
-d '
{
"name": "My IP filtering Egress Rule Set",
"region": "azure-japaneast",
"description": "",
"type": "egress_firewall",
"rules": [
{
"description": "Allow outbound traffic to IP address 192.168.131.0",
"egress_rule":
{
"target": "192.168.131.0",
"protocol": "all"
}
},
{
"description": "Allow outbound traffic to CIDR block 192.168.132.6/22",
"egress_rule":
{
"target": "192.168.132.6/22",
"protocol": "all"
}
},
],
"include_by_default": false
}
'
protocol- This can be
udp,tcp, orall.
Send a request like the following to create an AWS PrivateLink traffic filter rule set:
curl -XPOST \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \
-d '
{
"name": "AWS Private Link Traffic Filter",
"region": "ap-northeast-1",
"description": "",
"type": "vpce",
"rules": [
{
"source": "vpce-00000000000"
}
],
"include_by_default": false
}
'
To find the value for source for type vpce, check Find your VPC endpoint ID. This setting is supported only in AWS regions.
Send a request like the following to create an Azure Private Link traffic filter rule set:
curl -XPOST \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \
-d '
{
"name": "Azure Private Link Traffic Filter",
"region": "azure-japaneast",
"description": "",
"type": "azure_private_endpoint",
"rules": [
{
"azure_endpoint_name": "azure-demo",
"azure_endpoint_guid": "7c0f05e4-e32b-4b10-a246-7b77f7dcc63c"
}
],
"include_by_default": false
}
'
To find the value for azure_endpoint_name and azure_endpoint_guid for type azure_private_endpoint, check Find your private endpoint resource name and Find your private endpoint resource ID. This setting is supported only in Azure regions.
Send a request like the following to create a GCP Private Service Connect traffic filter rule set:
curl -XPOST \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets \
-d '
{
"name": "GCP Private Service Connect Traffic Filter",
"region": "gcp-asia-northeast1",
"description": "",
"type": "gcp_private_service_connect_endpoint",
"rules": [
{
"source": "18446744072646845332"
}
],
"include_by_default": false
}
'
To find the value for source for type gcp_private_service_connect_endpoint, check Find your Private Service Connect connection ID. This setting is supported only in GCP regions.
Send a request like the following to update an IP traffic filter ingress rule set:
curl -XPUT \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID \
-d '
{
"name": "My IP filtering Ingress Rule Set",
"region": "azure-japaneast",
"description": "",
"type": "ip",
"rules": [
{
"description": "Allow inbound traffic from IP address 192.168.131.0",
"source": "192.168.131.0"
},
{
"description": "Allow inbound traffic within CIDR block 192.168.132.6/22",
"source": "192.168.132.6/22"
}
],
"include_by_default": true
}
'
Send a request like the following to associate a rule set with a deployment:
curl -XPOST \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID/associations \
-d '
{
"entity_type" : "deployment",
"id" : "'"$DEPLOYMENT_ID"'"
}
'
Send a request like the following to delete a rule set association with a deployment:
curl -XDELETE \
-H "Authorization: ApiKey $API_KEY" \
-H 'content-type: application/json' \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID/associations/deployment/$DEPLOYMENT_ID \
Send a request like the following to delete a traffic filter rule set:
curl -XDELETE \
-H "Authorization: ApiKey $API_KEY" \
https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/rulesets/$RULESET_ID \