API overview
Create a policy (V2)
POST /api/v2/policies
Content-Type: application/json
Create a policy attachment (V1)
POST /api/v1/policy-attachments
Content-Type: application/json
Basic request structures
CreatePolicyRequest (V2)
{
"name": "Policy name",
"className": "Policy type",
"config": "Policy configuration JSON string",
"description": "Policy description (optional)"
}
Field | Type | Required | Description | Constraints |
name | string | Yes | Policy name. | Cannot be empty. |
className | string | Yes | Policy type. | See the list of supported policy types. |
config | string | Yes | The JSON string for the policy configuration. | Provide the JSON configuration that corresponds to the policy type. |
description | string | No | Policy description. | Maximum 200 characters. |
CreatePolicyAttachmentRequest (V1)
{
"attachResourceId": "ResourceID1",
"attachResourceType": "Resource type",
"environmentId": "Environment ID",
"gatewayId": "Gateway ID",
"policyId": "Policy ID"
}
Field | Type | Required | Description |
attachResourceId | string | Yes | The list of resource IDs to attach. |
attachResourceType | string | Yes | Resource type: Gateway, Domain, Route, LLMApi, AgentApi, Api, Operation, Service, or ServicePort. |
environmentId | string | Conditional | The environment ID. This parameter is required for Route, Api, Operation, LLMApi, and AgentApi. |
gatewayId | string | Conditional | The gateway ID. This parameter is required for Route, Gateway, Domain, Service, ServicePort, LLMApi, and AgentApi. |
Supported policy types
General throttling policies
RateLimit - Rate limiting
ConcurrencyLimit - Concurrency limiting
CircuitBreaker - Circuit breaking
Timeout - Timeout control
Retry - Retry policy
Routing and forwarding policies
HttpRewrite - HTTP rewrite
HeaderModify - Header modification
Redirect - Redirection
DirectResponse - Direct response
Fallback - Fallback policy
DynamicRoute - Dynamic routing (swimlane)
AI-related policies
AiStatistics - AI statistics
AiSecurityGuard - AI Guardrails
AiFallback - AI fallback
AiTokenRateLimit - AI token rate limiting
AiCache - AI cache
AiNetworkSearch - AI network search
AiToolSelection - AI tool selection
Security and authentication policies
Authentication - Unified authentication
JWTAuth - JWT authentication
OIDCAuth - OIDC authentication
ExternalZAuth - External authentication
Waf - Web Application Firewall
IpAccessControl - IP access control
Cross-domain and replication policies
Cors - Cross-origin resource sharing
FlowCopy - Traffic replication
Service administration policies
ServiceTls - Service TLS
ServiceLb - Service load balancing
ServicePortTls - Service port TLS
General throttling policies
RateLimit - Rate limiting
Scope: Route, Gateway, Domain, Service
Configuration:
{
"threshold": 100,
"behaviorType": 0,
"bodyEncoding": 0,
"responseStatusCode": 429,
"responseContentBody": "{\"error\":\"Too Many Requests\"}",
"responseRedirectUrl": "",
"enable": true
}
Field | Type | Required | Description |
threshold | int | Yes | Rate limit threshold (requests per second). |
behaviorType | int | Yes | Behavior type. 0: Return a response. 1: Redirect. |
bodyEncoding | int | Yes | Response body encoding. 0: TEXT. 1: JSON. |
responseStatusCode | int | Yes | Response status code. |
responseContentBody | string | No | Response body content. |
responseRedirectUrl | string | No | Redirection URL. This parameter is used when `behaviorType` is 1. |
enable | bool | Yes | Specifies whether to enable the policy. |
Example call:
curl -X POST http://gateway-api/api/v2/policies \
-H "Content-Type: application/json" \
-d '{
"name": "API Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":1,\"responseStatusCode\":429,\"responseContentBody\":\"{\\\"error\\\":\\\"Too Many Requests\\\"}\",\"enable\":true}",
"description": "Limits API requests to 100 per second."
}'
ConcurrencyLimit - Concurrency limiting
Scope: Route, Gateway, Domain
Configuration:
{
"maxConcurrency": 50,
"behaviorType": 0,
"bodyEncoding": 0,
"responseStatusCode": 503,
"responseContentBody": "{\"error\":\"Service Overloaded\"}",
"responseRedirectUrl": "",
"enable": true
}
Field | Type | Required | Description |
maxConcurrency | int | Yes | Maximum concurrency. |
behaviorType | int | Yes | Behavior type. 0: Return a response. 1: Redirect. |
bodyEncoding | int | Yes | Response body encoding. 0: TEXT. 1: JSON. |
responseStatusCode | int | Yes | Response status code when the limit is exceeded. |
responseContentBody | string | No | Response body content when the limit is exceeded. |
responseRedirectUrl | string | No | Redirection URL. This parameter is used when `behaviorType` is 1. |
enable | bool | Yes | Specifies whether to enable the policy. |
CircuitBreaker - Circuit breaking
Scope: Route, Service
Configuration:
{
"strategy": 0,
"minRequestAmount": 10,
"maxAllowedMs": 5000,
"triggerRatio": 50,
"statDurationSec": 30,
"recoveryTimeoutSec": 30,
"responseStatusCode": 503,
"bodyEncoding": 0,
"responseContentBody": "{\"error\":\"Service Unavailable\"}",
"responseRedirectUrl": "",
"behaviorType": 0,
"enable": true
}
Field | Type | Required | Description |
strategy | int | Yes | Circuit breaker strategy. 0: Slow calls. 1: Abnormal responses. |
minRequestAmount | int | Yes | Minimum number of requests. |
maxAllowedMs | int | No | Maximum allowed response time in milliseconds. This parameter is required when `strategy` is 0. |
triggerRatio | int | Yes | The ratio (percentage) that triggers the circuit breaker. |
statDurationSec | int | Yes | Statistics collection duration in seconds. |
recoveryTimeoutSec | int | Yes | Circuit breaker recovery time in seconds. |
responseStatusCode | int | Yes | Response status code when the circuit is open. |
bodyEncoding | int | Yes | Response body encoding. 0: TEXT. 1: JSON. |
responseContentBody | string | No | Response body content when the circuit is open. |
responseRedirectUrl | string | No | Redirection URL. This parameter is used when `behaviorType` is 1. |
behaviorType | int | Yes | Behavior type. 0: Return a response. 1: Redirect. |
enable | bool | Yes | Specifies whether to enable the policy. |
Timeout - Timeout control
Scope: Route, Service
Configuration:
{
"unitNum": 30,
"timeUnit": "s",
"enable": true
}
Field | Type | Required | Description |
unitNum | float64 | Yes | Timeout duration value. |
timeUnit | string | Yes | Time unit. s: seconds. m: minutes. h: hours. |
enable | bool | Yes | Specifies whether to enable the policy. |
Retry - Retry policy
Scope: Route, Service
Configuration:
{
"attempts": 3,
"retryOn": ["5xx", "reset", "connect-failure"],
"httpCodes": ["502", "503", "504"],
"perTryTimeout": 10,
"enable": true
}
Field | Type | Required | Description |
attempts | int | Yes | Maximum number of retries. |
retryOn | []string | Yes | Retry conditions: 5xx, reset, connect-failure, or refused-stream. |
httpCodes | []string | No | The list of HTTP status codes that trigger a retry. |
perTryTimeout | float64 | No | Timeout for each retry in seconds. |
enable | bool | Yes | Specifies whether to enable the policy. |
HttpRewrite - HTTP rewrite
Scope: Route
Configuration:
{
"pathType": "Exact",
"path": "/v2/api",
"pattern": "",
"substitution": "",
"host": "new-backend.example.com",
"enable": true
}
Field | Type | Required | Description |
pathType | string | Yes | Path matching type: Exact, Prefix, or Regex. |
path | string | No | The rewritten path. This parameter is used when `pathType` is Exact or Prefix. |
pattern | string | No | The regular expression pattern. This parameter is required when `pathType` is Regex. |
substitution | string | No | The replacement string. This parameter is required when `pathType` is Regex. |
host | string | No | The rewritten Host header. |
enable | bool | Yes | Specifies whether to enable the policy. |
HeaderModify - Header modification
Scope: Route, Gateway, Domain
Configuration:
{
"enable": true,
"headerOpItems": [
{
"directionType": "Request",
"opType": "Add",
"key": "X-Custom-Header",
"value": "custom-value",
"policyValueGenerateMode": "Custom"
},
{
"directionType": "Request",
"opType": "Update",
"key": "Authorization",
"value": "Bearer {{token}}",
"policyValueGenerateMode": "Custom"
},
{
"directionType": "Request",
"opType": "Remove",
"key": "X-Debug-Mode",
"value": "",
"policyValueGenerateMode": "Custom"
}
]
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
headerOpItems | []object | Yes | The list of header operations. |
├─ directionType | string | Yes | Direction type: Request or Response. |
├─ opType | string | Yes | Operation type: Add, Update, or Remove. |
├─ key | string | Yes | Header key name. |
├─ value | string | No | Header value. This can be empty when `opType` is Remove. |
└─ policyValueGenerateMode | string | Yes | Value generation mode: Custom or Reference. |
Redirect - Redirection
Scope: Route
Configuration:
{
"code": "301",
"host": "new-domain.com",
"path": "/new-path",
"enable": true
}
Field | Type | Required | Description |
code | string | Yes | Redirection status code: 301, 302, 303, 307, or 308. |
host | string | No | Destination Host for redirection. |
path | string | No | Destination path for redirection. |
enable | bool | Yes | Specifies whether to enable the policy. |
DirectResponse - Direct response
Scope: Route
Configuration:
{
"code": "200",
"body": "{\"status\":\"ok\",\"message\":\"Service Maintenance\"}",
"enable": true
}
Field | Type | Required | Description |
code | string | Yes | Response status code. |
body | string | Yes | Response body content. |
enable | bool | Yes | Specifies whether to enable the policy. |
Fallback - Fallback policy
Scope: Route, Service
Configuration:
{
"enable": true,
"fallBackDestination": [
{
"serviceId": "backup-service-1",
"serviceName": "backup-service-name",
"serviceVersion": "v1",
"port": "8080"
}
]
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
fallBackDestination | []object | Yes | The list of fallback destinations. |
├─ serviceId | string | Yes | Fallback service ID. |
├─ serviceName | string | No | Fallback service name. |
├─ serviceVersion | string | No | Service version. |
└─ port | string | No | Service port. |
IpAccessControl - IP access control
Scope: Route, Gateway, Domain
Configuration:
{
"name": "IP Whitelist Policy",
"description": "Allow access from specific IPs",
"ipAccessControlResourceName": "api-route-1",
"ipAccessControlResourceType": "Route",
"ipAccessControlType": "White",
"ipAccessControlContent": "192.168.1.0/24,10.0.0.1",
"protocolLayer": "L7",
"enable": true
}
Field | Type | Required | Description |
name | string | Yes | Policy name. |
description | string | No | Policy description. |
ipAccessControlResourceName | string | Yes | Resource name. |
ipAccessControlResourceType | string | Yes | Resource type: Route, Gateway, or Domain. |
ipAccessControlType | string | Yes | Control type: White (whitelist) or Black (blacklist). |
ipAccessControlContent | string | Yes | The list of IP addresses. Separate multiple addresses with commas. CIDR notation is supported. |
protocolLayer | string | Yes | Protocol layer: L7 (application layer) or L4 (transport layer). |
enable | bool | Yes | Specifies whether to enable the policy. |
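The comma-separated `ipAccessControlContent` string is easy to get wrong in ways that quietly widen or break an allow-list. The following Python check is an added example, not part of the product documentation; the function name and finding wording are illustrative, and whether the gateway itself rejects these inputs is not stated on this page.

```python
import ipaddress


def audit_ip_access_control(config):
    """Return a list of findings (strings) for an IpAccessControl config dict."""
    findings = []
    control_type = config.get("ipAccessControlType")
    if control_type not in ("White", "Black"):
        findings.append(
            f"ipAccessControlType must be White or Black, got {control_type!r}")

    networks = []  # (entry as written, parsed network)
    for raw in config.get("ipAccessControlContent", "").split(","):
        entry = raw.strip()
        if not entry:
            findings.append("empty entry (stray comma or empty list)")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Succeeds when the only problem is host bits, e.g. 192.168.1.5/24.
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"{entry}: not an IP address or CIDR block")
                continue
            findings.append(f"{entry}: host bits set, network is {net}")
        networks.append((entry, net))

    effect = {"White": "allows", "Black": "blocks"}.get(control_type, "matches")
    for entry, net in networks:
        if net.prefixlen == 0:
            # A /0 in an allow-list disables the control; in a deny-list it
            # blocks all clients.
            findings.append(f"{entry}: {effect} every address")
            continue
        # Flag entries that a strictly broader entry already covers.
        for other_entry, other in networks:
            if (other.version == net.version
                    and other.prefixlen < net.prefixlen
                    and net.subnet_of(other)):
                findings.append(f"{entry}: already covered by {other_entry}")
                break
    return findings


# The sample value from this page, and a constructed config with common mistakes.
PAGE_SAMPLE = {
    "ipAccessControlType": "White",
    "ipAccessControlContent": "192.168.1.0/24,10.0.0.1",
}
CONSTRUCTED_BAD = {
    "ipAccessControlType": "White",
    "ipAccessControlContent": "0.0.0.0/0,192.168.1.5/24,10.0.0.1,10.0.0.0/8,bogus",
}

if __name__ == "__main__":
    for finding in audit_ip_access_control(CONSTRUCTED_BAD):
        print(finding)
```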
Cors - Cross-origin resource sharing
Scope: Route, Gateway, Domain
Configuration:
{
"allowOrigins": "https://example.com,https://app.example.com",
"allowMethods": ["GET", "POST", "PUT", "DELETE"],
"allowHeaders": "Content-Type,Authorization",
"exposeHeaders": "X-Custom-Header",
"timeUnit": "s",
"unitNum": 3600,
"allowCredentials": true,
"enable": true
}
Field | Type | Required | Description |
allowOrigins | string | Yes | Allowed origins. Separate multiple origins with commas. Use `*` to allow all origins. |
allowMethods | []string | Yes | Allowed HTTP methods. |
allowHeaders | string | Yes | Allowed request headers. Separate multiple headers with commas. |
exposeHeaders | string | No | Exposed response headers. Separate multiple headers with commas. |
timeUnit | string | Yes | Time unit. s: seconds. m: minutes. h: hours. |
unitNum | int | Yes | Cache duration for preflight requests. |
allowCredentials | bool | Yes | Specifies whether to allow credentials. |
enable | bool | Yes | Specifies whether to enable the policy. |
FlowCopy - Traffic replication
Scope: Route
Configuration:
{
"targetServiceId": "test-service-id",
"targetServiceName": "test-service",
"port": "8080",
"percentage": 10,
"enable": true
}
Field | Type | Required | Description |
targetServiceId | string | Yes | Target service ID. |
targetServiceName | string | No | Target service name. |
port | string | No | Target service port. |
percentage | int | No | The percentage of traffic to replicate (1-100). Default is 100. |
enable | bool | Yes | Specifies whether to enable the policy. |
DynamicRoute - Dynamic routing (swimlane)
Scope: Gateway
Configuration:
{
"enable": true,
"dynamicRouteSwimmingLaneConfigs": [
{
"swimmingLaneGroupId": 1001,
"swimmingLaneId": 2001,
"canaryModel": 0,
"percentage": 20,
"swimmingLaneTag": "lane-v2",
"predicates": [
{
"type": "Header",
"name": "x-env",
"condition": "==",
"value": "test"
}
],
"matchCondition": "And",
"enable": true
}
]
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
dynamicRouteSwimmingLaneConfigs | []object | Yes | The list of swimlane configurations. |
├─ swimmingLaneGroupId | int64 | Yes | Swimlane group ID. |
├─ swimmingLaneId | int64 | Yes | Swimlane ID. |
├─ canaryModel | int | Yes | Grayscale mode. 0: By content. 1: By percentage. |
├─ percentage | int | No | Traffic percentage. This parameter is used in percentage mode. |
├─ swimmingLaneTag | string | Yes | Swimlane tag. |
├─ predicates | []object | No | Match criteria for content patterns. |
│ ├─ type | string | Yes | Parameter type: Header, Cookie, or Parameter. |
│ ├─ name | string | Yes | Parameter name. |
│ ├─ condition | string | Yes | Condition: ==, !=, Pre, Regex, List, or %. |
│ ├─ value | string | Yes | Match value. |
│ └─ names | []string | No | List of values. This parameter is used when `condition` is List. |
├─ matchCondition | string | Yes | Match relationship: And or Or. |
└─ enable | bool | Yes | Specifies whether to enable this swimlane. |
AI-related policies
AiStatistics - AI statistics
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"aiStatisticsConfig": {
"logRequestContent": true,
"logResponseContent": true
}
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
aiStatisticsConfig | object | No | AI statistics configuration. |
├─ logRequestContent | bool | No | Specifies whether to log request content. Default is true. |
└─ logResponseContent | bool | No | Specifies whether to log response content. Default is true. |
AiSecurityGuard - AI Guardrails
Scope: Service
Configuration:
{
"enable": true,
"serviceAddress": "http://security-guard-service:8080",
"checkRequest": true,
"checkResponse": true,
"riskAlertLevel": "medium",
"requestCheckService": "Security",
"responseCheckService": "Security",
"bufferLimit": 1000,
"riskConfig": [
{
"type": "Global",
"level": "high"
},
{
"type": "ContentModeration",
"level": "medium"
}
]
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
serviceAddress | string | Yes | Security service endpoint. |
checkRequest | bool | Yes | Specifies whether to check requests. |
checkResponse | bool | Yes | Specifies whether to check responses. |
riskAlertLevel | string | Yes | Risk level: low, medium, high, or max. |
requestCheckService | string | No | Request check service: LLM or Security. |
responseCheckService | string | No | Response check service: LLM or Security. |
bufferLimit | int | No | Buffer limit. Default is 1000. |
riskConfig | []object | No | The list of risk configurations. |
├─ type | string | Yes | Risk type: Global, ContentModeration, PromptAttack, SensitiveData, MaliciousUrl, or ModelHallucination. |
└─ level | string | Yes | Risk level: low, medium, high, or max. |
AiTokenRateLimit - AI token rate limiting
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"rules": [
{
"limitType": "LimitByConsumer",
"threshold": 10000,
"timeWindow": 60,
"responseStatusCode": 429,
"responseContentBody": "{\"error\":\"Token limit exceeded\"}"
}
],
"enableGlobalRules": true,
"globalRules": [
{
"limitType": "LimitByGlobal",
"threshold": 100000,
"timeWindow": 60
}
],
"redisConfig": {
"serviceHost": "redis-service:6379",
"servicePort": 6379,
"database": 0,
"username": "",
"password": ""
}
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
rules | []object | No | The list of standard rate limiting rules. |
├─ limitType | string | Yes | Limit type: LimitByConsumer or LimitByModel. |
├─ threshold | int | Yes | Token threshold. |
├─ timeWindow | int | Yes | Time window in seconds. |
├─ responseStatusCode | int | No | Response status code when the limit is exceeded. |
└─ responseContentBody | string | No | Response body content when the limit is exceeded. |
enableGlobalRules | bool | No | Specifies whether to enable global rate limiting rules. |
globalRules | []object | No | The list of global rate limiting rules. |
├─ limitType | string | Yes | Limit type. Must be LimitByGlobal. |
├─ threshold | int | Yes | Token threshold. |
└─ timeWindow | int | Yes | Time window in seconds. |
redisConfig | object | Yes | Redis configuration. |
├─ serviceHost | string | Yes | Redis endpoint. |
├─ servicePort | int | Yes | Redis port. |
├─ database | int | No | Database number. Default is 0. |
├─ username | string | No | Username. |
└─ password | string | No | Password. |
AiCache - AI cache
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"cacheTTL": 3600,
"cacheMode": "exact",
"cacheKeyStrategy": "messages",
"redisConfig": {
"serviceHost": "redis-service:6379",
"servicePort": 6379,
"database": 0
}
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
cacheTTL | int | Yes | Cache time-to-live (TTL) in seconds. |
cacheMode | string | Yes | Cache mode: exact or semantic. |
cacheKeyStrategy | string | No | Cache key strategy. |
redisConfig | object | Yes | Redis configuration. |
├─ serviceHost | string | Yes | Redis endpoint. |
├─ servicePort | int | Yes | Redis port. |
├─ database | int | No | Database number. Default is 0. |
├─ username | string | No | Username. |
└─ password | string | No | Password. |
vectorConfig | object | No | Vector database configuration. This parameter is used in semantic mode. |
├─ type | string | Yes | Vector database type: adb-postgres. |
├─ serviceHost | string | Yes | Vector database endpoint. |
├─ apiKey | string | Yes | API key. |
├─ timeout | int | Yes | Timeout in milliseconds. |
├─ collectionId | string | Yes | Collection ID. |
└─ threshold | float | Yes | Similarity threshold (0-1). |
embeddingConfig | object | No | Embedding configuration. This parameter is used in semantic mode. |
├─ type | string | Yes | Embedding type: dashscope or azure. |
└─ serviceId | string | Yes | Embedding service ID. |
AiFallback - AI fallback
Scope: Service
Configuration:
{
"enable": true,
"fallbackModelMappings": [
{
"model": "gpt-4",
"fallbackModels": [
{
"serviceId": "backup-service-1",
"model": "gpt-3.5-turbo"
}
]
}
]
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
fallbackModelMappings | []object | Yes | The list of fallback model mappings. |
├─ model | string | Yes | Original model name. |
└─ fallbackModels | []object | Yes | The list of fallback models. |
  ├─ serviceId | string | Yes | Fallback service ID. |
  └─ model | string | Yes | Fallback model name. |
AiNetworkSearch - AI network search
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"provider": "bing",
"apiKey": "your-search-api-key",
"maxResults": 10,
"timeout": 5000
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
provider | string | Yes | Search provider. |
apiKey | string | Yes | Search API key. |
maxResults | int | No | Maximum number of results to return. |
timeout | int | No | Timeout in milliseconds. |
AiToolSelection - AI tool selection
Scope: Route, LLMApi, AgentApi
Configuration:
{
"enable": true,
"tools": [
{
"name": "calculator",
"description": "Used for mathematical calculations",
"enabled": true
}
]
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
tools | []object | Yes | The list of tools. |
├─ name | string | Yes | Tool name. |
├─ description | string | Yes | Tool description. |
└─ enabled | bool | Yes | Specifies whether to enable this tool. |
Security and authentication policies
Authentication - Unified authentication
Scope: Route, Gateway, Domain
Configuration:
{
"authenticationType": "key-auth",
"enable": true
}
Field | Type | Required | Description |
authenticationType | string | Yes | Authentication type: key-auth, basic-auth, or jwt-auth. |
enable | bool | Yes | Specifies whether to enable the policy. |
JWTAuth - JWT authentication
Scope: Route, Gateway, Domain
Configuration:
{
"name": "jwt-policy",
"issuer": "https://auth.example.com",
"sub": "",
"jwks": "https://auth.example.com/.well-known/jwks.json",
"tokenPosition": "header",
"tokenName": "Authorization",
"tokenNamePrefix": "Bearer ",
"tokenPass": true,
"whiteOrBlack": "",
"authResources": [],
"resources": "",
"enable": true
}
Field | Type | Required | Description |
name | string | Yes | Policy name. |
issuer | string | Yes | JWT issuer. |
sub | string | No | Subject. |
jwks | string | Yes | JWKS URI. |
tokenPosition | string | Yes | Token location: header, query, or cookie. |
tokenName | string | Yes | Token field name. |
tokenNamePrefix | string | No | Token prefix, such as "Bearer ". |
tokenPass | bool | Yes | Specifies whether to pass through the token. |
whiteOrBlack | string | No | Whitelist or blacklist mode. |
authResources | []object | No | The list of authentication resources. |
resources | string | No | Resource configuration. |
enable | bool | Yes | Specifies whether to enable the policy. |
OIDCAuth - OIDC authentication
Scope: Route, Gateway, Domain
Configuration:
{
"issuer": "https://accounts.google.com",
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"redirectUri": "https://your-app.com/callback",
"scopes": ["openid", "profile", "email"],
"enable": true
}
Field | Type | Required | Description |
issuer | string | Yes | OIDC provider URL. |
clientId | string | Yes | Client ID. |
clientSecret | string | Yes | Client secret. |
redirectUri | string | Yes | Redirection URI. |
scopes | []string | Yes | The requested scopes. |
enable | bool | Yes | Specifies whether to enable the policy. |
ExternalZAuth - External authentication
Scope: Route, Gateway, Domain
Configuration:
{
"authServiceUrl": "https://auth-service.example.com/verify",
"timeout": 5000,
"enable": true
}
Field | Type | Required | Description |
authServiceUrl | string | Yes | External authentication service URL. |
timeout | int | No | Timeout in milliseconds. |
enable | bool | Yes | Specifies whether to enable the policy. |
Waf - Web Application Firewall
Scope: Route, Gateway, Domain
Configuration:
{
"enable": true
}
Field | Type | Required | Description |
enable | bool | Yes | Specifies whether to enable the policy. |
Service administration policies
ServiceLb - Service load balancing
Scope: Service
Configuration:
{
"loadBalancerType": "ROUND_ROBIN",
"consistentHashLBConfig": {
"parameterName": "user-id",
"httpCookie": {
"name": "session-id",
"path": "/",
"ttl": "3600s"
},
"minimumRingSize": 1024,
"consistentHashLBType": "HEADER"
},
"warmupDuration": 60,
"enable": true
}
Field | Type | Required | Description |
loadBalancerType | string | Yes | Load balancing type: ROUND_ROBIN, LEAST_CONN, RANDOM, or CONSISTENT_HASH. |
consistentHashLBConfig | object | No | Consistent hash configuration. This parameter is used when `loadBalancerType` is CONSISTENT_HASH. |
├─ parameterName | string | No | Parameter name. |
├─ httpCookie | object | No | Cookie configuration. |
│ ├─ name | string | Yes | Cookie name. |
│ ├─ path | string | No | Cookie path. |
│ └─ ttl | string | No | Cookie time-to-live (TTL). |
├─ minimumRingSize | int | No | Minimum ring size. |
└─ consistentHashLBType | string | Yes | Hash type: HEADER, COOKIE, SOURCE_IP, or QUERY_PARAMETER. |
warmupDuration | int | No | Warm-up duration in seconds. |
enable | bool | Yes | Specifies whether to enable the policy. |
ServiceTls - Service TLS
Scope: Service
Configuration:
{
"mode": "SIMPLE",
"certId": "cert-id-123",
"caCertId": "ca-cert-id-456",
"caCertContent": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"subjectAltNames": ["*.example.com"],
"sni": "backend-service.example.com",
"enable": true
}
Field | Type | Required | Description |
mode | string | Yes | TLS mode: DISABLE, SIMPLE, MUTUAL, or ISTIO_MUTUAL. |
certId | string | No | Certificate ID. |
caCertId | string | No | CA certificate ID. |
caCertContent | string | No | CA certificate content in PEM format. |
subjectAltNames | []string | No | Subject Alternative Names. |
sni | string | No | SNI hostname. |
enable | bool | Yes | Specifies whether to enable the policy. |
ServicePortTls - Service port TLS
Scope: ServicePort
Configuration: Same as ServiceTls.
Error examples and best practices
Error example 1: Incorrect format for the config field
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": {"threshold": 100} // Error: config must be a JSON string
}
Correct format:
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":0,\"responseStatusCode\":429,\"enable\":true}"
}
Error example 2: Missing enable field
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":0,\"responseStatusCode\":429}" // The enable field is missing
}
Correct format:
{
"name": "Rate Limit Policy",
"className": "RateLimit",
"config": "{\"threshold\":100,\"behaviorType\":0,\"bodyEncoding\":0,\"responseStatusCode\":429,\"enable\":true}"
}
Response format
Successful response
{
"policyId": "policy-abc123"
}
Error response
{
"errorCode": "ErrInvalidParameter",
"errorMessage": "Invalid parameter: className",
"requestId": "req-xxx"
}