Protecting Your Endpoints by Denying Unwanted Traffic
Whenever your endpoints are exposed to the internet, they will inevitably receive unwanted or malicious traffic. This can include bot activity, unauthorized access attempts, abusive requests, or even potential security threats.
By denying requests at the edge, you can:
🚫 Block unauthorized access attempts before they reach your upstream service.
⚡ Reduce load on backend services by filtering unnecessary traffic.
🔐 Improve security by rejecting requests based on predefined rules.
🔍 What are the Benefits of Denying Requests?
Publicly exposed services are constantly targeted by automated scanners, bots, and unwanted traffic. Even if these requests are not inherently malicious, they can consume resources, increase latency, and degrade performance.
Key Benefits:
- Reduce Attack Surface: Stop unauthorized access attempts before they hit your backend.
- Harden API Security: Restrict access to only legitimate users and trusted sources.
- Improve Performance: Free up server resources by dropping unwanted requests early.
- Protect Against Malicious Bots & Scanners: Prevent automated scripts and scrapers from overloading your API.
- Deny requests based on geolocation rules to comply with regulations.
- Prevent excessive requests from bad actors or misconfigured clients.
Denying Requests Examples
The following examples set up an endpoint that will deny all traffic unless the client IP is from the EU.
See the IP Intelligence page for more ways you can check properties of the connecting IP address. Check out the deny request traffic policy action page for more details about how it functions and the parameters it accepts.
- AgentEndpoint
- CloudEndpoint
- Ingress
- Gateway API
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: AgentEndpoint
metadata:
name: example-agent-endpoint
spec:
url: https://example-hostname.ngrok.io
upstream:
url: http://my-service.my-namespace:8080
trafficPolicy:
inline:
on_http_request:
- expressions:
- conn.client_ip.geo.location.is_eu == false
actions:
- type: deny
config:
status_code: 403
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: CloudEndpoint
metadata:
name: example-cloud-endpoint
spec:
url: https://example-hostname.ngrok.io
trafficPolicy:
policy:
on_http_request:
- expressions:
- conn.client_ip.geo.location.is_eu == false
actions:
- type: deny
config:
status_code: 403
💡 Ingress
resources do not natively support request denial configuration, but they can be extended using a traffic policy.
1. Create an NgrokTrafficPolicy
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: NgrokTrafficPolicy
metadata:
name: example-tp
namespace: default
spec:
policy:
on_http_request:
- expressions:
- conn.client_ip.geo.location.is_eu == false
actions:
- type: deny
config:
status_code: 403
2. Use the NgrokTrafficPolicy
on an Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
k8s.ngrok.com/traffic-policy: example-tp
name: example-ingress
namespace: default
spec:
ingressClassName: ngrok
rules:
- host: example-hostname.ngrok.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
💡 Gateway API resources do not natively support request denial configuration, but they can be extended using a traffic policy.
1. Create an NgrokTrafficPolicy
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: NgrokTrafficPolicy
metadata:
name: example-tp
namespace: default
spec:
policy:
on_http_request:
- expressions:
- conn.client_ip.geo.location.is_eu == false
actions:
- type: deny
config:
status_code: 403
2. Use the NgrokTrafficPolicy
on a Gateway
The following example showcases supplying the NgrokTrafficPolicy
on a Gateway
resource. All requests to the Gateway
will run the traffic policy.
If you prefer, NgrokTrafficPolicy
can also be used on the route level by using an externalRef
filter on an HTTPRoute
. See the using Gateway API guide for examples.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: example-gateway
namespace: default
annotations:
k8s.ngrok.com/traffic-policy: example-tp
spec:
gatewayClassName: ngrok
listeners:
- name: example-hostname
hostname: "example-hostname.ngrok.io"
port: 443
protocol: HTTPS