{
"additionalProperties": false,
"description": "Forwarding rule that determine how to forward traffic from a VM. Traffic from VM can either be routed via Overlay or Underlay when VM is on hybrid port. Additionally NAT can be performed for VM or container on overlay to route traffic to/from underlay ROUTE_TO_UNDERLAY - Access a service on underlay space from a VM connected to hybrid port. Eg access to AWS S3 on AWS underlay ROUTE_TO_OVERLAY - Access a service on overlay space from a VM connected to hybrid port. ROUTE_FROM_UNDERLAY - Access a service hosted on a VM (that is connected to hybrid port) from underlay space. Eg access from AWS ELB to VM ROUTE_FROM_OVERLAY - Access a service hosted on a VM (that is connected to hybrid port) from overlay space NAT_FROM_UNDERLAY - Access a service on overlay VM/container from underlay space using DNAT from underlay IP to overlay IP NAT_TO_UNDERLAY - Access an underlay service from a VM/container on overlay space using SNAT from overlay IP to underlay IP",
"extends": {
"$ref": "BaseRule
},
"id": "ForwardingRule",
"module_id": "PolicyForwarding",
"properties": {
"_create_time": {
"$ref": "EpochMsTimestamp,
"can_sort": true,
"description": "Timestamp of resource creation",
"readonly": true
},
"_create_user": {
"description": "ID of the user who created this resource",
"readonly": true,
"type": "string"
},
"_last_modified_time": {
"$ref": "EpochMsTimestamp,
"can_sort": true,
"description": "Timestamp of last modification",
"readonly": true
},
"_last_modified_user": {
"description": "ID of the user who last modified this resource",
"readonly": true,
"type": "string"
},
"_links": {
"description": "The server will populate this field when returing the resource. Ignored on PUT and POST.",
"items": {
"$ref": "ResourceLink
},
"readonly": true,
"title": "References related to this resource",
"type": "array"
},
"_protection": {
"description": "Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.",
"readonly": true,
"title": "Indicates protection status of this resource",
"type": "string"
},
"_revision": {
"description": "The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.",
"title": "Generation of this resource config",
"type": "int"
},
"_schema": {
"readonly": true,
"title": "Schema for this resource",
"type": "string"
},
"_self": {
"$ref": "SelfResourceLink,
"readonly": true,
"title": "Link to this resource"
},
"_system_owned": {
"description": "Indicates system owned resource",
"readonly": true,
"type": "boolean"
},
"action": {
"description": "The action to be applied to all the services",
"enum": [
"ROUTE_TO_UNDERLAY",
"ROUTE_TO_OVERLAY",
"ROUTE_FROM_UNDERLAY",
"ROUTE_FROM_OVERLAY",
"NAT_FROM_UNDERLAY",
"NAT_TO_UNDERLAY"
],
"required": false,
"title": "Action",
"type": "string"
},
"children": {
"description": "subtree for this type within policy tree containing nested elements.",
"items": {
"$ref": "ChildPolicyConfigResource
},
"required": false,
"title": "subtree for this type within policy tree",
"type": "array"
},
"description": {
"can_sort": true,
"maxLength": 1024,
"title": "Description of this resource",
"type": "string"
},
"destination_groups": {
"description": "We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant \"ANY\". This is case insensitive. If \"ANY\" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values.",
"items": {
"type": "string"
},
"maxItems": 128,
"required": false,
"title": "Destination group paths",
"type": "array"
},
"destinations_excluded": {
"default": false,
"description": "If set to true, the rule gets applied on all the groups that are NOT part of the destination groups. If false, the rule applies to the destination groups",
"readonly": false,
"required": false,
"title": "Negation of destination groups",
"type": "boolean"
},
"direction": {
"default": "IN_OUT",
"description": "Define direction of traffic.",
"enum": [
"IN",
"OUT",
"IN_OUT"
],
"required": false,
"title": "Direction",
"type": "string"
},
"disabled": {
"default": false,
"description": "Flag to disable the rule. Default is enabled.",
"readonly": false,
"required": false,
"title": "Flag to disable the rule",
"type": "boolean"
},
"display_name": {
"can_sort": true,
"description": "Defaults to ID if not set",
"maxLength": 255,
"title": "Identifier to use when displaying entity in logs or GUI",
"type": "string"
},
"id": {
"can_sort": true,
"title": "Unique identifier of this resource",
"type": "string"
},
"ip_protocol": {
"description": "Type of IP packet that should be matched while enforcing the rule. The value is set to IPV4_IPV6 for Layer3 rule if not specified. For Layer2/Ether rule the value must be null.",
"enum": [
"IPV4",
"IPV6",
"IPV4_IPV6"
],
"readonly": false,
"required": false,
"title": "IPv4 vs IPv6 packet type",
"type": "string"
},
"is_default": {
"description": "A flag to indicate whether rule is a default rule.",
"readonly": true,
"required": false,
"title": "Default rule flag",
"type": "boolean"
},
"logged": {
"default": false,
"description": "Flag to enable packet logging. Default is disabled.",
"readonly": false,
"required": false,
"title": "Enable logging flag",
"type": "boolean"
},
"marked_for_delete": {
"default": false,
"description": "Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.",
"readonly": true,
"required": false,
"title": "Indicates whether the intent object is marked for deletion",
"type": "boolean"
},
"notes": {
"description": "Text for additional notes on changes.",
"maxLength": 2048,
"readonly": false,
"required": false,
"title": "Text for additional notes on changes",
"type": "string"
},
"overridden": {
"default": false,
"description": "Global intent objects cannot be modified by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.",
"readonly": true,
"required": false,
"title": "Indicates whether this object is the overridden intent object",
"type": "boolean"
},
"parent_path": {
"description": "Path of its parent",
"readonly": true,
"required": false,
"title": "Path of its parent",
"type": "string"
},
"path": {
"description": "Absolute path of this object",
"readonly": true,
"required": false,
"title": "Absolute path of this object",
"type": "string"
},
"profiles": {
"description": "Holds the list of layer 7 service profile paths. These profiles accept attributes and sub-attributes of various network services (e.g. L4 AppId, encryption algorithm, domain name, etc) as key value pairs.",
"items": {
"type": "string"
},
"maxItems": 128,
"required": false,
"title": "Layer 7 service profiles",
"type": "array"
},
"relative_path": {
"description": "Path relative from its parent",
"readonly": true,
"required": false,
"title": "Relative path of this object",
"type": "string"
},
"resource_type": {
"description": "The type of this resource.",
"readonly": false,
"type": "string"
},
"rule_id": {
"description": "This is a unique 4 byte positive number that is assigned by the system. This rule id is passed all the way down to the data path. The first 1GB (1000 to 2^30) will be shared by GM and LM with zebra style striped number space. For E.g 1000 to (1Million -1) by LM, (1M - 2M-1) by GM and so on.",
"readonly": true,
"required": false,
"title": "Unique rule ID",
"type": "integer"
},
"scope": {
"description": "The list of policy paths where the rule is applied LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs.",
"items": {
"type": "string"
},
"maxItems": 128,
"required": false,
"type": "array"
},
"sequence_number": {
"description": "This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, then one has to specify unique sequence numbers or use the POST request on the rule entity with a query parameter action=revise to let the framework assign a sequence number",
"minimum": 0,
"required": false,
"title": "Sequence number of the this Rule",
"type": "int"
},
"service_entries": {
"description": "In order to specify raw services this can be used, along with services which contains path to services. This can be empty or null.",
"items": {
"$ref": "ServiceEntry
},
"maxItems": 128,
"required": false,
"title": "Raw services",
"type": "array"
},
"services": {
"description": "In order to specify all services, use the constant \"ANY\". This is case insensitive. If \"ANY\" is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values.",
"items": {
"type": "string"
},
"maxItems": 128,
"required": false,
"title": "Names of services",
"type": "array"
},
"source_groups": {
"description": "We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant \"ANY\". This is case insensitive. If \"ANY\" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values.",
"items": {
"type": "string"
},
"maxItems": 128,
"required": false,
"title": "Source group paths",
"type": "array"
},
"sources_excluded": {
"default": false,
"description": "If set to true, the rule gets applied on all the groups that are NOT part of the source groups. If false, the rule applies to the source groups",
"readonly": false,
"required": false,
"title": "Negation of source groups",
"type": "boolean"
},
"tag": {
"description": "User level field which will be printed in CLI and packet logs.",
"required": false,
"title": "Tag applied on the rule",
"type": "string"
},
"tags": {
"items": {
"$ref": "Tag
},
"maxItems": 30,
"title": "Opaque identifiers meaningful to the API user",
"type": "array"
},
"unique_id": {
"description": "This is a UUID generated by the GM/LM to uniquely identify entites in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.",
"readonly": true,
"required": false,
"title": "A unique identifier assigned by the system",
"type": "string"
}
},
"title": "Forwarding rule",
"type": "object"
}