If you are replacing the built-in "VXLAN Policy Agent" with your own Policy Enforcement implementation, you can use the Policy Server's internal API to retrieve policy information.
There is a single endpoint to retrieve policies:
GET https://policy-server.service.cf.internal:4003/networking/v1/internal/policies
Additionally, you can use the id query parameter to filter the response to include
only policies with a source or destination that match any of the comma-separated
group_policy_id's that are included.
GET /networking/v1/internal/policies
List all policies optionally filtered to match requested policy_group_id's
Query Parameters (optional):
id: comma-separatedpolicy_group_idvalues
Response Body:
policies: list of policiespolicies[].destination: the destination of the policypolicies[].destination.id: thepolicy_group_idof the destination (currently always anapp_id)policies[].destination.ports: the range ofportsallowed on the destinationpolicies[].destination.ports.start: the first port in the port range allowed on the destinationpolicies[].destination.ports.end: the last port of the port range allowed on the destinationpolicies[].destination.protocol: theprotocolallowed on the destination:tcporudppolicies[].destination.tag: thetagof the source allowed to the destinationpolicies[].source: the source of the policypolicies[].source.id: thepolicy_group_idof the source (currently always anapp_id)policies[].source.tag: thetagof the source allowed to the destination
curl -s \
--cacert certs/ca.crt \
--cert certs/client.crt \
--key certs/client.key \
https://policy-server.service.cf.internal:4003/networking/v1/internal/policies {
"policies": [
{
"destination": {
"id": "eb95ff20-cba8-4edc-8f4a-cf80d0669faf",
"ports": {
"start": 8080,
"end": 8090
},
"protocol": "tcp",
"tag": "0002"
},
"source": {
"id": "4a2d3627-0b8c-42d1-9563-22696eedc05d",
"tag": "0001"
}
},
{
"destination": {
"id": "b611f7e6-c8fe-41cb-b150-92581aafa5c2",
"ports": {
"start": 8080,
"end": 8080
},
"protocol": "tcp",
"tag": "0004"
},
"source": {
"id": "3b348978-a3cb-487c-a277-58fdc3e2c678",
"tag": "0003"
}
},
{
"destination": {
"id": "8fa287c9-0d01-491e-a1d5-d6e2d8a1ef61",
"ports": {
"start": 8080,
"end": 8080
},
"protocol": "tcp",
"tag": "0005"
},
"source": {
"id": "8fa287c9-0d01-491e-a1d5-d6e2d8a1ef61",
"tag": "0005"
}
},
{
"destination": {
"id": "d5bbc5ed-886a-44e6-945d-67df1013fa16",
"ports": {
"start": 5555,
"end": 6666
},
"protocol": "tcp",
"tag": "0006"
},
"source": {
"id": "d5bbc5ed-886a-44e6-945d-67df1013fa16",
"tag": "0006"
}
}
]
}Returns all policies with source or destination id's that match any of the
included policy_group_id's.
curl -s \
--cacert certs/ca.crt \
--cert certs/client.crt \
--key certs/client.key \
https://policy-server.service.cf.internal:4003/networking/v1/internal/policies?id=5351a742-6704-46df-8de0-1a376adab65c,d5bbc5ed-886a-44e6-945d-67df1013fa16{
"policies": [
{
"destination": {
"id": "d5bbc5ed-886a-44e6-945d-67df1013fa16",
"ports": {
"start": 5555,
"end": 6666
},
"protocol": "tcp",
"tag": "0006"
},
"source": {
"id": "d5bbc5ed-886a-44e6-945d-67df1013fa16",
"tag": "0006"
}
},
{
"destination": {
"id": "5351a742-6704-46df-8de0-1a376adab65c",
"ports": {
"start": 5555,
"end": 6666
},
"protocol": "tcp",
"tag": "0007"
},
"source": {
"id": "5351a742-6704-46df-8de0-1a376adab65c",
"tag": "0007"
}
}
]
}