REST Resource: responsePolicyRules

Resource: ResponsePolicyRule

A Response Policy Rule is a selector that applies its behavior to queries that match the selector. Selectors are DNS names, which may be wildcards or exact matches. Each DNS query subject to a Response Policy matches at most one ResponsePolicyRule, as identified by the dnsName field with the longest matching suffix.

JSON representation
{
  "ruleName": string,
  "kind": string,

  // Union field selector can be only one of the following:
  "dnsName": string
  // End of list of possible types for union field selector.

  // Union field action can be only one of the following:
  "localData": {
    object (LocalData)
  },
  "behavior": enum (Behavior)
  // End of list of possible types for union field action.
}
Fields
ruleName

string

An identifier for this rule. Must be unique within the ResponsePolicy.

kind

string

Union field selector.

selector can be only one of the following:

dnsName

string

The DNS name (wildcard or exact) to apply this rule to. Must be unique within the Response Policy Rule.

Union field action.

action can be only one of the following:

localData

object (LocalData)

Answer this query directly with DNS data. These ResourceRecordSets override any other DNS behavior for the matched name; in particular they override private zones, the public internet, and GCP internal DNS. No SOA nor NS types are allowed.

behavior

enum (Behavior)

Answer this query with a behavior rather than DNS data.

LocalData

JSON representation
{
  "localDatas": [
    {
      object (ResourceRecordSet)
    }
  ]
}
Fields
localDatas[]

object (ResourceRecordSet)

All resource record sets for this selector, one per resource record type. The name must match the dnsName.

ResourceRecordSet

A unit of data that is returned by the DNS servers.

JSON representation
{
  "name": string,
  "type": string,
  "ttl": integer,
  "rrdatas": [
    string
  ],
  "signatureRrdatas": [
    string
  ],
  "routingPolicy": {
    object (RRSetRoutingPolicy)
  },
  "kind": string
}
Fields
name

string

For example, www.example.com.

type

string

The identifier of a supported record type. See the list of Supported DNS record types.

ttl

integer

Number of seconds that this ResourceRecordSet can be cached by resolvers.

rrdatas[]

string

As defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1) -- see examples.

signatureRrdatas[]

string

As defined in RFC 4034 (section 3.2).

routingPolicy

object (RRSetRoutingPolicy)

Configures dynamic query responses based on either the geo location of the querying user or a weighted round robin based routing policy. A valid ResourceRecordSet contains only rrdata (for static resolution) or a routingPolicy (for dynamic resolution).

kind

string
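
The constraints stated above for ResponsePolicyRule, LocalData and ResourceRecordSet can be checked before a body is sent to create or patch. This is an added example, not code from the API reference; `lint_rule`, the sample bodies, the name normalisation and the treatment of a missing dnsName as an error are assumptions of the example.

```python
# Added example (not from the API reference): lint a ResponsePolicyRule body
# against the constraints stated on this page.
FORBIDDEN_TYPES = {"SOA", "NS"}  # "No SOA nor NS types are allowed."

def _norm(name):
    # Assumption: names compare case-insensitively, ignoring a trailing dot.
    return (name or "").rstrip(".").lower()

def lint_rule(rule):
    """Return a list of problems; an empty list means the body passes these checks."""
    problems = []
    dns_name = rule.get("dnsName")
    if not dns_name:
        # Assumption of this lint: a rule without a selector is an error.
        problems.append("selector: dnsName is missing")
    actions = [k for k in ("localData", "behavior") if k in rule]
    if len(actions) > 1:
        problems.append(f"action: more than one action set: {actions}")
    seen = set()
    for rrset in rule.get("localData", {}).get("localDatas", []):
        rtype = (rrset.get("type") or "").upper()
        if rtype in FORBIDDEN_TYPES:
            problems.append(f"localData: {rtype} record sets are not allowed")
        if rtype in seen:
            problems.append(f"localData: more than one record set of type {rtype}")
        seen.add(rtype)
        if _norm(rrset.get("name")) != _norm(dns_name):
            problems.append(f"localData: name {rrset.get('name')!r} does not match dnsName")
        if rrset.get("rrdatas") and "routingPolicy" in rrset:
            problems.append(f"localData {rtype}: both rrdatas and routingPolicy are set")
    return problems

# Constructed sample bodies (documentation names and addresses).
GOOD_RULE = {"ruleName": "sinkhole", "dnsName": "*.blocked.example.",
             "localData": {"localDatas": [
                 {"name": "*.blocked.example.", "type": "A", "ttl": 300,
                  "rrdatas": ["192.0.2.10"]}]}}
BAD_RULE = {"ruleName": "broken", "dnsName": "*.blocked.example.",
            "behavior": "BYPASS_RESPONSE_POLICY",
            "localData": {"localDatas": [
                {"name": "*.blocked.example.", "type": "A", "rrdatas": ["192.0.2.10"]},
                {"name": "*.blocked.example.", "type": "A", "rrdatas": ["192.0.2.11"]},
                {"name": "other.example.", "type": "NS", "rrdatas": ["ns1.other.example."]}]}}

if __name__ == "__main__":
    for problem in lint_rule(BAD_RULE):
        print(problem)
```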

RRSetRoutingPolicy

An RRSetRoutingPolicy represents ResourceRecordSet data that is returned dynamically, with the response varying based on configured properties such as geolocation or weighted random selection.

JSON representation
{
  "healthCheck": string,
  "kind": string,

  // Union field routing_data can be only one of the following:
  "geoPolicy": {
    object (GeoPolicy)
  },
  "wrrPolicy": {
    object (WrrPolicy)
  },
  "geo": {
    object (GeoPolicy)
  },
  "wrr": {
    object (WrrPolicy)
  },
  "primaryBackup": {
    object (PrimaryBackupPolicy)
  }
  // End of list of possible types for union field routing_data.
}
Fields
healthCheck

string

The fully qualified URL of the HealthCheck to use for this RRSetRoutingPolicy. Format this URL like https://www.googleapis.com/compute/v1/projects/{project}/global/healthChecks/{healthCheck}. HealthCheck reference: https://documentation.s3ns.fr/compute/docs/reference/rest/v1/healthChecks

kind

string

Union field routing_data.

routing_data can be only one of the following:

geoPolicy
(deprecated)

object (GeoPolicy)

wrrPolicy
(deprecated)

object (WrrPolicy)

geo

object (GeoPolicy)

wrr

object (WrrPolicy)

primaryBackup

object (PrimaryBackupPolicy)

GeoPolicy

Configures a RRSetRoutingPolicy that routes based on the geo location of the querying user.

JSON representation
{
  "items": [
    {
      object (GeoPolicyItem)
    }
  ],
  "enableFencing": boolean,
  "kind": string
}
Fields
items[]

object (GeoPolicyItem)

The primary geo routing configuration. If there are multiple items with the same location, an error is returned instead.

enableFencing

boolean

Without fencing, if the health check fails for all configured items in the current geo bucket, we fail over to the next nearest geo bucket. With fencing, if health checking is enabled, as long as some targets in the current geo bucket are healthy, we return only the healthy targets. However, if all targets are unhealthy, we don't fail over to the next nearest bucket; instead, we return all the items in the current bucket even when all targets are unhealthy.

kind

string

GeoPolicyItem

ResourceRecordSet data for one geo location.

JSON representation
{
  "location": string,
  "rrdatas": [
    string
  ],
  "signatureRrdatas": [
    string
  ],
  "healthCheckedTargets": {
    object (HealthCheckTargets)
  },
  "kind": string
}
Fields
location

string

The geo-location granularity is a GCP region. This location string should correspond to a GCP region, for example "us-east1", "southamerica-east1", "asia-east1", etc.

rrdatas[]

string

signatureRrdatas[]

string

DNSSEC generated signatures for all the rrdata within this item. When using health-checked targets for DNSSEC-enabled zones, you can only use at most one health-checked IP address per item.

healthCheckedTargets

object (HealthCheckTargets)

For A and AAAA types only. Endpoints to return in the query result only if they are healthy. These can be specified along with rrdata within this item.

kind

string

HealthCheckTargets

HealthCheckTargets describes endpoints to health-check when responding to Routing Policy queries. Only the healthy endpoints will be included in the response.

Set either internalLoadBalancers or externalEndpoints. Do not set both.

JSON representation
{
  "internalLoadBalancers": [
    {
      object (LoadBalancerTarget)
    }
  ],
  "externalEndpoints": [
    string
  ]
}
Fields
internalLoadBalancers[]

object (LoadBalancerTarget)

Configuration for internal load balancers to be health checked.

externalEndpoints[]

string

The Internet IP addresses to be health checked. The format matches the format of ResourceRecordSet.rrdata as defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1).

LoadBalancerTarget

The configuration for an individual load balancer to health check.

JSON representation
{
  "loadBalancerType": enum (LoadBalancerType),
  "ipAddress": string,
  "port": string,
  "ipProtocol": enum (IpProtocol),
  "networkUrl": string,
  "project": string,
  "region": string,
  "kind": string
}
Fields
loadBalancerType

enum (LoadBalancerType)

The type of load balancer specified by this target. This value must match the configuration of the load balancer located at the LoadBalancerTarget's IP address, port, and region. Use the following:

  • regionalL4ilb: for a regional internal passthrough Network Load Balancer.
  • regionalL7ilb: for a regional internal Application Load Balancer.
  • globalL7ilb: for a global internal Application Load Balancer.

ipAddress

string

The frontend IP address of the load balancer to health check.

port

string

The configured port of the load balancer.

ipProtocol

enum (IpProtocol)

The protocol of the load balancer to health check.

networkUrl

string

The fully qualified URL of the network that the load balancer is attached to. This should be formatted like https://www.googleapis.com/compute/v1/projects/{project}/global/networks/{network}.

project

string

The project ID in which the load balancer is located.

region

string

The region in which the load balancer is located.

kind

string

LoadBalancerType

LoadBalancerType indicates the type of load balancer to be health checked.

Enums
NONE
GLOBAL_L7ILB Indicates the load balancer is a Cross-Region Application Load Balancer.
REGIONAL_L4ILB Indicates the load balancer is a Regional Network Passthrough Load Balancer.
REGIONAL_L7ILB Indicates the load balancer is a Regional Application Load Balancer.

IpProtocol

The protocol of the load balancer to health check.

Enums
UNDEFINED
TCP Indicates the load balancer is accessible via TCP.
UDP Indicates the load balancer is accessible via UDP.

WrrPolicy

Configures a RRSetRoutingPolicy that routes in a weighted round robin fashion.

JSON representation
{
  "items": [
    {
      object (WrrPolicyItem)
    }
  ],
  "kind": string
}
Fields
items[]

object (WrrPolicyItem)

kind

string

WrrPolicyItem

A routing block which contains the routing information for one WRR item.

JSON representation
{
  "weight": number,
  "rrdatas": [
    string
  ],
  "signatureRrdatas": [
    string
  ],
  "healthCheckedTargets": {
    object (HealthCheckTargets)
  },
  "kind": string
}
Fields
weight

number

The weight corresponding to this WrrPolicyItem object. When multiple WrrPolicyItem objects are configured, the probability of returning a WrrPolicyItem object's data is proportional to its weight relative to the sum of weights configured for all items. This weight must be non-negative.

rrdatas[]

string

signatureRrdatas[]

string

DNSSEC generated signatures for all the rrdata within this item. When using health-checked targets for DNSSEC-enabled zones, you can only use at most one health-checked IP address per item.

healthCheckedTargets

object (HealthCheckTargets)

Endpoints that are health checked before making the routing decision. The unhealthy endpoints are omitted from the result. If all endpoints within a bucket are unhealthy, we choose a different bucket (sampled with respect to its weight) for responding. If DNSSEC is enabled for this zone, only one of rrdata or healthCheckedTargets can be set.

kind

string
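
The routing-policy constraints stated above (one routing_data member, unique geo locations, non-negative WRR weights, one kind of health-checked target, and the DNSSEC limits) can be checked in one pass. This is an added example, not code from the API reference; `lint_routing_policy`, its `rtype` and `dnssec` parameters and the sample body are assumptions of the example.

```python
# Added example (not from the API reference): check an RRSetRoutingPolicy body
# against the constraints stated on this page. rtype and dnssec are caller inputs.
ROUTING_KEYS = ("geoPolicy", "wrrPolicy", "geo", "wrr", "primaryBackup")

def _lint_targets(where, item, dnssec, out):
    hct = item.get("healthCheckedTargets") or {}
    ilbs = hct.get("internalLoadBalancers", [])
    ext = hct.get("externalEndpoints", [])
    if ilbs and ext:
        out.append(f"{where}: internalLoadBalancers and externalEndpoints both set")
    if dnssec and len(ilbs) + len(ext) > 1:
        out.append(f"{where}: more than one health-checked IP in a DNSSEC zone")

def lint_routing_policy(policy, rtype, dnssec=False):
    """Return a list of problems for one routingPolicy object."""
    out = []
    used = [k for k in ROUTING_KEYS if k in policy]
    if len(used) > 1:
        out.append(f"routing_data: more than one member set: {used}")
    geo = policy.get("geo") or policy.get("geoPolicy") or {}
    wrr = policy.get("wrr") or policy.get("wrrPolicy") or {}
    seen = set()
    for i, item in enumerate(geo.get("items", [])):
        loc = item.get("location")
        if loc in seen:
            out.append(f"geo[{i}]: duplicate location {loc}")
        seen.add(loc)
        if item.get("healthCheckedTargets") and rtype not in ("A", "AAAA"):
            out.append(f"geo[{i}]: healthCheckedTargets with record type {rtype}")
        _lint_targets(f"geo[{i}]", item, dnssec, out)
    for i, item in enumerate(wrr.get("items", [])):
        if item.get("weight", 0) < 0:
            out.append(f"wrr[{i}]: negative weight {item['weight']}")
        if dnssec and item.get("rrdatas") and item.get("healthCheckedTargets"):
            out.append(f"wrr[{i}]: rrdatas and healthCheckedTargets both set in a DNSSEC zone")
        _lint_targets(f"wrr[{i}]", item, dnssec, out)
    return out

# Constructed sample body (documentation addresses) with several violations.
BAD_POLICY = {
    "geo": {"items": [
        {"location": "us-east1", "healthCheckedTargets": {
            "externalEndpoints": ["192.0.2.1", "192.0.2.2"]}},
        {"location": "us-east1", "rrdatas": ["192.0.2.3"]}]},
    "wrr": {"items": [{"weight": -1, "rrdatas": ["192.0.2.4"]}]},
}
```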

PrimaryBackupPolicy

Configures an RRSetRoutingPolicy such that all queries are answered with the primaryTargets if they are healthy. If all of them are unhealthy, we fall back to a geo-localized policy.

JSON representation
{
  "primaryTargets": {
    object (HealthCheckTargets)
  },
  "backupGeoTargets": {
    object (GeoPolicy)
  },
  "trickleTraffic": number,
  "kind": string
}
Fields
primaryTargets

object (HealthCheckTargets)

Endpoints that are health checked before making the routing decision. Unhealthy endpoints are omitted from the results. If all endpoints are unhealthy, we serve a response based on the backupGeoTargets.

backupGeoTargets

object (GeoPolicy)

Backup targets provide a regional failover policy for the otherwise global primary targets. If serving state is set to BACKUP, this policy essentially becomes a geo routing policy.

trickleTraffic

number

When serving state is PRIMARY, this field provides the option of sending a small percentage of the traffic to the backup targets.

kind

string

Behavior

Enums
BEHAVIOR_UNSPECIFIED
BYPASS_RESPONSE_POLICY

Skip a less-specific Response Policy Rule and let the query logic continue. This mechanism, when used with wildcard selectors, lets you exempt specific subdomains from a broader Response Policy Rule and direct the queries to the public internet instead. For example, if the following rules exist:

*.example.com -> LocalData 1.2.3.4
foo.example.com -> Behavior 'passthrough'

A query for foo.example.com skips the wildcard rule.

This functionality also facilitates allowlisting. Response Policy Zones (RPZs) can be applied at multiple levels within the hierarchy: for example, an organization, a folder, a project, or a VPC network. If an RPZ rule is applied at a higher level, adding a passthrough rule at a lower level will override it. Queries from affected virtual machines (VMs) to that domain bypass the RPZ and proceed with normal resolution.
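
Because a bypass rule removes names from a broader filtering rule, it is worth listing every exemption a policy contains. The following added example (not code from the API reference) models the longest-matching-suffix selection and BYPASS_RESPONSE_POLICY for the two-rule case above; the function names and the wildcard semantics noted in the comments are assumptions of the example.

```python
# Added example (not from the API reference): a model of rule selection and of
# BYPASS_RESPONSE_POLICY, plus an audit listing the exemptions a policy contains.
def _labels(name):
    return name.rstrip(".").lower().split(".")

def match_rule(rules, qname):
    """Return the matching rule with the longest dnsName suffix, or None."""
    q, best, best_len = _labels(qname), None, -1
    for rule in rules:
        sel = _labels(rule["dnsName"])
        if sel[0] == "*":
            # Assumption: a wildcard matches names strictly below its suffix.
            suffix = sel[1:]
            hit = len(q) > len(suffix) and q[len(q) - len(suffix):] == suffix
        else:
            suffix = sel
            hit = q == sel
        if hit and len(suffix) > best_len:
            best, best_len = rule, len(suffix)
    return best

def decide(rules, qname):
    """Return (outcome, detail) for one query name."""
    rule = match_rule(rules, qname)
    if rule is None:
        return ("no-rule", None)
    if rule.get("behavior") == "BYPASS_RESPONSE_POLICY":
        return ("bypass", rule["ruleName"])
    return ("localData", [rr["rrdatas"] for rr in rule["localData"]["localDatas"]])

def bypass_exemptions(rules):
    """Pair each bypass rule with the broader localData rule it carves a hole in."""
    answering = [r for r in rules if "localData" in r]
    pairs = []
    for r in rules:
        if r.get("behavior") == "BYPASS_RESPONSE_POLICY":
            probe = r["dnsName"].replace("*", "probe", 1)  # one name the rule matches
            covered = match_rule(answering, probe)
            pairs.append((r["dnsName"], covered["dnsName"] if covered else None))
    return pairs

# Constructed rules mirroring the two-rule example above.
RULES = [
    {"ruleName": "wild", "dnsName": "*.example.com.", "localData": {"localDatas": [
        {"name": "*.example.com.", "type": "A", "rrdatas": ["1.2.3.4"]}]}},
    {"ruleName": "allow-foo", "dnsName": "foo.example.com.",
     "behavior": "BYPASS_RESPONSE_POLICY"},
]
```

A pair whose second element is `None` is a bypass rule with no broader rule in the same policy, which is the shape a lower-level override of a higher-level policy would take.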

Methods

create

Creates a new Response Policy Rule.

delete

Deletes a previously created Response Policy Rule.

get

Fetches the representation of an existing Response Policy Rule.

list

Enumerates all Response Policy Rules associated with a project.

patch

Applies a partial update to an existing Response Policy Rule.

update

Updates an existing Response Policy Rule.