I have an automated firewall sync script that keeps VPS firewall rules in sync with upstream CDN IP lists, so that the VPS cannot be accessed by anything other than the CDN. Some CDNs don't have neat and tidy CIDR blocks (like Cloudflare does, for example), and have, instead, hundreds of individual IPs (like Bunny). This translates to around 400-800 rules that need to be managed.
Currently, the only way to manage rules is one at a time using the existing API endpoints.
POST /api/vps/v1/firewall/<firewallId>/rules to add one rule.PUT /api/vps/v1/firewall/<firewallId>/rules/<ruleId> to update one rule.DELETE /api/vps/v1/firewall/<firewallId>/rules/<ruleId> to delete one rule.
With 400-800 rules, this quickly hits rate limits and makes the operation take an unreasonably long time. Therefore, I think it would be helpful to have a couple of endpoints that allow adding, deleting, or replacing multiple rules in a single request.
I don't have any strong prefrence on the exact API design. But, here are a couple of ideas.
-
Bulk create: POST /api/vps/v1/firewall/<firewallId>/rules/bulk
Add multiple rules in one request.
Example request:
{
"rules": [
{
"action": "accept",
"protocol": "TCP",
"port": "443",
"source": "custom",
"source_detail": "173.245.48.0/20"
},
{
"action": "accept",
"protocol": "TCP",
"port": "443",
"source": "custom",
"source_detail": "103.21.244.0/22"
}
]
}Example response:
{
"created_rule_ids": [12345, 12346]
}
-
Bulk delete: DELETE /api/vps/v1/firewall/<firewallId>/rules/bulk
Delete multiple rules by their IDs in one request.
Example request:
{ "rule_ids": [12345, 12346, 12347] }Example response:
{
"deleted_rule_ids": [12345, 12346, 12347]
}
-
Bulk update: PUT /api/vps/v1/firewall/<firewallId>/rules/bulk
Update multiple existing rules by their IDs in one request.
Example request:
{
"rules": [
{
"id": 12345,
"action": "accept",
"protocol": "TCP",
"port": "8080",
"source": "custom",
"source_detail": "173.245.48.0/20"
},
{
"id": 12346,
"action": "drop",
"protocol": "TCP",
"port": "443",
"source": "custom",
"source_detail": "103.21.244.0/22"
}
]
}Example response:
{
"updated_rule_ids": [12345, 12346]
}
-
Replace all: PUT /api/vps/v1/firewall/<firewallId>/rules
Replace the entire rule set with the provided list.
Example request:
{
"rules": [
{
"action": "accept",
"protocol": "TCP",
"port": "443",
"source": "custom",
"source_detail": "173.245.48.0/20"
},
{
"action": "accept",
"protocol": "TCP",
"port": "443",
"source": "custom",
"source_detail": "103.21.244.0/22"
}
]
}Example response:
{
"created_rule_ids": [12345, 12346]
}
Even with pagination or maximum batch sizes, this would reduce the number of API calls from hundreds to just a few and completely bypass the rate limiting issues that arise from such a syncronization, and presumably be more efficient on the server side. Such an API would also have the benefit of making such bulk updates atomic, so that it's not possible for a sync like this to be interrupted halfway and leave the firewall with only some of the rules updated.
I have an automated firewall sync script that keeps VPS firewall rules in sync with upstream CDN IP lists, so that the VPS cannot be accessed by anything other than the CDN. Some CDNs don't have neat and tidy CIDR blocks (like Cloudflare does, for example), and have, instead, hundreds of individual IPs (like Bunny). This translates to around 400-800 rules that need to be managed.
Currently, the only way to manage rules is one at a time using the existing API endpoints.
POST /api/vps/v1/firewall/<firewallId>/rulesto add one rule.PUT /api/vps/v1/firewall/<firewallId>/rules/<ruleId>to update one rule.DELETE /api/vps/v1/firewall/<firewallId>/rules/<ruleId>to delete one rule.With 400-800 rules, this quickly hits rate limits and makes the operation take an unreasonably long time. Therefore, I think it would be helpful to have a couple of endpoints that allow adding, deleting, or replacing multiple rules in a single request.
I don't have any strong prefrence on the exact API design. But, here are a couple of ideas.
Bulk create:
POST /api/vps/v1/firewall/<firewallId>/rules/bulkAdd multiple rules in one request.
Example request:
{ "rules": [ { "action": "accept", "protocol": "TCP", "port": "443", "source": "custom", "source_detail": "173.245.48.0/20" }, { "action": "accept", "protocol": "TCP", "port": "443", "source": "custom", "source_detail": "103.21.244.0/22" } ] }Example response:
{ "created_rule_ids": [12345, 12346] }Bulk delete:
DELETE /api/vps/v1/firewall/<firewallId>/rules/bulkDelete multiple rules by their IDs in one request.
Example request:
{ "rule_ids": [12345, 12346, 12347] }Example response:
{ "deleted_rule_ids": [12345, 12346, 12347] }Bulk update:
PUT /api/vps/v1/firewall/<firewallId>/rules/bulkUpdate multiple existing rules by their IDs in one request.
Example request:
{ "rules": [ { "id": 12345, "action": "accept", "protocol": "TCP", "port": "8080", "source": "custom", "source_detail": "173.245.48.0/20" }, { "id": 12346, "action": "drop", "protocol": "TCP", "port": "443", "source": "custom", "source_detail": "103.21.244.0/22" } ] }Example response:
{ "updated_rule_ids": [12345, 12346] }Replace all:
PUT /api/vps/v1/firewall/<firewallId>/rulesReplace the entire rule set with the provided list.
Example request:
{ "rules": [ { "action": "accept", "protocol": "TCP", "port": "443", "source": "custom", "source_detail": "173.245.48.0/20" }, { "action": "accept", "protocol": "TCP", "port": "443", "source": "custom", "source_detail": "103.21.244.0/22" } ] }Example response:
{ "created_rule_ids": [12345, 12346] }Even with pagination or maximum batch sizes, this would reduce the number of API calls from hundreds to just a few and completely bypass the rate limiting issues that arise from such a syncronization, and presumably be more efficient on the server side. Such an API would also have the benefit of making such bulk updates atomic, so that it's not possible for a sync like this to be interrupted halfway and leave the firewall with only some of the rules updated.