> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Protecting Your Endpoints by Denying Unwanted Traffic

> Configure request denial rules in Kubernetes to block unwanted or malicious traffic before it reaches your upstream services.

Whenever your endpoints are exposed to the internet, they will inevitably receive unwanted or malicious traffic. This can include bot activity, unauthorized access attempts, abusive requests, or even potential security threats.

By denying requests at the edge, you can:

🚫 Block unauthorized access attempts before they reach your upstream service. <br />
⚡ Reduce load on backend services by filtering unnecessary traffic. <br />
🔐 Improve security by rejecting requests based on predefined rules. <br />

## 🔍 What are the benefits of denying requests?

Publicly exposed services are constantly targeted by automated scanners, bots, and unwanted traffic.
Even if these requests are not inherently malicious, they can consume resources, increase latency, and degrade performance.

Key Benefits:

* **Reduce Attack Surface:** Stop unauthorized access attempts before they hit your backend.
* **Harden API Security:** Restrict access to only legitimate users and trusted sources.
* **Improve Performance:** Free up server resources by dropping unwanted requests early.
* **Protect Against Malicious Bots & Scanners:** Prevent automated scripts and scrapers from overloading your API.
* Deny requests based on geolocation rules to comply with regulations.
* Prevent excessive requests from bad actors or misconfigured clients.

## Denying requests examples

The following examples set up an endpoint that will deny all traffic unless the client IP is from the EU.

See the [IP Intelligence](/traffic-policy/variables/ip-intel) page for more ways you can check properties of the connecting IP address.
Check out the [deny request Traffic Policy action](/traffic-policy/actions/deny/) page for more details about how it functions and the parameters it accepts.

<Tabs>
  <Tab title="AgentEndpoint">
    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: AgentEndpoint
    metadata:
      name: example-agent-endpoint
    spec:
      url: https://example-hostname.ngrok.io
      upstream:
        url: http://my-service.my-namespace:8080
      trafficPolicy:
        inline:
          on_http_request:
            - expressions:
                - conn.client_ip.geo.location.is_eu == false
              actions:
                - type: deny
                  config:
                    status_code: 403
    ```
  </Tab>

  <Tab title="CloudEndpoint">
    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: CloudEndpoint
    metadata:
      name: example-cloud-endpoint
    spec:
      url: https://example-hostname.ngrok.io
      trafficPolicy:
        policy:
          on_http_request:
            - expressions:
                - conn.client_ip.geo.location.is_eu == false
              actions:
                - type: deny
                  config:
                    status_code: 403
    ```
  </Tab>

  <Tab title="Ingress">
    💡 `Ingress` resources do not natively support request denial configuration, but they can be extended using a Traffic Policy.

    ### 1. Create an `NgrokTrafficPolicy`

    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: NgrokTrafficPolicy
    metadata:
      name: example-tp
      namespace: default
    spec:
      policy:
        on_http_request:
          - expressions:
              - conn.client_ip.geo.location.is_eu == false
            actions:
              - type: deny
                config:
                  status_code: 403
    ```

    ### 2. Use the `NgrokTrafficPolicy` on an `Ingress`

    ```yaml theme={null}
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        k8s.ngrok.com/traffic-policy: example-tp
      name: example-ingress
      namespace: default
    spec:
      ingressClassName: ngrok
      rules:
        - host: example-hostname.ngrok.io
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: example-service
                    port:
                      number: 80
    ```
  </Tab>

  <Tab title="Gateway API">
    💡 Gateway API resources do not natively support request denial configuration, but they can be extended using a Traffic Policy.

    ### 1. Create an `NgrokTrafficPolicy`

    ```yaml theme={null}
    apiVersion: ngrok.k8s.ngrok.com/v1alpha1
    kind: NgrokTrafficPolicy
    metadata:
      name: example-tp
      namespace: default
    spec:
      policy:
        on_http_request:
          - expressions:
              - conn.client_ip.geo.location.is_eu == false
            actions:
              - type: deny
                config:
                  status_code: 403
    ```

    ### 2. Use the `NgrokTrafficPolicy` on a `Gateway`

    The following example showcases supplying the `NgrokTrafficPolicy` on a `Gateway` resource. All requests to the `Gateway` will run the Traffic Policy.
    If you prefer, `NgrokTrafficPolicy` can also be used on the route level by using an `externalRef` filter on an `HTTPRoute`. See the [using Gateway API guide](/k8s/guides/using-gwapi) for examples.

    ```yaml theme={null}
    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      name: example-gateway
      namespace: default
      annotations:
        k8s.ngrok.com/traffic-policy: example-tp
    spec:
      gatewayClassName: ngrok
      listeners:
        - name: example-hostname
          hostname: "example-hostname.ngrok.io"
          port: 443
          protocol: HTTPS
    ```
  </Tab>
</Tabs>
