Configure Network-layer DDoS Attack Protection via API

Configure the Cloudflare Network-layer DDoS Attack Protection managed ruleset by defining overrides at the account level using the Rulesets API.

Each account has the Network-layer DDoS Attack Protection managed ruleset enabled by default. This means that you do not need to deploy the managed ruleset to the ddos_l4 phase entry point ruleset explicitly. You only have to create a rule in the phase entry point to deploy the managed ruleset if you need to configure overrides.

​​ Configure an override for the Network-layer DDoS Attack Protection managed ruleset

You can define overrides at the ruleset, tag, and rule level for all managed rulesets.

When configuring the Network-layer DDoS Attack Protection managed ruleset, use overrides to define a different action or sensitivity from the default values. For more information on these rule parameters and the allowed values, refer to Managed ruleset parameters.

​​ Example

The following PUT example creates a new phase ruleset (or updates the existing one) for the ddos_l4 phase at the account level. The request includes several overrides to adjust the default behavior of the Network-layer DDoS Attack Protection managed ruleset. These overrides are the following:

• All rules of the Network-layer DDoS Attack Protection managed ruleset will have their sensitivity set to medium.
• All rules tagged with <TAG_NAME> will have their sensitivity set to low.
• The rule with ID <MANAGED_RULESET_RULE_ID> will use the block action.

The overrides apply to all packets matching the rule expression: ip.dst in { 1.1.1.0/24 }.

The response returns the created (or updated) phase entry point ruleset.

For more information on defining overrides for managed rulesets using the Rulesets API, refer to Override a managed ruleset.