The ai.promptGuard policy inspects LLM request prompts and/or model responses before they are forwarded. Guards can be applied to request (incoming user prompts) and response (model output) independently. Multiple guards can be chained in each list.
ai.promptGuard is part of the ai policy, which marks a route as LLM traffic:
binds:
- port: 3000
  listeners:
  - routes:
    - policies:
        ai:
          promptGuard:
            request:
            - regex:
                action: reject
                rules:
                - pattern: SSN
            response:
            - bedrockGuardrails:
                guardrailIdentifier: my-guardrail
                guardrailVersion: DRAFT
                region: us-west-2
Guard types
Each item in request[] or response[] is exactly one of the following guard types:
Regex
Webhook
OpenAI Moderation
Bedrock Guardrails
Google Model Armor
Inspect content using regular expression patterns. Supports both custom patterns and built-in named patterns for common PII types. Regex-based content guard.
regex.action
Action to take when a rule matches. Valid values: reject.
regex.rules
A list of match rules. Each rule is either a builtin named pattern or a custom pattern.
regex.rules[].builtin
A built-in named pattern. Currently supported values include email.
regex.rules[].pattern
A custom regular expression string to match against message content.
rules:
- pattern: SSN
- pattern: Social Security
Example (reject requests containing PII):
ai:
  promptGuard:
    request:
    - regex:
        action: reject
        rules:
        - pattern: SSN
        - pattern: Social Security
      rejection:
        status: 400
        headers:
          set:
            content-type: "application/json"
        body: |
          {
            "error": {
              "message": "Request rejected: Content contains sensitive information",
              "type": "invalid_request_error",
              "code": "content_policy_violation"
            }
          }
    - regex:
        action: reject
        rules:
        - builtin: email
      rejection:
        status: 400
        body: '{"error": {"message": "Contains email address"}}'
Forward content to an external HTTP service for inspection. The service returns an allow or deny decision. Webhook-based content guard.
webhook.target
The external service to forward content to. One of service, host, or backend must be set.
webhook.target.host
Hostname or IP address (with port) of the webhook service.
webhook.target.service
Reference to a named service. Namespace of the service.
webhook.target.backend
Explicit backend reference. The backend must be defined in the top-level backends list.
webhook.forwardHeaderMatches
A list of request headers to forward to the webhook service. Each entry matches by header name and optional value.
Example:
ai:
  promptGuard:
    request:
    - webhook:
        target:
          host: "guard-service:8080"
        forwardHeaderMatches:
        - name: x-user-id
Use the OpenAI Moderation API to classify content. OpenAI Moderation API-based content guard.
openAIModeration.model
string
default: "omni-moderation-latest"
The moderation model to use. Defaults to omni-moderation-latest.
model: omni-moderation-latest
openAIModeration.policies
Backend connection policies for the OpenAI API (TLS, auth, headers, etc.). Supports the same policy fields as other backend connections.
Example:
ai:
  promptGuard:
    request:
    - openAIModeration:
        model: omni-moderation-latest
Use AWS Bedrock Guardrails to evaluate content. AWS Bedrock Guardrails-based content guard.
bedrockGuardrails.guardrailIdentifier
The unique identifier of the Bedrock guardrail to invoke.
guardrailIdentifier: bedrock-guardrail-identifier
bedrockGuardrails.guardrailVersion
The version of the guardrail (e.g. DRAFT or a version number).
bedrockGuardrails.region
The AWS region where the guardrail is deployed.
bedrockGuardrails.policies
Backend policies for AWS authentication. When omitted, implicit AWS credential chain authentication is used.
Example:
ai:
  promptGuard:
    request:
    - bedrockGuardrails:
        guardrailIdentifier: bedrock-guardrail-identifier
        guardrailVersion: DRAFT
        region: us-west-2
    response:
    - bedrockGuardrails:
        guardrailIdentifier: bedrock-guardrail-identifier
        guardrailVersion: DRAFT
        region: us-west-2
Use Google Cloud Model Armor to evaluate content. Google Cloud Model Armor-based content guard.
googleModelArmor.templateId
The Model Armor template ID to use.
templateId: model-armor-template-id
googleModelArmor.projectId
The GCP project ID where Model Armor is configured.
projectId: my-gcp-project
googleModelArmor.location
string
default: "us-central1"
The GCP region. Defaults to us-central1.
googleModelArmor.policies
Backend policies for GCP authentication. When omitted, implicit GCP credential chain authentication is used.
Example:
ai:
  promptGuard:
    request:
    - googleModelArmor:
        templateId: model-armor-template-id
        projectId: model-armor-project-id
        location: us-central1
    response:
    - googleModelArmor:
        templateId: model-armor-template-id
        projectId: model-armor-project-id
        location: us-central1
Rejection configuration
Each guard entry can include a rejection block that customizes the HTTP response returned when the guard denies a request.
rejection
Configures the HTTP response sent to the client when the guard rejects a request.
rejection.status
HTTP status code to return. Defaults to 403.
rejection.body
Response body to send. Supports multi-line strings.
rejection:
  body: |
    {"error": {"message": "Request rejected"}}
rejection.headers
Headers to add, set, or remove from the rejection response.
rejection.headers.add
Headers to add to the rejection response.
rejection.headers.set
Headers to set on the rejection response (overrides existing values).
rejection:
  headers:
    set:
      content-type: "application/json"
rejection.headers.remove
Header names to remove from the rejection response.
Guard chaining
Multiple guards can be listed under request[] or response[]. Guards are evaluated in order. If any guard rejects the content, the associated rejection response is returned immediately and subsequent guards are not evaluated.
ai:
  promptGuard:
    request:
    - regex: # evaluated first
        action: reject
        rules:
        - pattern: SSN
      rejection:
        status: 400
        body: 'Rejected: contains SSN'
    - regex: # evaluated second (only if first passes)
        action: reject
        rules:
        - builtin: email
      rejection:
        status: 400
        body: 'Rejected: contains email'
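The chaining rule above, modelled in Python as an added example (not agentgateway's own code). It shows that the first rejecting guard decides the response, and that the custom pattern SSN matches only that literal text, so a number written without the label passes unless a format rule is added. Assumptions: Python's re module stands in for the gateway's regex engine, the email expression is a simplified stand-in for the built-in, and the digit-format rule and both prompts are constructed.

```python
import re
from dataclasses import dataclass

DEFAULT_STATUS = 403  # default rejection status stated on the page
# Assumption: simplified stand-in for the gateway's built-in `email` pattern.
BUILTINS = {"email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"}


@dataclass
class RegexGuard:
    rules: list  # each rule is {"pattern": <regex>} or {"builtin": <name>}
    status: int = DEFAULT_STATUS
    body: str = ""

    def rejects(self, text):
        for rule in self.rules:
            expr = rule["pattern"] if "pattern" in rule else BUILTINS[rule["builtin"]]
            if re.search(expr, text):
                return True
        return False


def evaluate(chain, text):
    """Return (status, body) of the first guard that rejects, or None if all pass."""
    for guard in chain:
        if guard.rejects(text):
            return guard.status, guard.body  # later guards are not evaluated
    return None


# The chain from the page's guard chaining example.
PAGE_CHAIN = [
    RegexGuard([{"pattern": "SSN"}], 400, "Rejected: contains SSN"),
    RegexGuard([{"builtin": "email"}], 400, "Rejected: contains email"),
]
# Constructed variant: the first guard also matches the number format itself.
FORMAT_CHAIN = [
    RegexGuard([{"pattern": "SSN"}, {"pattern": r"\b\d{3}-\d{2}-\d{4}\b"}],
               400, "Rejected: contains SSN"),
    PAGE_CHAIN[1],
]
# Constructed prompts (the number is a made-up sample, not a real identifier).
LABELLED = "My SSN is 123-45-6789, reply to a@example.com"
UNLABELLED = "Use 123-45-6789 for the credit check"

if __name__ == "__main__":
    for chain in (PAGE_CHAIN, FORMAT_CHAIN):
        print(evaluate(chain, LABELLED), evaluate(chain, UNLABELLED))
```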
The ai.promptGuard policy only applies to routes that process LLM traffic. The parent ai policy must be set on the route for prompt guard to take effect.