OptionalauthenticationThe authenticated identity the request must match. When unset, the rule matches all users and service principals. On the account-level network policy, scoping to specific identities is not currently supported, so this field must be unset (the rule matches all users and service principals).
OptionaldestinationThe destination the request must match — the resource being accessed, for example the workspace UI, workspace APIs, or account-level APIs. See RequestDestination.
OptionallabelThe label for this ingress rule.
OptionaloriginThe origin the request must match — the private connectivity the request arrives through, for example a specific set of registered endpoints or any endpoint registered to the account. See PrivateRequestOrigin.
An ingress rule is enforced when a request satisfies all specified attributes — including request origin, destination, and authentication.