Restrict inbound API calls using iRule

Yeah, I'd say in that case it seems like a pretty solid approach.

You have a few options, you could use an LTM policy or an iRule. If an iRule, create a datagroup with all the entries in it. You'll be happy when you have to add more in the future. LTM would be able to handle lots of requests vs ASM, but I don't think it sounds like F5 performance will be limiting you here.

The other option would be to use ASM. Many would argue it's overkill for this, but there's some other benefits. You could add all the URL endpoints with a wildcard, like /api/v1/stringa/* /api/v1/stringb/* and then block all the other endpoints. I assumed it's a REST API, but if it's XML/SOAP based, you can also parse it. Obviously bot defense isn't going to help much since your clients are automated. The thing I like about the ASM approach is that another engineer looking at it would see lists of URLs in the GUI vs a scary programming language and datagroups. You'd also get a better interface for seeing the blocks and better built-in logging.

BIG-IP has a lot of tools for the job, so it's really what fits your environment.