For apps/services hosted on the system domain that get their route by
publishing to nats or the routing-api, I believe it only requires
registering the route with the additional route_service_url. See the
routing-api-cli [1] for example usage.

As for api, login, etc, many of these components are now using a shared
route registrar job. I could imagine that job being extended to take a
configurable route_service_url.

As an FYI, I've been considering using route services for cloud controller
for rate limiting in the future.

[1] https://github.com/cloudfoundry-incubator/routing-api-cli

On Mon, Nov 9, 2015 at 8:56 PM, Carlo Alberto Ferraris <
carlo.ferraris(a)rakuten.com> wrote:

Our use case include restricting access to some hostnames on the system
domain (e.g. api/login/etc.) as well as others that we may add externally.
From a cursory read of the proposed spec it sounds like route services are
designed to be bound to apps running in CF, so IIUC it wouldn't be possible
to deny/allow connections to non-app endpoints.