Restricting Sources for Egress Traffic

In the current security policy rules, the rules were created with the source address set to any. Address objects can restrict egress access to a set of sources narrower than any. A source address object can be defined as a static IP or CIDR (e.g. 10.0.0.212 or 10.0.0.0/16) or as a dynamic type such as instance tags, security groups and more. Static CIDR addresses are useful when the environment is static. In a cloud environment, where workloads are dynamic and change frequently, it is more useful to define address objects using cloud resource attributes such as instance tags, security groups, VPCs, subnets and more, so the rule follows the resource rather than a fixed IP.

Create Static Subnet Address Object

  1. Navigate to Manage -> Security Policies -> Addresses
  2. Click Create
  3. Provide a name (e.g. spoke1-z1-apps-subnet)
  4. Select the object type as Static
  5. Set the value as 10.0.0.0/24 (this is the subnet spoke1-z1-apps)
  6. Click Save to save the address object

Use Static Subnet in the Policy

  1. Click Manage -> Security Policies -> Rules
  2. Find the ruleset name that is associated with the Egress Gateway
  3. Click the rule set name
  4. We will be changing the source address for https traffic
  5. Click the table row any-egress-https and click Edit
  6. In the editor panel, set the Source to spoke1-z1-apps-subnet and click Save to save the rule
  7. Click Save to save the ruleset
  8. The rule shows spoke1-z1-apps-subnet as a Source Address in the rules table

Traffic for Static Subnet

  1. SSH to the EC2 instance spoke1-z1-app created in the spoke1-vpc
  2. curl https://www.example.com -kv -o /dev/null
  3. You should get a successful response
  4. SSH to the EC2 instance spoke1-z2-app created in the spoke1-vpc
  5. curl https://www.example.com -kv -o /dev/null
  6. This should fail as there is no rule to allow the traffic from this subnet

Dynamic Address Using Instance Tags

Create a dynamic address object that uses EC2 instance tags. The Valtix Controller discovers all the instances and keeps a record of their IP addresses, tags and other attributes. Once a dynamic address object is created and used in the rules, any new instance that appears with the same tags is automatically covered by those rules.

  1. Go to the AWS console and add the tags to the EC2 instances
    1. Add a tag to the EC2 instance spoke1-z1-app with key Category and value prod
    2. Add a tag to the EC2 instance spoke1-z2-app with key Category and value dev
  2. It might take a minute or two for the Valtix Controller to detect the newly added tag
  3. Navigate to Manage -> Security Policies -> Addresses
  4. Click Create
  5. Provide a name (e.g. vm-tag-dev)
  6. Select the object type as User Defined Tag
  7. Check the checkbox Auto Update (this allows the Valtix controller to automatically update the membership of the address object when new resources are discovered)
  8. Select the Cloud Account, region (e.g. us-east-1) and VPC (e.g. spoke1-vpc)
  9. Select the Instance Tag as Category and the Instance Tag Value as dev
  10. Click Save to save the address object

Click the address object and notice the addresses detected for the tag. You can see both the private and public IP addresses of the spoke1-z2-app instance in the details.

Use Dynamic Address in the Policy

  1. Click Manage -> Security Policies -> Rules
  2. Find the ruleset name that's associated with the Egress Gateway
  3. Click the rule set name
  4. We will be changing the source address for https traffic
  5. Click the table row any-egress-https and click Edit
  6. In the editor panel, set the Source to vm-tag-dev and click Save to save the rule
  7. Click Save to save the ruleset
  8. The rule shows vm-tag-dev as a Source Address in the rules table

Traffic for Dynamic Address

  1. SSH to the EC2 instance spoke1-z1-app created in the spoke1-vpc
  2. curl https://www.example.com -kv -o /dev/null
  3. This should fail for the prod instance, as the policy rule allows only sources tagged dev
  4. SSH to the EC2 instance spoke1-z2-app created in the spoke1-vpc
  5. curl https://www.example.com -kv -o /dev/null
  6. You should receive a successful response for this dev instance

Go back to the AWS console and change the Category tag on spoke1-z1-app to dev and wait for a minute or two for the Valtix Controller to detect this change.

Check the details of the address object and verify that the IP address of spoke1-z1-app appears.

Re-run the above commands on this instance and verify that they now succeed.
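To make the membership semantics of the tag-based address object and the Auto Update behaviour concrete, the following added example (illustration only, not Valtix Controller code) resolves a hypothetical vm-tag-dev object against constructed DescribeInstances-shaped records for the two lab instances, then re-tags spoke1-z1-app to dev and shows the rule now matching its source IP. The VPC id, subnets and IP addresses are placeholders, not values from the lab.

```python
from copy import deepcopy
from dataclasses import dataclass

# Constructed sample in the shape of EC2 DescribeInstances records: the two lab
# instances in spoke1-vpc, tagged as in the walkthrough (z1=prod, z2=dev).
# VPC id, subnets and IPs are made-up placeholders, not values from the page.
INSTANCES = [
    {"InstanceId": "i-0spoke1z1", "VpcId": "vpc-spoke1", "PrivateIpAddress": "10.0.0.10",
     "PublicIpAddress": "203.0.113.10", "Placement": {"AvailabilityZone": "us-east-1a"},
     "Tags": [{"Key": "Name", "Value": "spoke1-z1-app"}, {"Key": "Category", "Value": "prod"}]},
    {"InstanceId": "i-0spoke1z2", "VpcId": "vpc-spoke1", "PrivateIpAddress": "10.0.1.10",
     "PublicIpAddress": "203.0.113.20", "Placement": {"AvailabilityZone": "us-east-1b"},
     "Tags": [{"Key": "Name", "Value": "spoke1-z2-app"}, {"Key": "Category", "Value": "dev"}]},
]

@dataclass(frozen=True)
class TagAddressObject:
    """Hypothetical model of a 'User Defined Tag' address object scoped to region and VPC."""
    name: str
    region: str
    vpc_id: str
    tag_key: str
    tag_value: str

VM_TAG_DEV = TagAddressObject("vm-tag-dev", "us-east-1", "vpc-spoke1", "Category", "dev")

def tag_value(instance, key):
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)

def resolve_members(obj, instances):
    """Private and public IPs of instances matching the object's region, VPC and tag value."""
    members = set()
    for inst in instances:
        if not inst["Placement"]["AvailabilityZone"].startswith(obj.region):
            continue  # other region (AZ-prefix check is a simplification)
        if inst["VpcId"] != obj.vpc_id or tag_value(inst, obj.tag_key) != obj.tag_value:
            continue  # other VPC, or tag missing / different value
        members.add(inst["PrivateIpAddress"])
        if inst.get("PublicIpAddress"):
            members.add(inst["PublicIpAddress"])
    return members

def source_allowed(obj, instances, src_ip):
    """Would a rule whose Source is obj match traffic from src_ip? Re-resolving models Auto Update."""
    return src_ip in resolve_members(obj, instances)

def retag(instances, name, key, value):
    """Simulate changing a tag in the AWS console; returns a new list, input untouched."""
    updated = deepcopy(instances)
    for inst in updated:
        if tag_value(inst, "Name") == name:
            inst["Tags"] = [t for t in inst["Tags"] if t["Key"] != key] + [{"Key": key, "Value": value}]
    return updated
```

Running resolve_members before and after retag reproduces the lab observation: only spoke1-z2-app is a member at first, and spoke1-z1-app joins once its Category tag becomes dev.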