Shared VPC Firewall Example Policy
ADR-0003 · Author: GitHub Service Account (Deactivated) · Date: 2024-03-29 · Products: platform
Originally: 0002-SHARED-VPC_firewall-example-policy (v5) · Source on Confluence (Firewall Policy)
Policy and rule evaluation order
Example Policy
| Policy Type | Direction | Source | Destination | Action | Priority | Comment |
|---|---|---|---|---|---|---|
| Org firewall policy | ingress | Known malicious IP addresses, TOR exit nodes | any | BLOCK | 1000 | block known bad actors |
| Org firewall policy | egress | any | Known malicious IP addresses, TOR exit nodes | BLOCK | 5000 | |
| Org firewall policy | egress | any | any, TCP:80/443 | ALLOW | 5500 | |
| *(implied `goto_next`)* | | | | | | |
| VPC firewall rules | ingress | 10.0.0.0/8 | 172.16.0.0/12 | ALLOW | 10000 | controlled at Cato WAN firewall |
| VPC firewall rules | egress | 172.16.0.0/12 | 10.0.0.0/8 | ALLOW | 30000 | |
| *(implied `goto_next`)* | | | | | | |
| Global network firewall policy | ingress | PROD:ITL | PROD:ITL | ALLOW | 66000 | source and destination are IAM-governed tags |
| Global network firewall policy | egress | PROD:ITL | PROD:ITL | ALLOW | 66500 | |
| Global network firewall policy | ingress | PROD:AIRBOSS | PROD:AIRBOSS | ALLOW | 67000 | |
| Global network firewall policy | egress | PROD:AIRBOSS | PROD:AIRBOSS | ALLOW | 67500 | |
| Global network firewall policy | ingress | DEV:ITL | DEV:ITL | ALLOW | 68000 | |
| Global network firewall policy | egress | DEV:ITL | DEV:ITL | ALLOW | 68500 | |
| Global network firewall policy | ingress | DEV:AIRBOSS | DEV:AIRBOSS | ALLOW | 69000 | |
| Global network firewall policy | egress | DEV:AIRBOSS | DEV:AIRBOSS | ALLOW | 69500 | |
| Global network firewall policy | ingress | any | any | BLOCK | 2147483642 | NIST 800-53 SC-7(5) BOUNDARY PROTECTION: DENY BY DEFAULT — ALLOW BY EXCEPTION |
| Global network firewall policy | egress | any | any | BLOCK | 2147483643 | |
| *(implied `goto_next`)* | | | | | | |
| Implicit rules | ingress | any | any | BLOCK | | |
| Implicit rules | egress | any | any | ALLOW | | implicit rule not used due to 2147483643 |
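The evaluation order the table describes, as a small added model written for this page (not the ADR's or the platform team's tooling): each level is walked by ascending priority, the first matching rule decides, and a level with no match falls through (`goto_next`) to the next level. The threat-intelligence list and the sample flows are constructed stand-ins; selector names such as `bad` are this model's own shorthand.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the "known malicious IP addresses / TOR exit nodes" list.
KNOWN_BAD = {"198.51.100.7"}

def match(sel, value):
    """Selector: 'any', 'bad' (threat list), a CIDR, or an exact tag such as PROD:ITL."""
    if sel == "any":
        return True
    if sel == "bad":
        return value in KNOWN_BAD
    if "/" in sel:
        try:
            return ip_address(value) in ip_network(sel)
        except ValueError:          # a tag value is never inside a CIDR
            return False
    return sel == value

TAGS = ["PROD:ITL", "PROD:AIRBOSS", "DEV:ITL", "DEV:AIRBOSS"]
# Levels in the order the table shows them; rule = (priority, direction, src, dst, tcp_ports, action).
POLICY = [
    ("org firewall policy", [
        (1000, "ingress", "bad", "any", None, "BLOCK"),
        (5000, "egress", "any", "bad", None, "BLOCK"),
        (5500, "egress", "any", "any", {80, 443}, "ALLOW"),
    ]),
    ("VPC firewall rules", [
        (10000, "ingress", "10.0.0.0/8", "172.16.0.0/12", None, "ALLOW"),
        (30000, "egress", "172.16.0.0/12", "10.0.0.0/8", None, "ALLOW"),
    ]),
    ("global network firewall policy",
     [(66000 + 1000 * i + 500 * j, d, t, t, None, "ALLOW")          # 66000 .. 69500 tag pairs
      for i, t in enumerate(TAGS) for j, d in enumerate(("ingress", "egress"))]
     + [(2147483642, "ingress", "any", "any", None, "BLOCK"),       # deny by default
        (2147483643, "egress", "any", "any", None, "BLOCK")]),
]
IMPLICIT = {"ingress": "BLOCK", "egress": "ALLOW"}   # reached only if every level falls through

def evaluate(direction, src, dst, tcp_port=None):
    """Return (action, deciding rule). Lower priority number wins within a level;
    a level with no matching rule falls through to the next (goto_next)."""
    for level, rules in POLICY:
        for prio, d, s, t, ports, action in sorted(rules, key=lambda r: r[0]):
            if d != direction or (ports is not None and tcp_port not in ports):
                continue
            if match(s, src) and match(t, dst):
                return action, f"{level} @{prio}"
    return IMPLICIT[direction], "implicit rule"
```

Two results worth noting: egress to a listed address on TCP/443 is blocked at 5000 before the 5500 allow is considered, and untagged egress that matches nothing above ends at the explicit 2147483643 deny, so the implicit egress allow is never consulted. In GCP the relative order of VPC firewall rules and network firewall policies is set per network; the model follows the order this table shows.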