Network Policies

Objective

This guide provides instructions on how to create a network policy using the guided wizards in VoltConsole. Network policies apply to traffic that enters, leaves or originates on the Volterra Gateway. To learn more about network policies, see Volterra Network Policy.

Using the instructions provided in this document, you can create network policies with policy rules controlling the traffic to secure your network.


Prerequisites


Configuration



Create Network Policy

Log into VoltConsole and perform the following:

Step 1: Navigate to network policy configuration and start creating a policy.
  • Select Security -> Firewall -> Network Policies in the System namespace.
  • Click Add network policy. Set a name in the Metadata section.
Step 2: Configure endpoint.
  • For the Select Endpoint option in the Attachment section, you can select between:

    • IP Prefix List
    • Any Endpoints
    • Endpoints reachable via all Outside Interfaces
    • Endpoints reachable via all Inside Interfaces
    • Label Selector - a Label that identifies an Endpoint

Figure: Endpoint selection - IPv4 Prefix List and the prefix

Step 3: Configure rules.
  • Configure Ingress Rules or Egress Rules (or both) to define the direction in which you want to apply your policies. Ingress and egress are defined relative to the configured endpoint.

Figure: Ingress and Egress rules

  • Click Configure in the Ingress section and click Add item in the ingress rule configuration. Configure the rules as per the following guidelines:

    • Set a name in the Rule Name field and select an action in the Action field.
    • Select an endpoint type for the Select Other Endpoint field and enter the endpoint configuration accordingly. All endpoints are set by default.
    • Select an option for the Select Type of Traffic to Match field. This lets you apply the rule selectively to a traffic type such as TCP. All traffic is matched by default.
    • Click Apply.

This example shows an ingress rule that denies all ingress traffic.

Figure: Ingress Rule Configuration

  • Click Configure in the Egress section and click Add item in the egress rule configuration. Configure the rule in the same way as the ingress rule. Click Apply.

Note: You can add more rules using the Add item option.

Step 4: Complete network policy creation.

Click Save and Exit. Verify that the policy is displayed in the Security -> Firewall -> Network Policies view.

Note: When you create an active network policy, an implicit DENY ALL rule is inserted at the end. So if you are selecting traffic to DENY and you want everything else to be allowed, make sure that the last of your policies is one that allows ALL traffic.

Step 5: Attach the policy to network firewall.

After creating the network policy, you can attach it to the network firewall.

  • Select Security -> Firewall -> Network Firewall in the System namespace.
  • Click ... -> Edit for your firewall from the displayed list.
  • Go to the Network Policy Configuration section and select Active Network Policies in the Select Network Policy Configuration field.
  • Select the created network policy from the drop-down list for the Network Policy field.
  • Ensure that you insert a policy that allows all traffic at the end.

Note: You can add multiple policies using the Add item option.
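
The effect of the implicit DENY ALL rule on an ordered list of attached policies can be checked with a small model. This is an added example, not Volterra code: the Rule class, the evaluate and audit helpers, the first-match evaluation order and the sample prefixes are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                 # "ALLOW" or "DENY"
    prefix: str = "0.0.0.0/0"   # other endpoint; default matches all endpoints
    protocol: str = "ANY"       # traffic type; default matches all traffic

    def matches(self, peer_ip, protocol):
        in_prefix = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.prefix)
        return in_prefix and self.protocol in ("ANY", protocol)

def evaluate(policies, peer_ip, protocol):
    """Return (action, rule name) for one flow.

    policies is an ordered list of rule lists. The first matching rule wins
    (assumed order); a flow that matches nothing hits the implicit DENY ALL.
    """
    for rules in policies:
        for rule in rules:
            if rule.matches(peer_ip, protocol):
                return rule.action, rule.name
    return "DENY", "implicit-deny-all"

def audit(policies, flows):
    """Count hits per rule, comparable to reading the Hits column."""
    hits = {}
    for peer_ip, protocol in flows:
        _, name = evaluate(policies, peer_ip, protocol)
        hits[name] = hits.get(name, 0) + 1
    return hits

# Constructed sample data (documentation address ranges).
BLOCK_RANGE = [Rule("deny-range", "DENY", prefix="203.0.113.0/24")]
ALLOW_ALL = [Rule("allow-all", "ALLOW")]
FLOWS = [("203.0.113.7", "TCP"), ("198.51.100.20", "TCP"), ("192.0.2.5", "UDP")]

if __name__ == "__main__":
    # Deny-only policy: every other flow falls through to the implicit deny.
    print(audit([BLOCK_RANGE], FLOWS))
    # Same policy followed by an allow-all policy: only the range is blocked.
    print(audit([BLOCK_RANGE, ALLOW_ALL], FLOWS))
```

In this model, a deny-only policy list blocks all three sample flows, while appending the allow-all policy leaves only the denied range blocked.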

Step 6: Verify the network policy operation.
  • Select Security -> Firewall -> Network Policies in the System namespace.
  • Check the Hits field for the displayed list of network policies. This indicates how many times the network policy was applied to the traffic.

Figure: Policy Hits

  • Click the value of Hits to display which rules are applied and how many times they are applied.

Figure: Rule Hits

Note: You can obtain the policy or rule hits over a specific time interval using the time interval selector option.


Concepts


API References