Configure a Secure Egress Filter

Objective

This guide provides instructions on how to create and apply a secure filter for egress traffic at the network edge using the Volterra platform. Egress filtering is achieved by configuring a forward proxy.

A forward proxy connects the inside (private) network with the outside (public) network and is the point at which outbound connections can be allowed or denied. See Forward Proxy for more information.


Prerequisites

Note: If you do not have an account, see Create a VES Account.


Configuration

This guide covers creating and applying a forward proxy that permits traffic only to GitHub and blocks traffic to every other destination on the outside network. The following figure shows the topology of this example:

Figure: Forward Proxy Sample Topology

The following figure shows the sequence of steps in creating a forward proxy:

Figure: Forward Proxy Creation Sequence

Configuration Sequence

Applying a forward proxy includes performing the following sequence of actions:

  • Create Virtual Networks: Create virtual networks representing the inside and outside networks.
  • Create Network Interfaces: Create network interfaces for the inside and outside networks.
  • Create Advertise Policy: Create an advertise policy and associate it with the inside network.
  • Create Forward Proxy and Fleet: Create the forward proxy (as a network connector) and add it to a fleet.
  • Assign Forward Proxy Label to Site: Obtain the automatically generated fleet label and assign it to a site.
  • Create Service Policy: Create one policy that allows traffic only to GitHub and another that denies traffic to all other destinations, and group them in a policy set.

Create Virtual Networks

Step 1: Select the system namespace. Select Manage from the configuration menu and select Networking from the options pane. Select Virtual Network and click Add virtual network.

Figure: Create Virtual Network for Inside Network

Step 2: Enter name, labels, and description in the virtual network form. Enter the subnet prefix and prefix length according to your network plan. Select Site Local Inside for the Network Type field.

Step 3: Repeat Step 1 and Step 2 selecting Site Local Outside for the Network Type field.

Figure: Create Virtual Network for Outside Network


Create Network Interfaces

Step 1: Select Manage from the configuration menu and select Networking from the options pane. Select Network Interface and click Add network interface.

Step 2: Enter the configuration parameters as per the following guidelines:

  • Configure name, labels, and description.
  • Select Ethernet for the Type field.
  • Enter 1500 as the value for the MTU field.
  • Click Select virtual network and select the inside virtual network created in the Create Virtual Networks chapter.
  • Select enable for the Enable DHCP client and Enable DHCP server fields.
  • Select disable for the Enable Vlan tagging field.
  • Select eth1 for the Device Name field.

    Figure: Network Interface for Inside Network

Step 3: Click Save changes.

Step 4: Repeat steps from Step 1 to Step 3 with the following values:

  • Configure name, labels, and description.
  • Select Ethernet for the Type field.
  • Enter 1500 as the value for the MTU field.
  • Click Select virtual network and select the outside virtual network created in the Create Virtual Networks chapter.
  • Select disable for the Enable DHCP client and Enable DHCP server fields.
  • Select disable for the Enable Vlan tagging field.
  • Select eth0 for the Device Name field.

    Figure: Network Interface for Outside Network


Create Advertise Policy

Step 1: Select Manage from the configuration menu and Advertise Policies from the options pane. Click Add advertise policy. The advertise policy configuration form gets loaded.

Step 2: Enter configuration as per the following guidelines:

  • Configure name, labels, and description.
  • Select Site for the Where field.
  • Click Select ref and select the site on which the forward proxy is needed.
  • Select Site Local Inside for the Network Type field.

Figure: Advertise Policy for the Forward Proxy


Create Forward Proxy and Fleet

Step 1: Select Manage from the configuration menu and Networking from the options pane. Select Network Connector and click Add network connector.

Step 2: Enter configuration as per the following guidelines:

  • Configure name, labels, and description.

    Note: This example uses a custom label named http-connect-proxy. The name is only a sample and does not indicate that the connector is an HTTP proxy.

  • Select Default Gateway SNAT for the Network Connector Type field.
  • Select Site Local Network for the Outside Virtual Network Type field.
  • Click Select outside network and select outside network configured in the Create Virtual Networks chapter.
  • Select Site Local Inside Network for the Inside Virtual Network Type field.
  • Click Select inside network and select inside network configured in the Create Virtual Networks chapter.
  • Select Forward Proxy for the Proxy Type field.

Figure: Forward Proxy Creation

Note: For a forward proxy, explicitly configuring a virtual host is not required.

Step 3: Select Manage from the configuration menu and Site Management from the options pane. Select Fleet and click Add fleet.

Step 4: Enter configuration as per the following guidelines:

  • Configure name, labels, and description.
  • Click Add device in the Devices field and select eth1 as the device.
  • Select Site Local Inside Network for the Inside Virtual Network Type field.
  • Click Select network connector and select the forward proxy configured in Step 2.

Figure: Fleet for Forward Proxy


Assign Forward Proxy Label to Site

Volterra automatically generates a label for the fleet you configured; you can obtain it from Known Labels.

Step 1: Change to the shared namespace. Select Manage from the configuration menu and Labels from the options pane. Select Known Labels and obtain your fleet label. This example shows a sample fleet label named ves.io/fleet(http-connect-proxy).

Figure: Known Label for the Forward Proxy Fleet

Step 2: Change to the system namespace. Select Manage from the configuration menu and Site List from the options pane. Select the site to which the forward proxy needs to be applied and click ... at the right end of the site entry. Click edit to open the site edit form.

Step 3: Select the ves.io/fleet key in the Labels field and select the value obtained in Step 1. This example uses the sample value http-connect-proxy.

Figure: Applying Fleet Label to Site

Note: You can assign the fleet label to more than one site.


Create Service Policy

This example creates one service policy set containing two service policies. The first policy permits all traffic to github.com and the second policy blocks all other traffic.

Figure: Rule Creation Sequence

Step 1: Select Security from the configuration menu and Service Policies from the options pane. Select Policy Rules and click Add service policy rule.

Step 2: Enter name, labels, and description. Select Allow for the Action field.

Figure: Rule to Permit Traffic to Github

Step 3: Repeat Step 1 and Step 2, selecting Deny for the Action field.

Figure: Rule to Block Traffic Other Destinations

Step 4: Select Security from the configuration menu and Service Policies from the options pane. Select Policies and click Add service policy.

Step 5: Select First Rule Match for the Rule Combining Algorithm field. Click Select Ref and select the allow rule configured in Step 2.

Figure: Policy to Permit Traffic

Step 6: Click the Server Name Matcher field and enter the server names (hostnames, not URLs) in the Exact Values field. This example adds www.github.com and github.com as the values. Because the matching is exact, other names under the same domain (for example api.github.com) are not covered unless you add them explicitly.

Figure: Policy to Permit Traffic with Server Name Matching

Step 7: Repeat Step 5 and Step 6 with the deny rule configured in Step 3 and * in the Exact Values field. This creates a policy that blocks traffic to all non-GitHub destinations. Because this policy matches every server name, it must be evaluated after the allow policy; if it comes first, traffic to GitHub is blocked as well.

Figure: Policy to Block Traffic

Server Name Matcher entry:

Figure: Policy to Block Traffic with Server Name Matching

Step 8: Select Security from the configuration menu and Service Policies from the options pane. Select Policy Sets and click Add service policy set.

Step 9: Enter name, labels, and description. Click Select policy and select the allow policy and then the deny policy configured in the previous steps, in that order, since the policies in a set are evaluated in the order listed.

Figure: Service Policy Set with Allow and Deny Policies

Step 10: Verify that the service policies are active. Select Security from the configuration menu and Service Policies from the options pane. Select Policies to view the list of policies. Inspect the Hits field for the number of hits on each policy.

Figure: Service Policy Hits

Step 11: Verify that traffic is allowed for requests to GitHub but blocked for all other destinations, for example by making an HTTPS request to github.com and to an unrelated host from a workload on the inside network and confirming that only the GitHub request succeeds while the deny policy's hit count increases.

Figure: Service Policy Hits
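The two properties to confirm before trusting this filter are the exact-match semantics of the Server Name Matcher and the first-match ordering of the allow and deny policies. The following Python model is an added example, not code from the Volterra platform or from this guide: it encodes the allow-GitHub and deny-all policies built above, evaluates a few constructed destination names against them in both the correct and the reversed order, and includes a TLS-handshake probe for the final verification. It assumes that * in Exact Values matches every server name, that policies in a set are evaluated in the order listed, that the server name the filter sees is the TLS SNI of the egress connection, and that a connection denied by the filter fails during the handshake.

```python
"""Model of the guide's first-match egress policy set, plus a live probe.

Added example; this is not Volterra code. Assumptions not stated by the
guide: "*" in Exact Values matches every server name, policies in a set are
evaluated in the listed order, and the server name the filter sees is the
TLS SNI of the egress connection.
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    action: str           # "ALLOW" or "DENY"
    exact_values: tuple   # Server Name Matcher exact values; "*" = any

    def matches(self, server_name: str) -> bool:
        # Exact match only: "github.com" does not cover "api.github.com".
        return "*" in self.exact_values or server_name.lower() in self.exact_values


def evaluate(policy_set, server_name):
    """First Rule Match: the first policy whose matcher fits decides.
    Returns (action, policy name), or ("NO_MATCH", None) if nothing matched,
    which is the situation the catch-all deny policy exists to prevent."""
    for policy in policy_set:
        if policy.matches(server_name):
            return policy.action, policy.name
    return "NO_MATCH", None


def decisions(policy_set, server_names):
    """Map each server name to the action the policy set would take."""
    return {name: evaluate(policy_set, name)[0] for name in server_names}


# The two policies built in this guide, in the order they must appear in the set.
ALLOW_GITHUB = ServicePolicy("allow-github", "ALLOW", ("github.com", "www.github.com"))
DENY_ALL = ServicePolicy("deny-all", "DENY", ("*",))
POLICY_SET = (ALLOW_GITHUB, DENY_ALL)

# The same policies in the wrong order: the catch-all deny shadows the allow.
MISORDERED_SET = (DENY_ALL, ALLOW_GITHUB)

# Constructed sample destinations for the walkthrough (not from the guide).
SAMPLE_NAMES = ("github.com", "www.github.com", "api.github.com", "example.com")


def probe_tls(host, port=443, timeout=5.0):
    """Complete a TLS handshake with SNI=host and report whether it succeeded.
    A bare TCP connect is not enough: the filter keys on the server name,
    which the proxy only sees in the ClientHello."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def verify(expected, probe=probe_tls):
    """Compare observed reachability with the expected decisions.
    Returns a list of (host, expected, observed) mismatches; an empty list
    means the filter behaves as modelled. `probe` is injectable so the check
    can run offline against a fake."""
    mismatches = []
    for host, decision in expected.items():
        observed = "ALLOW" if probe(host) else "DENY"
        if observed != decision:
            mismatches.append((host, decision, observed))
    return mismatches


if __name__ == "__main__":
    for label, pset in (("correct order", POLICY_SET), ("misordered", MISORDERED_SET)):
        print(label, decisions(pset, SAMPLE_NAMES))
    # Run this from a workload behind the inside interface to exercise the live filter.
    print("mismatches:", verify(decisions(POLICY_SET, SAMPLE_NAMES)))
```

Run the script from a workload on the inside network after the fleet label has been applied to the site: an empty mismatch list means every sampled destination behaved as the model predicts. The misordered set shows why the allow policy has to precede the deny policy in the policy set, and api.github.com shows the cost of exact matching.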
