Volterra Network Rule Reference

Objective

This document provides information on Volterra predefined network policy rules that ensure communication between the Volterra services regardless of user defined network rules. For more information on Volterra networks and network policies, see Networking and Network Policies respectively.

Use the information provided in this guide to understand the predefined network rules and plan user defined policies to control the ingress and egress traffic for your network. See Configure Network Policies document for instructions on how to configure network policies.


Volterra Predefined Network Policies

Volterra supports user defined network policy rules on the site local and site local inside networks. However, Volterra internal services also communicate with each other over these same networks. User defined network policies apply to that service traffic as well, so a user rule could drop legitimate Volterra traffic.

Volterra therefore provides predefined network policy rules, known as P0 and P1 rules, which ensure that basic Volterra service communication is never blocked. These rules also make it possible to log in to the CE site node and perform recovery in case of failures.

The Volterra network policies are applied in the following sequence:

  1. P0 Network Policy rules
  2. P1 Network Policy rules
  3. User defined Network Policy rules
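The precedence above can be checked against the rule tables on this page with a small simulator. The following Python is an added example, not Volterra code or part of this reference: it encodes the site local network Egress tables for P0 and P1 from this page (the rules that match on destination port and on the ves.io/interface label), adds a constructed user defined policy, and reports which rule decides each sample flow. It assumes that the first matching rule wins, both within a tier and across tiers, and that rules are compared in table order; the page does not state what happens to traffic that matches no rule, so that case is reported as NO_MATCH rather than assumed. The host addresses, the user rules and the sample flows are constructed for the example, and the source port is not modelled because every encoded rule has a source port of *.

```python
"""Simulate the Volterra policy order: P0 rules, then P1 rules, then user defined rules.
Added example, not Volterra code. Assumes the first matching rule wins, within a tier
and across tiers; traffic matching no rule is reported as NO_MATCH (the reference does
not state a default for that case)."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Endpoint = namedtuple("Endpoint", "ip interface", defaults=(None,))  # interface = ves.io/interface label
Flow = namedtuple("Flow", "proto src dst dport")                       # source port is * in every rule here

def parse_ports(spec: str) -> Tuple[Tuple[int, int], ...]:
    """Port column as printed in the tables: '*' or '' is any port; else numbers and 'a-b' or 'a:b' ranges."""
    spec = spec.strip()
    if spec in ("", "*"):
        return ()
    ranges = []
    for item in spec.replace(":", "-").split(","):
        lo, _, hi = item.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges)

@dataclass(frozen=True)
class Selector:
    """Source or destination match: CIDR list and/or a ves.io/interface label test."""
    cidrs: Tuple[str, ...] = ()         # () means 0.0.0.0/0
    label_in: Tuple[str, ...] = ()      # 'Label is ves.io/interface=a or ves.io/interface=b'
    label_not_in: Tuple[str, ...] = ()  # 'Label ves.io/interface!=a'

    def matches(self, ep: Endpoint) -> bool:
        if self.cidrs and not any(ip_address(ep.ip) in ip_network(c) for c in self.cidrs):
            return False
        if self.label_in and ep.interface not in self.label_in:
            return False
        return not (self.label_not_in and ep.interface in self.label_not_in)

@dataclass(frozen=True)
class Rule:
    tier: str      # "P0", "P1" or "user"
    rule_id: int
    action: str    # "PASS" or "DENY"
    proto: str     # "TCP", "UDP" or "*"
    src: Selector
    dst: Selector
    dports: Tuple[Tuple[int, int], ...] = ()  # () means any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "*" and self.proto != f.proto:
            return False
        if not (self.src.matches(f.src) and self.dst.matches(f.dst)):
            return False
        return not self.dports or any(lo <= f.dport <= hi for lo, hi in self.dports)

ANY = Selector()
VER = Selector(label_in=("ver-instance",))
NON_VER = Selector(label_not_in=("ver-instance",))
FABRIC_OR_VER = Selector(label_in=("ver-instance", "ip-fabric"))
VER_SERVICE_PORTS = ("8005-8007, 8443-8444, 8505-8507, 9005-9007, 9090, 9505-9507, 9100, 9115, "
                     "9999, 20914, 30805, 30855, 30905, 30955, 32222, 18091-18095, 65000-65001, "
                     "65011-65012, 65333-65334")

# Site local network Egress tables from this reference, P0 then P1, in table order.
P0 = [
    Rule("P0", 0, "PASS", "TCP", ANY, ANY, parse_ports("22, 2379, 23791, 2380, 23801, 53, 6443, 9505, 1194")),
    Rule("P0", 1, "PASS", "UDP", ANY, ANY, parse_ports("53")),
]
P1 = [
    Rule("P1", 0, "PASS", "*", Selector(label_in=("ip-fabric",)), ANY),
    Rule("P1", 1, "PASS", "*", VER, ANY),
    Rule("P1", 2, "PASS", "TCP", ANY, VER, parse_ports("8443:8444, 9505:9505")),
    Rule("P1", 3, "DENY", "TCP", NON_VER, VER, parse_ports(VER_SERVICE_PORTS)),
    Rule("P1", 4, "DENY", "UDP", NON_VER, ANY, parse_ports("3784:3784")),
    Rule("P1", 5, "PASS", "*", FABRIC_OR_VER, FABRIC_OR_VER),
    Rule("P1", 6, "PASS", "TCP", ANY, Selector(cidrs=("169.254.169.254/32",))),
]
USER = [  # constructed user defined policy: tries to block SSH, open 9090 to everyone, block 8080
    Rule("user", 0, "DENY", "TCP", ANY, ANY, parse_ports("22")),
    Rule("user", 1, "PASS", "TCP", ANY, ANY, parse_ports("9090")),
    Rule("user", 2, "DENY", "TCP", ANY, ANY, parse_ports("8080")),
]

def evaluate(flow: Flow, tiers=(P0, P1, USER)) -> Tuple[str, Optional[str]]:
    """Return (action, 'tier/id') of the first matching rule, checking P0, then P1, then user."""
    for tier in tiers:
        for rule in tier:
            if rule.matches(flow):
                return rule.action, f"{rule.tier}/{rule.rule_id}"
    return "NO_MATCH", None

VER_NODE = Endpoint("10.1.1.10", "ver-instance")   # constructed: CE node interface
PEER_NODE = Endpoint("10.1.1.11", "ver-instance")  # constructed: another CE node in the same site
CLIENT = Endpoint("10.1.1.50")                     # constructed: ordinary workload, no label

if __name__ == "__main__":
    for flow in (Flow("TCP", CLIENT, VER_NODE, 22), Flow("TCP", CLIENT, VER_NODE, 9090),
                 Flow("TCP", PEER_NODE, VER_NODE, 9090), Flow("TCP", CLIENT, VER_NODE, 8080)):
        print(f"{flow.proto} {flow.src.ip} -> {flow.dst.ip}:{flow.dport}", evaluate(flow))
```

Running it shows that the user rule denying TCP 22 never takes effect, because P0 rule 0 passes SSH first, and that the user rule passing TCP 9090 is likewise never reached, because P1 rule 3 has already denied non VER clients access to that VER service port. Only traffic that P0 and P1 leave undecided (TCP 8080 here) reaches the user defined rules. The same structure can hold the Ingress tables or the site local inside tables; only the rule lists change.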

P0 Network Policy

The P0 rules ensure that basic connectivity to the CE site, and the connection from the CE site to the RE site, is never lost regardless of user defined network policy rules.

Examples of the current P0 rules are:

  • IPSec traffic from CE to RE is always allowed
  • SSH to the server from site local network is always allowed
  • ETCD access to and from server is always allowed

P0 Policies on Site Local Network

The following tables list the P0 rules applied on the site local network:

Ingress Rules

ID  Rule                                                                  Action  Description
0   Proto: UDP                                                            PASS    Allow outgoing IPSec packets
    Source: 0.0.0.0/0
    Source port: 4500
    Destination: 0.0.0.0/0
    Destination port: 4500
1   Proto: TCP                                                            PASS    Allow outgoing SSL, ETCD, DNS, KUBE API Server
    Source: 0.0.0.0/0
    Source port: 0-65535
    Destination: 0.0.0.0/0
    Destination port: 443, 2379, 23791, 2380, 23801, 53, 6443, 1194
2   Proto: UDP                                                            PASS    Allow outgoing DHCP, DNS
    Source: 0.0.0.0/0
    Source port: *
    Destination: 0.0.0.0/0
    Destination port: 67, 68, 53

Egress Rules

ID  Rule                                                                  Action  Description
0   Proto: TCP                                                            PASS    Allow incoming SSH, ETCD, DNS, Kube API Server, Vega
    Source: 0.0.0.0/0
    Source port: *
    Destination: 0.0.0.0/0
    Destination port: 22, 2379, 23791, 2380, 23801, 53, 6443, 9505, 1194
1   Proto: UDP                                                            PASS    Allow incoming DNS
    Source: 0.0.0.0/0
    Source port: *
    Destination: 0.0.0.0/0
    Destination port: 53

P0 Egress Rules for Site Local Inside Network

ID  Rule                                                                  Action  Description
0   Proto: TCP                                                            PASS    Allow incoming SSH
    Source: 0.0.0.0/0
    Source port: *
    Destination: 0.0.0.0/0
    Destination port: 22

P1 Network Policies

The P1 network policies are configured per virtual network and applied to all interfaces on that virtual network. They implement security rules that restrict access to Volterra services from unauthorised clients.

The P1 network policies are applied as ongoing configuration and can be updated dynamically by Volterra SRE administrators using SRE scripts.

P1 Policies on Site Local Network

The following tables list the P1 rules applied on the site local network:

Ingress Rules

ID  Rule                                                                                Action  Description
0   Proto: TCP                                                                          PASS    Allow outgoing to AWS Metadata Service
    Source: 0.0.0.0/0
    Source port: *
    Destination: 169.254.169.254/32
    Destination port: *
1   Proto: *                                                                            PASS    Allow outgoing from IP-Fabric and VER Instance
    Source: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Source port: *
    Destination: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Destination port: *

Egress Rules

ID  Rule                                                                                Action  Description
0   Proto: *                                                                            PASS    Allow all incoming from IP Fabric
    Source: Label is ves.io/interface=ip-fabric
    Source port: *
    Destination: *
    Destination port: *
1   Proto: *                                                                            PASS    Allow all incoming from VER Instance
    Source: Label is ves.io/interface=ver-instance
    Source port: *
    Destination: *
    Destination port: *
2   Proto: TCP                                                                          PASS    Allow all incoming to Voucer from any client
    Source: 0.0.0.0/0
    Source port: *
    Destination: Label is ves.io/interface=ver-instance
    Destination port: 8443-8444, 9505
3   Proto: TCP                                                                          DENY    Deny access to VER Services from non VER Instance
    Source: Label ves.io/interface!=ver-instance
    Source port: *
    Destination: Label ves.io/interface=ver-instance
    Destination port: 8005-8007, 8443-8444, 8505-8507, 9005-9007, 9090, 9505-9507,
                      9100, 9115, 9999, 20914, 30805, 30855, 30905, 30955, 32222,
                      18091-18095, 65000-65001, 65011-65012, 65333-65334
4   Proto: UDP                                                                          DENY    Deny incoming to UDP 3784 from non VER Instance
    Source: Label ves.io/interface!=ver-instance
    Source port: *
    Destination: 0.0.0.0/0, ::/0
    Destination port: 3784
5   Proto: *                                                                            PASS    Allow communication between IP-Fabric and VER Instance
    Source: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Source port: *
    Destination: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Destination port: *
6   Proto: TCP                                                                          PASS    Allow outgoing to AWS Metadata Service
    Source: 0.0.0.0/0
    Source port: *
    Destination: 169.254.169.254/32
    Destination port: *

P1 Policies on Site Local Inside Network

The following tables list the P1 rules applied on the site local inside network:

Ingress Rules

ID  Rule                                                                                Action  Description
0   Proto: *                                                                            PASS    Allow outgoing from IP-Fabric and VER Instance
    Source: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Source port: *
    Destination: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Destination port: *

Egress Rules

ID  Rule                                                                                Action  Description
0   Proto: *                                                                            PASS    Allow all incoming from VER Instance
    Source: Label is ves.io/interface=ver-instance
    Source port: *
    Destination: *
    Destination port: *
1   Proto: TCP                                                                          PASS    Allow all incoming to Voucer from any client
    Source: 0.0.0.0/0
    Source port: *
    Destination: Label is ves.io/interface=ver-instance
    Destination port: 8443-8444, 9505
2   Proto: TCP                                                                          DENY    Deny access to VER Services from non VER Instance
    Source: Label ves.io/interface!=ver-instance
    Source port: *
    Destination: Label ves.io/interface=ver-instance
    Destination port: 8005-8007, 8443-8444, 8505-8507, 9005-9007, 9090, 9505-9507,
                      9100, 9115, 9999, 20914, 30805, 30855, 30905, 30955, 32222,
                      18091-18095, 65000-65001, 65011-65012, 65333-65334
3   Proto: UDP                                                                          DENY    Deny incoming to UDP 3784 from non VER Instance
    Source: Label ves.io/interface!=ver-instance
    Source port: *
    Destination: 0.0.0.0/0, ::/0
    Destination port: 3784
4   Proto: *                                                                            PASS    Allow communication between IP-Fabric and VER Instance
    Source: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Source port: *
    Destination: Label is ves.io/interface=ver-instance or ves.io/interface=ip-fabric
    Destination port: *