Defining network policies
Network policies allow you to control layer 3 and 4 traffic between processing units and external networks. The main difference between the two is the presence or absence of an Aporeto enforcer:
- External networks represent hosts without an enforcer.
- Processing units represent units of computation on hosts with enforcers.
Because external networks represent hosts without enforcers, you can’t control their attempts to initiate or accept connections. However, you can control whether processing units:
- Initiate connections to external networks.
- Accept connections from external networks.
The Platform pane of the Aporeto web interface represents external networks with boxes and processing units with octagons.
The above example shows that a Blacklisted IPs external network attempted to connect to the docker-nginx processing unit. The docker-nginx processing unit also attempted to connect to the Blacklisted IPs external network. Both attempts were blocked by a network policy.
You can also use external networks to control access to AWS S3 buckets and RDS instances.
Aporeto provides automations and recipes to make defining external networks easier.
In addition to controlling layer 3 and 4 connections, you can use network policies to:
- Encrypt layer 3 and 4 communications (recommended).
- Disable flow logs (advanced).
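As an added illustration (not part of this page or the Aporeto documentation), the following `apoctl`-style YAML import defines the Blacklisted IPs external network, a Reject policy covering both directions between it and docker-nginx, and an Allow policy between two processing units with encryption turned on. The import wrapper, attribute names (`encryptionEnabled`, `logsEnabled`, `applyPolicyMode`, `ports`) and the tag syntax are assumed from the Aporeto API and are not stated on this page; the `app=frontend` tag and the address range are constructed sample values.

```yaml
# Added example (not from the page): Aporeto-style import for `apoctl api import -f`.
# Assumed: APIVersion/label/data wrapper, attribute names and tag syntax.
APIVersion: 0
label: docker-nginx-network-policies
data:
  externalnetworks:
    # Hosts without an enforcer are identified only by address.
    - name: Blacklisted IPs
      description: Constructed sample range (RFC 5737 documentation addresses)
      entries:
        - 198.51.100.0/24
      associatedTags:
        - purpose=blacklist
  networkaccesspolicies:
    # 1. Block both directions between docker-nginx and the blacklisted hosts.
    #    Flow logs stay enabled so the blocked attempts remain visible.
    - name: reject-blacklisted-ips
      action: Reject
      applyPolicyMode: Bidirectional
      logsEnabled: true
      subject:
        - - "$identity=processingunit"
          - "$name=docker-nginx"
      object:
        - - "$identity=externalnetwork"
          - "externalnetwork:name=Blacklisted IPs"
    # 2. Allow and encrypt traffic between two enforced processing units.
    #    Encryption requires an enforcer on both ends, so it applies only here,
    #    not to the external-network policy above.
    - name: allow-frontend-to-nginx-encrypted
      action: Allow
      applyPolicyMode: OutgoingTraffic
      encryptionEnabled: true
      logsEnabled: true
      ports:
        - tcp/80
      subject:
        - - "$identity=processingunit"
          - "app=frontend"            # constructed tag for the calling service
      object:
        - - "$identity=processingunit"
          - "$name=docker-nginx"
```

Setting `logsEnabled: false` on a policy is the "Disable flow logs" option listed above; leave it enabled on Reject policies unless you have another way to see blocked traffic.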
This section contains step-by-step instructions for common network policy use cases.