Defining network policies

Network policies allow you to control layer 3 and 4 traffic between:

The main difference between processing units and external networks is the presence or absence of an Aporeto enforcer.

  • External networks represent hosts without an enforcer.
  • Processing units represent units of computation on hosts with enforcers.

Because external networks represent hosts without enforcers, you can’t control their attempts to initiate or accept connections. However, you can control whether processing units:

  • Initiate connections to external networks.
  • Accept connections from external networks.

The Platform pane of the Aporeto web interface represents external networks with boxes and processing units with octagons.


The above example shows that a malicious-ips external network attempted to connect to the sleepy-sammet processing unit, which represents a Docker nginx image. Aporeto enforced a network policy and blocked the attempt.

You can also use external networks to control access to AWS S3 buckets and RDS instances.

Aporeto provides automations and recipes to make defining external networks easier.

In addition to controlling layer 3 and 4 connections, you can use network policies to:

  • Encrypt layer 3 and 4 communications (recommended).
  • Disable flow logs (advanced).

This section contains step-by-step instructions for common network policy use cases.