The Connection policy controls connections between workloads in Panoptica, including connections with external applications (that is, applications not running on a Panoptica environment). It consists of rules of the form 'allow connections between source S and destination D' or 'restrict connections between source X and destination Y'. In these rules, the source and destination are workloads, environments, or external applications.
You can also define rules to enforce encrypted communication between workloads.
Add a Connections rule
The rule has three sections:
- STEP 1 - Rule Properties
- STEP 2 - the Source workloads
- STEP 3 - the Destination workloads
- STEP 4 - Layer 7 protocol options
- Navigate to the Policies page, and then select CONNECTION RULES.
- Click New Connections rule.
STEP 1 - Select Rule Properties
Set the name for the rule, and select the rule properties. These are the actions to be taken when the rule is applied.
- Enter a name for the rule, as it will appear in Panoptica UI.
- Select the action:
- Allow only the connection between the source and destination - connections are permitted between the selected source and destination workloads
- Detect the connection between the source and destination - connections are permitted between the selected source and destination workloads, but an event is recorded in the Audit log.
- Block the connection between the source and destination - connections between the selected source and destination workloads are blocked, and an event is recorded in the Audit log.
- If you want to apply the policy to HTTPS traffic, set Intercept HTTPS traffic to Yes. Rules for HTTPS traffic can only be applied on some types of workloads. It may also disrupt the behavior of the workload. Consult with Cisco support when applying this option.
- Click NEXT.
STEP 2 - Select Source Workloads
Select the source workloads on which the rule will apply. You can select workloads according to various properties:
- First, select how the workload will be selected, from the drop-down list.
Select from these options:
- Any - select any workload
- Environment - according to the environment in which the workload is running. If selected, then select the environment by Name, Risk Level, or select any environment.
- Expansion - according to the Service Mesh Expansion on which the workload is running. If selected, then select the expansion by Name, Label, or any expansion.
- IP - according to the IP address of the workload. If selected, enter a CIDR address or range, and, optionally, a port.
- Pod - according to the pod. If selected, then select the pod by Name, Label, or select any pod. Optionally select these attributes of the workload:
- Vulnerability Level - select the maximum vulnerability level found in the image, when it was scanned
- Complies to API policy profile - select workloads that are compliant with selected API Policies
- Runtime Environment - select the Panoptica environment on which the workloads are running
- External - select workloads that are external sources
- Click NEXT.
STEP 3 - Select Destination Workloads
Select the destination workloads. These are selected in the same way as the source workloads, in the preceding step.
In addition, you can select the destination workload by Kafka. If this is selected, then select the cluster and brokers (see L7 Options ).
STEP 4 - Layer 7 Protocols
Optionally add Layer 7 (L7) filtering to the rule, to select specific HTTP or HTTPS messages or brokered messages (such as Kafka). If you skip this step, no such filtering is done. See L7 Options.
Click FINISH. The new rule will be added to the list of Connection Rules in the Policies page.
Add an Encryption Rule
An encryption rule enforces encryption between the source and destination workloads, using the service-mesh layer of the cluster.
It is similar to a Connection rule (above), the the action the rule performs is to enforce encryption.
This rule also has three steps:
- STEPS 1 & 2 - select the source and destination workloads
- STEP 3 - enable or disable encryption for this connection.
- For STEP 1 and 2, complete the selections as per STEPS 2 & 3 in the Connection rule, above.
- For STEP 3, enable or disable encryption between the source and destination workloads affected by the rule (not applicable if Any is selected in STEP 2 for the Destination).
Modify the Connections Default Rule
- Navigate to the Policies page, and select CONNECTION RULES
- Click Edit default rule.
- Select the rule action:
- All communications between workloads are allowed unless specifically denied by a previous rule - this permits all connections between workloads, on all environments, if no other rule (allowing or restricting) applies to the workload
- No communication between workloads is permitted unless specifically allowed in a previous rule - this denies all connections between workloads on all environments, if no other rule applies to it.
- All communications between workloads running on the same environment are allowed unless specifically denied by a previous rule. Communication between apps running on different environments is denied unless specifically allowed by previous rule. - this allows connections between workloads on the same environment, and denies connections between workloads on different environments, if no other rule applies.
- Select Block to block connections that violate the rule.
- Click FINISH.
Updated 11 months ago