To control L7 traffic (application layer) in Amazon EKS, including blocking and allowing specific URLs from different namespaces, you'll need to use a service mesh or an ingress controller that supports L7 traffic management. Network policies alone are not sufficient for this level of control, as they operate at L3-L4 (IP and port level).
For your specific use case of controlling access to different URLs from prod and dev namespaces, you can implement this using a service mesh like Istio or AWS App Mesh. These tools provide more granular control over traffic at the application layer.
Here's a general approach to achieve this:
- Deploy a service mesh (e.g., Istio) in your EKS cluster.
- Configure the service mesh to intercept all outbound traffic from your pods.
- Create custom resources (e.g., VirtualService and DestinationRule in Istio) to define traffic routing rules based on the source namespace and destination URL.
- For the prod namespace, create a rule that allows traffic only to example.com and denies all other external traffic.
- For the dev namespace, create a similar rule allowing traffic only to dev-example.com.
- Implement a default deny rule for all other traffic.
This approach allows you to control access based on URLs rather than IP addresses, which is beneficial when the IP addresses of the target services may change. The service mesh will handle the DNS resolution and routing based on the hostnames you specify in your rules.
Keep in mind that implementing a service mesh adds complexity to your cluster and may require additional resources. However, it provides powerful capabilities for fine-grained traffic control, including the ability to manage L7 traffic based on URLs, headers, and other application-level attributes.
Remember to thoroughly test your configuration in a non-production environment before applying it to your production workloads, as misconfiguration could potentially disrupt your application's connectivity.
Sources
Network security - Amazon EKS
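The per-namespace "allow one hostname, deny everything else" pattern from the answer above, as an added example that is not part of the original answer: Istio's Sidecar resource sets a default-deny egress policy for the prod namespace, and a namespace-scoped ServiceEntry opens only example.com. It assumes Istio is installed in istio-system with sidecar injection enabled in prod; the dev namespace gets the same pair with dev-example.com.

```yaml
# Added example (not from the original answer): egress allow-list for one
# namespace using Istio Sidecar + ServiceEntry. Assumed: Istio in istio-system,
# sidecars injected into "prod"; example.com is the host named in the question.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default              # namespace-wide proxy config (applies to all pods in prod)
  namespace: prod
spec:
  egress:
  - hosts:
    - "./*"                  # services (and ServiceEntries) in this namespace
    - "istio-system/*"       # control plane and telemetry endpoints
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY      # default deny: destinations not in the registry are dropped
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allow-example-com
  namespace: prod
spec:
  hosts:
  - example.com              # the only external host prod may reach
  location: MESH_EXTERNAL
  resolution: DNS            # proxy resolves the name, so changing IPs need no policy change
  exportTo:
  - "."                      # visible only in prod; dev keeps its own entry for dev-example.com
  ports:
  - number: 443
    name: https
    protocol: TLS            # matched on the TLS SNI; for plaintext use port 80 / protocol HTTP
```

Check the policy from a pod in prod: a request to example.com succeeds, while any other host is refused by the sidecar proxy rather than by the remote end. Note that the sidecar is the enforcement point, so pods that are not injected or that are allowed to bypass the proxy are not covered by this policy; an Istio egress gateway combined with a Kubernetes NetworkPolicy that limits node egress to the gateway closes that gap.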