Aviatrix useg: intra app domain policies

In this document I’m going to experiment with intra app domain policies:

  • intra policy deny
  • intra policy allow
  • custom intra policies

The Aviatrix useg implementation is flexible enough to allow any of the configurations above. Aviatrix useg is in Public Preview mode at this time (Aviatrix version 6.7b):

Public preview mode feature options, performance, and scalability may be limited compared to the final feature.

If you are not familiar with the feature, please visit my previous blog on useg to get started:

Test Deployment

I have a small environment with two spokes (spoke30 and spoke40) where I deployed two test VMs:

  • spoke30-useg-vm1
  • spoke40-useg-vm1

Each one has a tag with its own VM name.

App Domain:

The two VMs match the logical OR condition and are correctly classified as belonging to “appdomain-blue”:

Intra Policy Allow

VM1 and VM2 belong to the same app domain and require communication with each other (e.g. clustering solutions):

The allow-all rule looks like:

Testing:

Intra Policy Deny

VM1 and VM2 belong to the same app domain and communication between each other must be blocked:

The deny-all rule looks like:

Testing:

Custom Intra Policy

VM1 and VM2 belong to the same app domain and communication between each other must be blocked for everything except a few ports:

The custom-icmp rule looks like:

Testing:

  • ping works
  • ssh does not work
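To make the three scenarios above reproducible without a lab, here is a small added model (my own illustration, not Aviatrix code) of how app domain classification and intra-domain rule evaluation fit together: the two VMs are matched into appdomain-blue by a logical OR over their Name tags, and each rule set (allow-all, deny-all, custom-icmp) is evaluated first-match-wins for a ping and an ssh flow between them. The default-deny fallback and the rule field names are assumptions of this model, not the product's behaviour or API.

```python
from dataclasses import dataclass

# Constructed model of useg-style intra app domain policy evaluation (not Aviatrix code).

@dataclass
class VM:
    name: str
    tags: dict

@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocol: str = "any"  # "any", "icmp", "tcp", "udp"
    ports: tuple = ()      # empty tuple means every port

def in_app_domain(vm, selector):
    """selector is a list of tag expressions; the VM belongs if ANY expression matches (logical OR)."""
    return any(all(vm.tags.get(k) == v for k, v in expr.items()) for expr in selector)

def evaluate(rules, src, dst, domain_selector, protocol, port=None):
    """First matching rule wins. Traffic outside the domain, or matching no rule, is denied (assumption)."""
    if not (in_app_domain(src, domain_selector) and in_app_domain(dst, domain_selector)):
        return "deny"
    for r in rules:
        if r.protocol not in ("any", protocol):
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action
    return "deny"

# appdomain-blue: OR over the two VM name tags, as in the post.
APPDOMAIN_BLUE = [{"Name": "spoke30-useg-vm1"}, {"Name": "spoke40-useg-vm1"}]
VM1 = VM("spoke30-useg-vm1", {"Name": "spoke30-useg-vm1"})
VM2 = VM("spoke40-useg-vm1", {"Name": "spoke40-useg-vm1"})

# The three intra policies from the post, expressed in this model.
ALLOW_ALL = [Rule("allow-all", "allow")]
DENY_ALL = [Rule("deny-all", "deny")]
CUSTOM_ICMP = [Rule("custom-icmp", "allow", "icmp"), Rule("deny-all", "deny")]

def run_tests(rules):
    """Replay the post's two checks (ping and ssh) between VM1 and VM2 against a rule set."""
    return {
        "ping": evaluate(rules, VM1, VM2, APPDOMAIN_BLUE, "icmp"),
        "ssh": evaluate(rules, VM1, VM2, APPDOMAIN_BLUE, "tcp", 22),
    }

if __name__ == "__main__":
    for label, rules in [("allow", ALLOW_ALL), ("deny", DENY_ALL), ("custom", CUSTOM_ICMP)]:
        print(label, run_tests(rules))
```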
