Restrict outbound connections from a task


How to restrict outbound connections from a task. I have 4 generic profiles that I would like to apply. A task’s outbound connection policy could be defined as:

  1. exclusive list of upstream defined mesh services
  2. forbidden, so inbound mesh only
  3. exclusively to public network
  4. exclusively to curated list of domains

The last one (4) could be implemented by 1 + a terminating gateway or another proxy, I think.

I’m running services through Nomad in a Consul Connect mesh, so I thought there could be some useful Envoy config.

I’m trying to keep all the code in Nomad files to avoid a dichotomy in service definitions, but maybe I could use something like meshDestinationsOnly in Consul, although it looks like a global config and I cannot restrict all my tasks.

An alternative is to restrict the network through iptables like here, but it looks very fragile, and increasing capabilities at the container level feels like exchanging one problem for another.

Thank you!

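Profile 1 (an explicit list of upstream mesh services) is the one that can be expressed entirely in the Nomad job file, via the sidecar proxy's `upstreams` blocks. The job spec below is an added illustration written for this page; it is not the poster's job, and the service names (`web`, `api`, `db`), ports and image are assumptions. It also shows the caveat that matters for this question: `upstreams` only declares which mesh destinations the sidecar exposes on localhost, it does not by itself prevent the task from opening direct connections elsewhere.

```hcl
# Added example, not from the original post: a Nomad job in which the task's
# mesh reachability is declared as an explicit upstream list (profile 1).
# All names, ports and the image are assumptions for illustration.
job "web" {
  datacenters = ["dc1"]

  group "web" {
    network {
      # bridge mode gives the group its own network namespace; the Envoy
      # sidecar and the task share it, so localhost binds are private to them
      mode = "bridge"
      port "http" {
        to = 8080
      }
    }

    service {
      name = "web"
      port = "http"

      connect {
        sidecar_service {
          proxy {
            # Allow-list of mesh destinations this task may call. Each entry
            # creates a localhost listener in the sidecar; a destination that
            # is not listed here simply has no listener, so the task cannot
            # reach it through the mesh at all.
            upstreams {
              destination_name = "api"
              local_bind_port  = 9001
            }
            upstreams {
              destination_name = "db"
              local_bind_port  = 5432
            }
          }
        }
      }
    }

    task "web" {
      driver = "docker"

      config {
        image = "example/web:1.0" # assumed image
      }

      env {
        # The application is pointed only at the sidecar's local binds, never
        # at the upstream services' real addresses.
        API_ADDR = "127.0.0.1:9001"
        DB_ADDR  = "127.0.0.1:5432"
      }
    }
  }
}
```

Profile 2 (inbound mesh only) is the same spec with no `upstreams` blocks at all. In both cases the list is a declaration of what the sidecar offers, not an egress filter: whether the task can still talk directly to the public network or to another service's real address from inside the bridge namespace is decided outside this file, which is exactly the gap the question is about. Consul intentions are enforced at the destination's sidecar, so they gate who may call a service, not what a given task may call.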

It seems that meshDestinationsOnly is not a solution, as Nomad does not support transparent proxies from Consul.