Hi,
How do I restrict outbound connections from a task? I have 4 generic profiles that I would like to apply. A task's outbound connection policy could be defined as:
- exclusive list of upstream defined mesh services
- forbidden, so inbound mesh only
- exclusively to public network
- exclusively to curated list of domains
The last one (4) can be implemented by 1 + a terminating gateway or other proxy, I think.
I'm running services through Nomad in a Consul Connect mesh. So I thought there could be some useful Envoy config.
I'm trying to keep all the code in Nomad files to avoid dichotomy in service definitions, but maybe I can use something like meshDestinationsOnly
in Consul, although it looks like a global config and I cannot restrict all my tasks.
The alternative is to restrict the network through iptables like here, but it looks very fragile, and increasing caps on a container level feels like exchanging one problem for another.
Thank you!
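As an added example (not from the original post; the service names, datacenter and container image are placeholders), this is how profile 1, an exclusive list of upstream mesh services, is expressed in a Nomad job file. Profile 2, inbound mesh only, is the same job with the `upstreams` block left out, so the Envoy sidecar exposes no outbound listeners at all.

```hcl
# Added example, not from the original post. "api", "db", "dc1" and the
# image name are placeholders.
job "api" {
  datacenters = ["dc1"]

  group "api" {
    network {
      # bridge mode is required for a Connect sidecar
      mode = "bridge"
    }

    service {
      name = "api"
      port = "8080"

      connect {
        sidecar_service {
          proxy {
            # Each upstream becomes a local listener: the task talks to
            # 127.0.0.1:<local_bind_port> and Envoy carries the connection
            # over mTLS to the named mesh service. Only services listed
            # here get a listener.
            upstreams {
              destination_name = "db"
              local_bind_port  = 5432
            }
          }
        }
      }
    }

    task "api" {
      driver = "docker"

      config {
        image = "example/api:placeholder"
      }

      # Point the application at the sidecar's local listener rather than
      # at the upstream service directly.
      env {
        DB_ADDR = "127.0.0.1:5432"
      }
    }
  }
}
```

Two caveats worth keeping in mind. First, an `upstreams` list only governs what the sidecar will proxy; in this (non-transparent) mode the task's own network namespace can still open connections that bypass Envoy, so the sidecar alone does not enforce the "exclusively" part of profiles 1 and 2 without a network-level control such as the iptables approach mentioned above or transparent proxy mode. Second, the `MeshDestinationsOnly` setting mentioned in the post lives in the Consul `mesh` config entry (`Kind = "mesh"` with `TransparentProxy { MeshDestinationsOnly = true }`), takes effect only for sidecars running in transparent proxy mode, and applies to the whole mesh, which is why it cannot be scoped to a single task.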