← All examples
NetworkEgressPolicy
examples/NetworkEgressPolicy.intent
NetworkEgressPolicy.intent
1# NetworkEgressPolicy.intent2# Domain: infrastructure policy. Which outbound connections a workload may open,3# expressed as intent rather than buried in firewall rules. Deny by default; never4# allow unencrypted egress to the public internet. The policy runs as a decision.56mission NetworkEgressPolicy7use product89title "Decide whether a workload may open an outbound connection"10for PlatformSecurity1112goal13 Allow only egress that is to an approved destination and encrypted in transit,14 and deny everything else.1516why17 Unrestricted egress is how data exfiltrates and how compromised workloads phone18 home. The safe default is to deny and to require a reason to allow.1920requires21 DestinationCatalog22 EncryptionStandard2324input25 destinationApproved: Flag26 encrypted: Flag27 destinationIsPublic: Flag2829output30 decision: EgressDecision3132guarantee approved, encrypted egress is allowed33 because blocking sanctioned traffic breaks the workloads the policy protects34 verify allowlist egress test3536guarantee unapproved destinations are denied by default37 because an implicit allow is an open door nobody chose to open38 verify deny by default test3940never41 allow unencrypted egress to the public internet42 allow egress to a destination not in the catalog4344never allow unencrypted egress to the public internet45 because plaintext over the open internet exposes data to anyone on the path46 verify encryption in transit test4748never allow egress to a destination not in the catalog49 because an uncatalogued endpoint has no owner and no justification on record50 verify allowlist egress test5152# Deny-by-default egress policy as a decision. `intent run` / `intent test`.53decision AllowEgress54 inputs55 destinationApproved56 encrypted57 destinationIsPublic58 rule publicPlaintext59 when destinationIsPublic == true and encrypted == false60 return Deny61 rule unapproved62 when destinationApproved == false63 return Deny64 rule approvedEncrypted65 when destinationApproved == true and encrypted == true66 return Allow67 default68 return Deny6970target71 Tests7273test AllowEgress74 case approved encrypted egress is allowed75 given destinationApproved true, encrypted true, destinationIsPublic false76 expect Allow77 case unapproved destination is denied78 given destinationApproved false, encrypted true, destinationIsPublic false79 expect Deny80 case unencrypted public egress is denied81 given destinationApproved true, encrypted false, destinationIsPublic true82 expect Deny83 case approved but unencrypted falls through to deny84 given destinationApproved true, encrypted false, destinationIsPublic false85 expect DenyDraft syntax. This file is illustrative and does not run yet.
More examples
AlertRoutingApiGatewayBillingServiceCalculateRiskScoreCertificationAttemptCertificationCheckoutCertificationEligibilityCertificationStudyPlanCreateInvoiceCreateStudyPlanCustomerDataRequestDuplicateInvoicePreventionGroundedAnswerIngestClickstreamInvoiceCreatedPlaceOrderResearchAgentRunResetPasswordStorefrontStyleSubscriptionUpgradeTenantIsolationUploadStudyMaterial