Module 5: Network Egress Firewall

Security is important to every customer. The least privilege principle is a common security practice that limits an application’s access to only those resources it needs to operate. For example, if we know an application does not need access to the internet, we should create a policy to block that application’s access to the internet.

In the real world, customers solve this challenge with outbound proxies, VLANs, or firewalls, but those solutions can be expensive and complex to implement. Now we will show how OpenShift Virtualization lets us add an additional layer of security with just a few button clicks.

In this module, you will test blocking egress access from a Windows VM to the Internet with the built-in, cloud native features of OpenShift.

Access the Internet through a Windows VM console

  1. Click VirtualMachines, click winweb01, then click the Console tab. You are already logged into the Windows VM's administrative interface.

    Windows VM console
  2. Type 15 and hit Enter to start PowerShell.

    Powershell Activation
  3. Copy the following command and paste it into the VM console with the console's paste button. Click into the VM console and hit Enter. Notice that the connection succeeds with StatusCode: 200. (In Windows PowerShell, curl is an alias for Invoke-WebRequest, which is why the cmdlet parameters work here.)

    curl google.com -UseBasicParsing -TimeoutSec 1 | findstr StatusCode
    Powershell cURL success

Implement a Network Policy to Block Egress

  1. On the left side, click Networking → NetworkPolicies → Create NetworkPolicy.

    Create NetworkPolicy
  2. Select the YAML View radio button.

    NetworkPolicy Complete
  3. Replace the sample YAML with the following NetworkPolicy. Because it lists Egress in policyTypes but defines no egress rules, every pod matching the podSelector (here, the VM's virt-launcher pod labelled app: winnetworking) becomes egress-isolated and all of its outbound traffic is denied, including DNS and traffic to other pods in the cluster.

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: noegress
      namespace: windowsnetworking-sample_username
    spec:
      podSelector:
        matchLabels:
          app: winnetworking
      policyTypes:
        - Egress
  4. Click Create when your console looks as follows.
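To make the policy's behaviour concrete, here is an added example (not code from the lab or from OpenShift) that models how Kubernetes evaluates NetworkPolicy egress for a pod: a pod selected by any Egress-type policy is isolated, and a connection passes only if some rule in some selecting policy allows it. The policy dicts mirror the YAML above; the allow-dns policy and the sample pods are constructed for the example, and ipBlock is simplified to mean "any host outside the cluster".

```python
# Added example (not lab or OpenShift code): a minimal model of Kubernetes NetworkPolicy
# egress evaluation. Only matchLabels selectors, ipBlock (as "off-cluster") and ports are handled.
def selects(selector, labels):
    # An empty selector ({}) matches everything, as in the API.
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def peer_matches(peer, dst):
    if "ipBlock" in peer:                    # simplified: ipBlock means any off-cluster host
        return dst.get("external", False)
    if dst.get("external"):
        return False                         # selectors never match hosts outside the cluster
    if "namespaceSelector" in peer and not selects(peer["namespaceSelector"], dst["ns_labels"]):
        return False
    return "podSelector" not in peer or selects(peer["podSelector"], dst["labels"])

def port_matches(rule, port, proto):
    ports = rule.get("ports")                # no ports listed means any port and protocol
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)

def egress_allowed(policies, src, dst, port, proto="TCP"):
    # Policies are additive: a pod selected by any Egress-type policy is isolated,
    # and a connection passes only if some rule in some selecting policy allows it.
    isolating = [p for p in policies
                 if p["metadata"]["namespace"] == src["namespace"]
                 and "Egress" in p["spec"].get("policyTypes", [])
                 and selects(p["spec"].get("podSelector", {}), src["labels"])]
    if not isolating:
        return True                          # not selected by any policy: no isolation
    for p in isolating:
        for rule in p["spec"].get("egress", []):
            to = rule.get("to")              # missing/empty "to" means every destination
            if (not to or any(peer_matches(x, dst) for x in to)) and port_matches(rule, port, proto):
                return True
    return False                             # isolated and no rule matched: denied

# Constructed sample data. The lab's policy lists policyTypes: [Egress] with no
# egress rules, which is exactly why every outbound connection is denied.
NS = "windowsnetworking-sample_username"
WINVM = {"matchLabels": {"app": "winnetworking"}}
NOEGRESS = {"metadata": {"name": "noegress", "namespace": NS},
            "spec": {"podSelector": WINVM, "policyTypes": ["Egress"]}}
# Companion policy (constructed) re-opening only DNS to the cluster resolver namespace,
# matched on the namespace-name label that Kubernetes sets automatically.
ALLOW_DNS = {"metadata": {"name": "allow-dns", "namespace": NS},
             "spec": {"podSelector": WINVM, "policyTypes": ["Egress"], "egress": [
                 {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "openshift-dns"}}}],
                  "ports": [{"protocol": "UDP", "port": 53}]}]}}
WINWEB01 = {"namespace": NS, "labels": {"app": "winnetworking"}}
INTERNET = {"external": True}
DNS_POD = {"namespace": "openshift-dns", "ns_labels": {"kubernetes.io/metadata.name": "openshift-dns"}, "labels": {}}
```

Running `egress_allowed([NOEGRESS], WINWEB01, INTERNET, 80)` reproduces the lab's deny; adding ALLOW_DNS re-opens only UDP 53 to the DNS namespace while the Internet stays blocked.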

Validate that Internet Access is Blocked from the Windows VM

  1. Go back to PowerShell and test the network connection to the Internet: click Virtualization → VirtualMachines → winweb01 → Console, click into the console, and repeat the Internet access test. To run the same command again, press the Up Arrow and hit Enter.

    Powershell cURL failure

Next Steps

Congratulations! You have seen how easy it is to leverage cloud native resources to implement a Network Egress Firewall.

In the next module, you will configure advanced traffic management.