Airlock as a Service Knowledge Base

Configure Egress Traffic Policy

By default, all egress traffic from tenant IAMs is restricted.

An EgressTrafficPolicy lets you explicitly define which external destinations the tenant IAM components are allowed to reach.

Configuration Options

Using SaaS API reference

https://docs.airlock.com/saas-public-api/#tag/tenantconfig

Using saas.yaml

End of life: The saas.yaml is deprecated and will not be supported in a future Airlock SaaS version.
The following settings can be configured through the SaaS API reference using an OAuth 2.0 client.

Notice
A saas.yaml file can include at most one EgressTrafficPolicy.

Basic structure

apiVersion: iam.airlock.com/v1
kind: EgressTrafficPolicy
spec:
  adminapp:
    destinations:
      - host: example.com
        port: 443
        protocol: TCP
        appProtocol: HTTPS
  loginapp:
    destinations:
      - host: api.service.com
        port: 80
        protocol: TCP
        appProtocol: HTTP

Modules

The policy can be configured for three different application modules, corresponding to the IAM modules:

adminapp

loginapp

serviceContainer

Each module is optional and can be omitted if no egress traffic is required.

Destinations

destinations is a list of egress destinations. Each destination consists of the following fields:

port (integer, 1-65535; required): Target port number.

protocol (string; required): Network protocol; must be either TCP or UDP.

host (string; required, mutually exclusive with ip): DNS hostname (e.g., api.example.com).

ip (string; required, mutually exclusive with host): IPv4 address.

appProtocol (string; optional): Application-level protocol for TCP connections. Supported values: HTTP, HTTPS, GRPC, HTTP2, MONGO, TLS, TCP (default). Only applicable when protocol is TCP.

Restrictions

For protocol: UDP, only IP addresses are supported. In other words, specifying protocol: UDP in combination with a host is currently not supported.
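A small pre-submission validator that encodes the destination field rules and the UDP restriction above, so a malformed policy is caught locally before it is sent to the SaaS API. This is an added example written for this page, not Airlock's own code or API: it operates on the already-parsed document (the dict that yaml.safe_load would return), the error messages and the hostname regex are this example's own choices, and the second policy is a constructed invalid one that exercises each rule.

```python
"""Validator for an Airlock EgressTrafficPolicy document (added example, not Airlock code)."""
import ipaddress
import re

MODULES = ("adminapp", "loginapp", "serviceContainer")
PROTOCOLS = ("TCP", "UDP")
APP_PROTOCOLS = ("HTTP", "HTTPS", "GRPC", "HTTP2", "MONGO", "TLS", "TCP")
DEST_FIELDS = {"port", "protocol", "host", "ip", "appProtocol"}
# Loose DNS-name check (assumption of this example): labels of 1-63 chars, no leading/trailing '-'.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def _check_destination(module, index, dest, errors):
    where = f"{module}.destinations[{index}]"
    if not isinstance(dest, dict):
        errors.append(f"{where}: must be a mapping")
        return
    # port: required integer in 1-65535 (bool is excluded because it subclasses int)
    port = dest.get("port")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        errors.append(f"{where}: port must be an integer in 1-65535")
    # protocol: required, TCP or UDP
    protocol = dest.get("protocol")
    if protocol not in PROTOCOLS:
        errors.append(f"{where}: protocol must be TCP or UDP")
    # host and ip are required and mutually exclusive: exactly one must be present
    has_host, has_ip = "host" in dest, "ip" in dest
    if has_host == has_ip:
        errors.append(f"{where}: exactly one of host or ip is required")
    if has_host and not (isinstance(dest["host"], str) and HOSTNAME_RE.match(dest["host"])):
        errors.append(f"{where}: host is not a valid DNS hostname")
    if has_ip:
        try:
            ipaddress.IPv4Address(dest["ip"])
        except ValueError:
            errors.append(f"{where}: ip must be an IPv4 address")
    # appProtocol: optional, only meaningful for TCP, restricted to the supported values
    if "appProtocol" in dest:
        if protocol != "TCP":
            errors.append(f"{where}: appProtocol is only applicable when protocol is TCP")
        elif dest["appProtocol"] not in APP_PROTOCOLS:
            errors.append(f"{where}: unsupported appProtocol {dest['appProtocol']!r}")
    # Restriction from the page: UDP destinations must be given as an IP address, not a host
    if protocol == "UDP" and has_host:
        errors.append(f"{where}: UDP destinations must be specified by ip, not host")
    unknown = set(dest) - DEST_FIELDS
    if unknown:
        errors.append(f"{where}: unknown fields {sorted(unknown)}")


def validate_policy(doc):
    """Return a list of error strings; an empty list means the policy passed every check."""
    if not isinstance(doc, dict):
        return ["document must be a mapping"]
    errors = []
    if doc.get("apiVersion") != "iam.airlock.com/v1":
        errors.append("apiVersion must be iam.airlock.com/v1")
    if doc.get("kind") != "EgressTrafficPolicy":
        errors.append("kind must be EgressTrafficPolicy")
    spec = doc.get("spec")
    if not isinstance(spec, dict):
        return errors + ["spec must be a mapping"]
    unknown = set(spec) - set(MODULES)
    if unknown:
        errors.append(f"spec: unknown modules {sorted(unknown)}")
    for module in MODULES:  # every module is optional; an absent module simply has no egress
        if module not in spec:
            continue
        section = spec[module]
        if not isinstance(section, dict) or not isinstance(section.get("destinations"), list):
            errors.append(f"{module}: destinations must be a list")
            continue
        for i, dest in enumerate(section["destinations"]):
            _check_destination(module, i, dest, errors)
    return errors


# The page's basic-structure example, as yaml.safe_load would return it.
PAGE_EXAMPLE = {
    "apiVersion": "iam.airlock.com/v1",
    "kind": "EgressTrafficPolicy",
    "spec": {
        "adminapp": {"destinations": [
            {"host": "example.com", "port": 443, "protocol": "TCP", "appProtocol": "HTTPS"}]},
        "loginapp": {"destinations": [
            {"host": "api.service.com", "port": 80, "protocol": "TCP", "appProtocol": "HTTP"}]},
    },
}

# Constructed invalid policy: one destination per rule that should be rejected.
BAD_EXAMPLE = {
    "apiVersion": "iam.airlock.com/v1",
    "kind": "EgressTrafficPolicy",
    "spec": {
        "serviceContainer": {"destinations": [
            {"host": "ntp.example.com", "port": 123, "protocol": "UDP"},               # UDP needs ip
            {"ip": "203.0.113.5", "port": 70000, "protocol": "TCP"},                   # port out of range
            {"host": "a.example.com", "ip": "203.0.113.6", "port": 443, "protocol": "TCP"},  # host and ip
            {"ip": "203.0.113.7", "port": 53, "protocol": "UDP", "appProtocol": "TLS"},  # appProtocol on UDP
        ]},
    },
}

if __name__ == "__main__":
    for name, doc in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        problems = validate_policy(doc)
        print(name, "->", "valid" if not problems else "\n  " + "\n  ".join(problems))
```

Run it against the YAML you intend to submit (after yaml.safe_load) and treat any returned error as a reason not to call the tenantconfig endpoint; the check for unknown fields is deliberately strict so that a misspelled key such as appprotocol does not silently become a default TCP destination.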