Skip to content

Policy Recipes: Networking

Task-oriented networking recipes you can copy/paste. These recipes configure VM and network capabilities and destination-based proxy routing.

What You'll Learn

  • How to force egress traffic through proxies while exempting private networks
  • How to author outbound allowlists using destination and port criteria
  • How to override global proxy routing for specific applications

Networking Recipes

These recipes configure configuration.network.capabilities, proxies, and proxyRouting.

Force All Egress via Proxy Except RFC1918 (Direct); Deny by Default

Force all non-private TCP egress through a proxy. Private RFC1918 ranges go direct. Any unmatched egress is denied.

json
{
  "configuration": {
    "network": {
      "capabilities": {
        "outboundAllowed": true,
        "inboundAllowed": false,
        "dnsAllowed": true,
        "protocols": ["tcp","udp"],
        "egressDefaultAction": "deny"
      },
      "proxies": [
        { "id": "corp-proxy", "type": "https", "url": "https://proxy.corp.local:8443", "tls": { "verify": true } }
      ],
      "proxyRouting": [
        {
          "id": "rfc1918-direct",
          "enabled": true,
          "priority": 900,
          "match": { "cidrs": ["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"] },
          "action": { "type": "direct" }
        },
        {
          "id": "internet-via-proxy",
          "enabled": true,
          "priority": 800,
          "match": { "hosts": [ { "pattern": "*", "patternType": "glob" } ], "protocol": "tcp" },
          "action": { "type": "proxy", "proxyRef": "corp-proxy", "failover": "deny" }
        }
      ]
    }
  }
}

Validate:

  • Connections to RFC1918 address space (for example, 10.x.x.x, 172.16.x.x, 192.168.x.x) are direct.
  • Other TCP egress attempts are proxied via corp-proxy.
  • If the proxy is unavailable, unmatched traffic is denied due to egressDefaultAction: "deny" and failover: "deny".

Block Outbound Except Allowlist of Domains/Ports (Direct)

Deny all outbound traffic except for a specific set of host and port combinations.

json
{
  "configuration": {
    "network": {
      "capabilities": {
        "outboundAllowed": true,
        "dnsAllowed": true,
        "egressDefaultAction": "deny"
      },
      "proxyRouting": [
        {
          "id": "allow-api-and-ntp",
          "enabled": true,
          "priority": 950,
          "match": {
            "hosts": [
              { "pattern": "api.example.com", "patternType": "exact" },
              { "pattern": "time.windows.com", "patternType": "exact" }
            ],
            "ports": ["443","123"],
            "protocol": "tcp"
          },
          "action": { "type": "direct" }
        }
      ]
    }
  }
}

Validate:

  • Connections to api.example.com:443 and time.windows.com:123 succeed.
  • Other egress traffic is denied due to egressDefaultAction: "deny".

Per-App Proxy Bypass for a CDN Range

Override global proxy routing for a specific app by routing a CDN CIDR range direct.

json
{
  "apps": [
    {
      "id": "sensitive-editor",
      "displayName": "Sensitive Editor",
      "enabled": true,
      "priority": 300,
      "matchAll": [
        { "type": "targetPath", "pattern": "**\\\\SensitiveEditor.exe", "patternType": "glob" }
      ],
      "action": "allow",
      "modifications": {
        "network": {
          "proxyRouting": [
            {
              "id": "cdn-direct",
              "enabled": true,
              "priority": 960,
              "match": { "cidrs": ["203.0.113.0/24"], "ports": ["443"], "protocol": "tcp" },
              "action": { "type": "direct" }
            }
          ]
        }
      }
    }
  ]
}

Validate:

  • For this app only, connections to 203.0.113.0/24 on port 443 go direct, bypassing any global proxy.
  • Other destinations for this app follow the global routing rules defined under configuration.network.proxyRouting.

See also: