Appearance
Policy Recipes: Networking
Task-oriented networking recipes you can copy/paste. These recipes configure VM and network capabilities and destination-based proxy routing.
What You'll Learn
- How to force egress traffic through proxies while exempting private networks
- How to author outbound allowlists using destination and port criteria
- How to override global proxy routing for specific applications
Networking Recipes
These recipes configure configuration.network.capabilities, proxies, and proxyRouting.
Force All Egress via Proxy Except RFC1918 (Direct); Deny by Default
Force all non-private TCP egress through a proxy. Private RFC1918 ranges go direct. Any unmatched egress is denied.
json
{
"configuration": {
"network": {
"capabilities": {
"outboundAllowed": true,
"inboundAllowed": false,
"dnsAllowed": true,
"protocols": ["tcp","udp"],
"egressDefaultAction": "deny"
},
"proxies": [
{ "id": "corp-proxy", "type": "https", "url": "https://proxy.corp.local:8443", "tls": { "verify": true } }
],
"proxyRouting": [
{
"id": "rfc1918-direct",
"enabled": true,
"priority": 900,
"match": { "cidrs": ["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"] },
"action": { "type": "direct" }
},
{
"id": "internet-via-proxy",
"enabled": true,
"priority": 800,
"match": { "hosts": [ { "pattern": "*", "patternType": "glob" } ], "protocol": "tcp" },
"action": { "type": "proxy", "proxyRef": "corp-proxy", "failover": "deny" }
}
]
}
}
}Validate:
- Connections to RFC1918 address space (for example,
10.x.x.x,172.16.x.x,192.168.x.x) are direct. - Other TCP egress attempts are proxied via
corp-proxy. - If the proxy is unavailable, unmatched traffic is denied due to
egressDefaultAction: "deny"andfailover: "deny".
Block Outbound Except Allowlist of Domains/Ports (Direct)
Deny all outbound traffic except for a specific set of host and port combinations.
json
{
"configuration": {
"network": {
"capabilities": {
"outboundAllowed": true,
"dnsAllowed": true,
"egressDefaultAction": "deny"
},
"proxyRouting": [
{
"id": "allow-api-and-ntp",
"enabled": true,
"priority": 950,
"match": {
"hosts": [
{ "pattern": "api.example.com", "patternType": "exact" },
{ "pattern": "time.windows.com", "patternType": "exact" }
],
"ports": ["443","123"],
"protocol": "tcp"
},
"action": { "type": "direct" }
}
]
}
}
}Validate:
- Connections to
api.example.com:443andtime.windows.com:123succeed. - Other egress traffic is denied due to
egressDefaultAction: "deny".
Per-App Proxy Bypass for a CDN Range
Override global proxy routing for a specific app by routing a CDN CIDR range direct.
json
{
"apps": [
{
"id": "sensitive-editor",
"displayName": "Sensitive Editor",
"enabled": true,
"priority": 300,
"matchAll": [
{ "type": "targetPath", "pattern": "**\\\\SensitiveEditor.exe", "patternType": "glob" }
],
"action": "allow",
"modifications": {
"network": {
"proxyRouting": [
{
"id": "cdn-direct",
"enabled": true,
"priority": 960,
"match": { "cidrs": ["203.0.113.0/24"], "ports": ["443"], "protocol": "tcp" },
"action": { "type": "direct" }
}
]
}
}
}
]
}Validate:
- For this app only, connections to
203.0.113.0/24on port443go direct, bypassing any global proxy. - Other destinations for this app follow the global routing rules defined under
configuration.network.proxyRouting.
Related Topics
See also:
