Skip to content

cloud-gov/space-egress-examples

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits

.github

.github

 
 

app

app

 
 

docker

docker

 
 

proxy

proxy

 
 

s3

s3

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

egress-app-example.jpg

egress-app-example.jpg

 
 

Repository files navigation

space-egress-examples

Why this project

This repository is used to provide examples for how to leverage the different space egress types on cloud.gov.

Note - another egress proxy example can be found here.

Example overview

This example demonstrates one way of leveraging the space egress types on cloud.gov to more securely run an application that needs to respond to requests, and access resources at specific location on the open web or artifacts in an S3 bucket.

Egress application example

  • The application (in this case a simple Node.js application) runs in a restricted egress space.
  • A Docker image running squid proxy runs in a public egress space, on an internal route.
  • The squid proxy is configured to only allow access to specific domains via an access control list (ACL) directive.
  • A network policy is created to allow the Node.js application to connect to the squid proxy. Because the proxy is running on an internal route, we can ensure that only the Node.js application can access it.

Deploying this demo

  1. Configure squid & build Docker image
  2. Push Docker image to repo.
  3. Deploy proxy app in public egress space on internal route.
  4. Deploy demo app to restricted / closed egress space.
  5. Set up network policy to allow demo app to route traffic through proxy.

Pros & cons to this approach

  • Using a proxy on an internal route allows for granular control over which applications may access it using network policies.
  • Using an internal route allows Docker image to use non-standard port (by default squid runs on port 3128).
  • Additional steps required to make changes when needed and repush Docker image, and redeploy app.
  • Potentially some additional compliance burden from using Docker image over buildpack.

Contributing

See CONTRIBUTING for additional information.

Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

About

Examples for using cloud.gov space egress rules

Resources

Readme

License

View license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

6 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages