Configuring Egress Rules

This guide explains how to configure outbound network access rules for your project, allowing applications to connect to specific external services.

By default, Infrastream projects operate within a zero-trust network perimeter — applications cannot connect to external services unless explicitly allowed. This guide shows you how to use the allowedEgress field in your Project manifest to whitelist specific external destinations.


Prerequisites

  • You must have an existing Project manifest.
  • You need the exact hostnames or IP ranges of the external services your applications need to reach.

Step 1: Add Egress Rules to Your Project Manifest

Locate your Project manifest and add the allowedEgress list to the spec block:

apiVersion: lowops.manifests.v1
kind: Project
metadata:
  name: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  description: "Payment processing services with external partner integrations"
  region: us-central1

  allowedEgress:
    - "api.stripe.com"      # Payment processor API
    - "hooks.slack.com"     # Notification webhooks
    - "smtp.sendgrid.net"   # Email service
    - "*.googleapis.com"    # Google Cloud APIs (if not already allowed)

Key fields:

  • allowedEgress — A list of external hostnames or IP ranges that applications within the project are allowed to connect to. This generates firewall rules in the Shared VPC to permit outbound traffic to these destinations.
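Before opening the pull request it is worth linting the allowedEgress list for entries that are malformed or broad enough to defeat the perimeter. The following Python linter is an added example, not Infrastream's own code; it assumes, from the manifest above, that entries may be hostnames, leading-label wildcards such as *.googleapis.com, or IP ranges in CIDR form, and its "too broad" thresholds are arbitrary assumptions rather than platform rules.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# RFC 1123 DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Assumed "too broad" thresholds for IP ranges (not platform-defined values).
MIN_V4_PREFIX, MIN_V6_PREFIX = 16, 32
# Constructed sample: the manifest's entries plus deliberately bad ones.
SAMPLE_ALLOWED_EGRESS = [
    "api.stripe.com", "hooks.slack.com", "smtp.sendgrid.net", "*.googleapis.com",
    "203.0.113.0/24",   # documentation range, acceptable width
    "0.0.0.0/0",        # every IPv4 destination: the perimeter is gone
    "*.com",            # wildcard over a whole top-level domain
    "api.*.example",    # wildcard must be the leading label only
    "bad_host",         # underscore is not valid in a hostname
]

def classify_entry(entry: str) -> Tuple[str, Optional[str]]:
    """Return (kind, problem); kind is 'cidr', 'hostname', 'wildcard' or
    'invalid', and problem is None when the entry is acceptable."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.prefixlen == 0:
            return "cidr", "matches every address; egress control is effectively off"
        if net.prefixlen < (MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX):
            return "cidr", "very broad range (%d addresses)" % net.num_addresses
        return "cidr", None
    labels, kind = entry.split("."), "hostname"
    if labels[0] == "*":
        labels, kind = labels[1:], "wildcard"
        if len(labels) < 2:
            return kind, "wildcard covers an entire top-level domain"
    for label in labels:
        if "*" in label:
            return "invalid", "wildcard is only allowed as the leading label"
        if not _LABEL.match(label):
            return "invalid", "label %r is not a valid DNS label" % label
    return kind, None

def lint_allowed_egress(entries: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (entry, kind, problem) for every entry that should not be merged."""
    return [(e, k, p) for e in entries for k, p in [classify_entry(e)] if p]

if __name__ == "__main__":
    for entry, kind, problem in lint_allowed_egress(SAMPLE_ALLOWED_EGRESS):
        print("%-18s %-9s %s" % (entry, kind, problem))
```

Run it against the allowedEgress list from a manifest in CI so that an over-broad range or a malformed hostname is caught before the firewall rules are generated.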

Step 2: Understanding the Security Model

Infrastream's egress control is applied at the project level: every application within the project shares the same allow list, and any external destination not on it is denied. This follows the principle of least privilege. Because the list is shared, an entry added for one application becomes reachable by every application in the project, so keep entries as specific as possible.

Important: Egress rules are additive — you cannot use them to block traffic that is allowed by default (e.g., intra-VPC communication). They only control traffic to external destinations outside the Shared VPC.

Step 3: Commit, Review, and Merge

Commit the updated Project manifest in a pull request.

After merge, the platform will:

  1. Update the VPC firewall rules to allow outbound traffic to the specified destinations.
  2. Let applications begin connecting to the whitelisted services immediately, with no restart required.

Tip: If your application receives a connection timeout when calling an external API, the most common fix is adding the API's hostname to the allowedEgress list. The AI assistant can help diagnose this by checking the current egress configuration.