Network Policies
Control inbound and outbound traffic for your deployment containers using firewall rules.
Overview
Network policies let you define fine-grained firewall rules that filter traffic to and from your containers. You can allow or deny traffic based on protocol, port, IP range, and direction. This is useful for hardening production deployments, restricting access to internal services, or blocking known bad actors.
Policy Structure
Each policy consists of the following fields:
| Field | Type | Description |
|---|---|---|
| direction | inbound or outbound | Whether the rule applies to incoming or outgoing traffic |
| action | allow or deny | Whether to permit or block matching traffic |
| protocol | tcp, udp, or icmp | Network protocol to match |
| cidr | string | IP range in CIDR notation (e.g. 0.0.0.0/0 for all) |
| port | number | Port number to match; 0 matches every port, as in the examples below. Ignored for icmp |
| priority | number | 1-1000. Lower numbers are evaluated first, and the first matching rule decides |
Default Behavior
If no policies are configured, all inbound and outbound traffic is allowed. As soon as the deployment has at least one policy, the default flips: only traffic matching an allow rule is permitted, and everything else is denied even if you have written no deny rule. Read this literally: once your first policy exists, outbound traffic also needs allow rules (at least DNS and whatever services the container calls), or the container loses those connections. Confirm this behaviour on a test deployment before relying on it in production.
Don't Lock Yourself Out
Adding your first policy, or any deny rule, can cut off the dashboard shell. Before you add anything else, create an explicit allow rule for SSH/shell access with a low priority number so that it is evaluated before any deny, and verify that the shell still connects after each change. Otherwise you won't be able to reach your container through the dashboard shell.
Creating Policies from the Dashboard
Open Your Deployment
Navigate to the deployment detail page from the Deployments list.
Go to the Policies Tab
Click the Policies tab to view existing rules and add new ones.
Add a Policy
Click Add Policy, fill in the direction, action, protocol, CIDR range, port, and priority, then save.
Verify
Policies take effect within seconds. Test connectivity from outside the deployment (for example, one request to an allowed port and one to a denied port) and confirm that the dashboard shell still connects.
Example Policies
Allow Only HTTPS Traffic
Restrict inbound access to port 443 only. The explicit deny at priority 100 is redundant with the default deny that applies once any policy exists, but it records the intent; UDP and ICMP inbound are denied by that default as well.

```yaml
# Allow HTTPS
direction: inbound
action: allow
protocol: tcp
cidr: 0.0.0.0/0
port: 443
priority: 10
---
# Deny everything else inbound
direction: inbound
action: deny
protocol: tcp
cidr: 0.0.0.0/0
port: 0
priority: 100
```
Block a Specific IP Range
Deny traffic from a known bad network while allowing everything else. The deny must carry the lower priority number; with the numbers swapped, the allow-all rule would match first and the block would never apply.

```yaml
# Block specific range
direction: inbound
action: deny
protocol: tcp
cidr: 203.0.113.0/24
port: 0
priority: 10
---
# Allow all other inbound
direction: inbound
action: allow
protocol: tcp
cidr: 0.0.0.0/0
port: 0
priority: 100
```
Restrict Outbound to Specific Services
Only allow your container to reach a specific database server. The DNS rule below opens UDP 53 to every address; narrow its cidr to your resolver's address if you know it. DNS answers too large for UDP are retried over TCP, so if your resolver relies on that fallback, add a matching tcp rule for port 53 as well, since the final deny covers TCP.

```yaml
# Allow outbound to database
direction: outbound
action: allow
protocol: tcp
cidr: 10.0.1.50/32
port: 5432
priority: 10
---
# Allow outbound DNS
direction: outbound
action: allow
protocol: udp
cidr: 0.0.0.0/0
port: 53
priority: 20
---
# Deny all other outbound
direction: outbound
action: deny
protocol: tcp
cidr: 0.0.0.0/0
port: 0
priority: 100
```
API Reference
Create a policy via the API. Each request adds one rule, and the default deny applies as soon as the first rule exists, so when scripting a rule set, send the shell-access allow rule first and the deny rules last:

```bash
curl -X POST \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "action": "allow",
    "protocol": "tcp",
    "cidr": "0.0.0.0/0",
    "port": 443,
    "priority": 10
  }' \
  https://app.kovanetwork.com/api/v1/deployments/:id/policies
```
Policies are evaluated in priority order (lowest number first). Once a matching rule is found, evaluation stops, so a broad rule with a lower number shadows every more specific rule with a higher number. Give specific exceptions the lower numbers and broad rules the higher ones.
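The Default Behavior, Don't Lock Yourself Out and evaluation-order passages describe a small rule engine, and it is worth checking a rule set against those rules before saving it. The following simulator is an added example, not code from the platform or this page: it validates policies against the field table and evaluates a flow the way the page describes (lowest priority number first, first match wins, allow-all with no policies, implicit deny once any policy exists). It assumes, beyond what the page states, that port 0 is a wildcard (as the page's own examples imply), that the implicit deny covers both directions, that cidr is matched against the remote address of the flow, and that the dashboard shell reaches the container over TCP port 22 from the operator's address. The operator address is a constructed TEST-NET-2 value.

```python
"""Offline simulator for the policy evaluation rules this page describes.

Added example, not part of the platform. Assumptions beyond the page: port 0 is
a wildcard; the implicit default-deny covers both directions; cidr is matched
against the remote address; the dashboard shell uses TCP/22 from ADMIN_IP.
"""
import ipaddress

DIRECTIONS = {"inbound", "outbound"}
ACTIONS = {"allow", "deny"}
PROTOCOLS = {"tcp", "udp", "icmp"}
ADMIN_IP = "198.51.100.7"   # constructed operator address (TEST-NET-2)
SHELL_PORT = 22             # assumption: dashboard shell is SSH


def validate_policy(p):
    """Check one policy against the field table; raises ValueError on a bad field."""
    if p["direction"] not in DIRECTIONS:
        raise ValueError(f"bad direction: {p['direction']!r}")
    if p["action"] not in ACTIONS:
        raise ValueError(f"bad action: {p['action']!r}")
    if p["protocol"] not in PROTOCOLS:
        raise ValueError(f"bad protocol: {p['protocol']!r}")
    ipaddress.ip_network(p["cidr"], strict=True)   # rejects e.g. 203.0.113.5/24 (host bits set)
    if not 0 <= int(p["port"]) <= 65535:
        raise ValueError(f"bad port: {p['port']!r}")
    if not 1 <= int(p["priority"]) <= 1000:
        raise ValueError(f"priority outside 1-1000: {p['priority']!r}")
    return p


def is_valid(p):
    """True if validate_policy accepts p, False on any bad or missing field."""
    try:
        validate_policy(p)
        return True
    except (ValueError, KeyError):
        return False


def rule(direction, action, protocol, cidr, port, priority):
    """Build and validate a policy in the page's field layout."""
    return validate_policy({"direction": direction, "action": action, "protocol": protocol,
                            "cidr": cidr, "port": port, "priority": priority})


def matches(p, direction, protocol, remote_ip, port):
    """Does policy p apply to this flow? Port is ignored for ICMP; 0 matches any port."""
    if p["direction"] != direction or p["protocol"] != protocol:
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(p["cidr"]):
        return False
    return protocol == "icmp" or p["port"] in (0, port)


def evaluate(policies, direction, protocol, remote_ip, port=0):
    """Return 'allow' or 'deny' for one flow: lowest priority number first, first match wins."""
    if not policies:
        return "allow"                      # no policies at all: everything is allowed
    for p in sorted(policies, key=lambda p: p["priority"]):
        if matches(p, direction, protocol, remote_ip, port):
            return p["action"]
    return "deny"                           # at least one policy exists: implicit deny


def shell_reachable(policies, admin_ip=ADMIN_IP, shell_port=SHELL_PORT):
    """Lockout check to run before saving a rule set that introduces a deny."""
    return evaluate(policies, "inbound", "tcp", admin_ip, shell_port) == "allow"


# The three rule sets from the Example Policies section.
HTTPS_ONLY = [rule("inbound", "allow", "tcp", "0.0.0.0/0", 443, 10),
              rule("inbound", "deny", "tcp", "0.0.0.0/0", 0, 100)]
BLOCK_RANGE = [rule("inbound", "deny", "tcp", "203.0.113.0/24", 0, 10),
               rule("inbound", "allow", "tcp", "0.0.0.0/0", 0, 100)]
OUTBOUND_DB = [rule("outbound", "allow", "tcp", "10.0.1.50/32", 5432, 10),
               rule("outbound", "allow", "udp", "0.0.0.0/0", 53, 20),
               rule("outbound", "deny", "tcp", "0.0.0.0/0", 0, 100)]
# A mistake the priority rule makes easy: the broad deny at 5 shadows the allow at 10.
SHADOWED = [rule("inbound", "deny", "tcp", "0.0.0.0/0", 0, 5),
            rule("inbound", "allow", "tcp", "0.0.0.0/0", 443, 10)]
# HTTPS_ONLY plus the low-numbered shell rule that keeps the operator from being locked out.
HTTPS_ONLY_WITH_SHELL = [rule("inbound", "allow", "tcp", ADMIN_IP + "/32", SHELL_PORT, 1)] + HTTPS_ONLY

if __name__ == "__main__":
    for name, rules in [("HTTPS_ONLY", HTTPS_ONLY), ("HTTPS_ONLY_WITH_SHELL", HTTPS_ONLY_WITH_SHELL),
                        ("SHADOWED", SHADOWED)]:
        print(name, "inbound 443:", evaluate(rules, "inbound", "tcp", ADMIN_IP, 443),
              "| shell reachable:", shell_reachable(rules))
    print("HTTPS_ONLY outbound DNS:", evaluate(HTTPS_ONLY, "outbound", "udp", "10.0.0.2", 53))
```

Running it shows the two failure modes the page warns about: HTTPS_ONLY on its own reports the shell as unreachable and, under the both-directions assumption, denies outbound DNS, while SHADOWED denies port 443 even though an allow rule for it exists.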