Configuration Reference
With DiscrimiNAT, the Security Groups attached to the applications that need filtered access to the Internet can be annotated with a set of allowed FQDNs. This allows creating least privilege egress policies from the protected workload to the Internet.
No need to create VPC-wide allowlists that allow discrete applications within access to what they needn't.
DiscrimiNAT's own Security Groups need not be altered.
On this page, we cover the syntax for the Cloud-native Security Groups' description fields, where the annotations live.
See-Thru mode​
The see-thru
mode is a non-blocking configuration that allows one to build an appropriate allowlist up to a specified date. The annotation is added to the description fields of outbound rules of the protected applications to-be.
Syntax​
discriminat:see-thru:YYYY-mm-dd
The rule will automatically stop working after the YYYY-mm-dd
date.
Examples​
discriminat:see-thru:2024-12-31
discriminat:see-thru:2024-09-09
Such a rule must:
allow all protocolsall portshave a destination of0.0.0.0/0
- These are no longer a requirement from v2.6.0 of DiscrimiNAT.
Configuring this mode in the AWS web console would look like this:
In Terraform, it would be along the lines of:
resource "aws_security_group" "some-app" {
name = "monitor-some-app"
vpc_id = var.vpc_id
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
description = "discriminat:see-thru:2024-12-31"
}
}
Logs​
The flow logs stream under the DiscrimiNAT log group in CloudWatch will have three additional fields for traffic from any workload that has a Security Group attached with a see-thru
rule in it:
see_thru_exerted
: true when notls
orssh
protocol rules allowed this connection through and it's only because of thesee-thru
rule that the connection has been let through. false when atls
orssh
protocol rule would otherwise allow this connection through. The rest of the fields in the log line remain as they would without thesee-thru
rule, hence indicating whichtls
orssh
protocol rule matched to let this connection through.see_thru_gid
: The Security Group ID where the enactedsee-thru
was found.see_thru_days_remaining
: The number of remaining days this rule will continue to work. Runs into negative if the current date goes past the specified date. These log fields are still emitted if asee-thru
rule with any date, past or future, remains specified.
TLS and SSH mode​
The tls
and ssh
modes are a blocking configuration that will only allow FQDNs set out in the allowlist. Destination protocols, FQDNs and IP Addresses are added to the description fields of outbound rules of the protected applications.
If transitioning from a see-thru
rule, note that tls
and ssh
rules require a specific port number to be specified in the Security Group rules.
Syntax​
discriminat:<protocol>:<fqdn>[,<fqdn>,<ipv4>]
- Valid protocols are
ssh
andtls
only. - There can be as many FQDNs and IP Addresses as you can fit separated by commas. There cannot be whitespace, though.
- Multiple Security Groups can be created to accommodate more addresses, or group them by some criteria.
- Alternatively, multiple outbound Rules within the same Security Group can be created with destination CIDRs varying like
0.0.0.0/0
,0.0.0.0/1
,0.0.0.0/2
and so on.
- There can be other text leading and trailing this specification, separated by whitespace.
- All of it is case insensitive.
You can attach multiple Security Groups to EC2 instances. It's a great way to bunch together related FQDNs.
Examples​
DiscrimiNAT:TLS:api.foo.example.com,downloads.example.net,203.0.113.9
DiscrimiNAT:SSH:sftp.txs.example.org,ssh.github.com
discriminat:tls:api-v_.example.com discriminat:tls:www.example.org
lorem ipsum discriminat:ssh:ssh.github.com,gitlab.com,203.0.113.9 dolor sit amet
Wildcards are supported from v2.8 onwards and their use is explained in detail in our blog post Wildcards and System 2 Thinking.
Configuring this mode in the AWS web console would look like this:
- Under
Type
, choose any TCP protocol type and specify exactly one port number inPort range
. To use another port for an alternative set of addresses, simply create another Security Group Rule with that port number. See the Connecting to MS/Azure SQL Server over TLS guide for an example. - For your typical HTTPS outbound connection, the port number would be
443
. - A typical SFTP connection has the port number of
22
. Destination
must be set to the narrowest IP block you can think of. Now if you don't have anything narrower than0.0.0.0/0
that is absolutely fine! The firewall takes care of validating the destination IP address of actual packets in many ways, but the outbound rule at the AWS networking and security level must allow the packet to leave the protected workload at all. We repeat,0.0.0.0/0
is a safe choice with the DiscrimiNAT Firewall in the way.- Should you wish to use the same port number again with a different rule, set to the destination to
0.0.0.0/1
or0.0.0.0/2
or0.0.0.0/3
and so on. - Multiple such Rules can be added to one Security Group and all of them will be recognised.
You can attach multiple Security Groups to EC2 instances. It's a great way to bunch together related FQDNs.
In Terraform, this would be along the lines of:
resource "aws_security_group" "acme" {
name = "acme-reports-upload"
vpc_id = var.vpc_id
egress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "discriminat:tls:api.acme.com,auth.acme.com,203.0.113.9,foo.example.com,bar.example.net"
}
}
Complete Bypass​
If you would like to discuss alternate protocols or know how to completely bypass DiscrimiNAT whilst still routing traffic, get in touch with our DevSecOps Support to discuss the best option for your use case.