Overview

Policies in the Distributed Cloud Firewall (DCF) define the security rules that control traffic flow across your cloud network. They determine which traffic is allowed, denied, or logged based on source, destination, protocol, and other criteria.

Policy Components

DCF policies consist of several key components:

Rules

Rules are the building blocks of policies. Each rule specifies:
  • Source: The origin of the traffic (SmartGroups, IP addresses, or CIDR ranges)
  • Destination: The target of the traffic (SmartGroups, IP addresses, or CIDR ranges)
  • Protocol/Port: The network protocol and port numbers
  • Action: Allow, Deny, or Allow with logging
  • Priority: Determines the order of rule evaluation

SmartGroups

SmartGroups provide dynamic grouping of resources based on tags, metadata, or other attributes. They simplify policy management by automatically including resources that match defined criteria. For more information on SmartGroups, see the DCF Overview.

Policy Types

Intra-VPC/VNet Policies

Control traffic between resources within the same VPC or VNet. These policies enable micro-segmentation within a single cloud network.

Inter-VPC/VNet Policies

Govern traffic flowing between different VPCs or VNets. These policies are essential for controlling east-west traffic in multi-cloud environments.

Egress Policies

Manage outbound traffic from your cloud environment to the internet or external destinations.

Ingress Policies

Control inbound traffic from external sources into your cloud environment.

Policy Evaluation

DCF evaluates policies in the following order:
  1. Explicit Deny: Traffic matching an explicit deny rule is immediately blocked
  2. Explicit Allow: Traffic matching an explicit allow rule is permitted
  3. Default Action: Traffic not matching any rule follows the default policy action
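To make the three-step order concrete, the following is an added worked example, not Aviatrix code and not the DCF API: a small Python model of rules, tag-based SmartGroups, and an evaluator that applies explicit deny first, then explicit allow, then the default action. Class names, the `allow_log` action string, the use of priority only as a tie-breaker among rules in the same step, the constructed inventory, rules and flows are all assumptions made for illustration. The per-rule `hits` counter also shows the kind of data behind the hit-count review recommended under Best Practices.

```python
# Added example (not Aviatrix DCF code): toy model of DCF-style policy evaluation.
# Names, rule shapes and sample data are hypothetical and constructed here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Union


@dataclass
class Resource:
    """A workload with an IP and the tags that SmartGroups select on."""
    name: str
    ip: str
    tags: Dict[str, str]


@dataclass
class SmartGroup:
    """Dynamic group: every resource whose tags include all of match_tags."""
    name: str
    match_tags: Dict[str, str]

    def contains(self, ip: str, inventory: List[Resource]) -> bool:
        return any(r.ip == ip and all(r.tags.get(k) == v for k, v in self.match_tags.items())
                   for r in inventory)


Selector = Union[str, SmartGroup]  # a CIDR / IP string or a SmartGroup


def selector_matches(sel: Selector, ip: str, inventory: List[Resource]) -> bool:
    if isinstance(sel, SmartGroup):
        return sel.contains(ip, inventory)
    return ip_address(ip) in ip_network(sel, strict=False)


@dataclass
class Rule:
    name: str
    src: Selector
    dst: Selector
    protocol: str              # "tcp", "udp" or "any"
    ports: Optional[Set[int]]  # None means any port
    action: str                # "allow", "allow_log" or "deny"
    priority: int              # lower value is considered first within a step
    hits: int = 0              # incremented when this rule decides a flow

    def matches(self, src_ip, dst_ip, protocol, port, inventory) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return (selector_matches(self.src, src_ip, inventory)
                and selector_matches(self.dst, dst_ip, inventory))


@dataclass
class Decision:
    verdict: str         # "allow" or "deny"
    rule: Optional[str]  # deciding rule, or None when the default action applied
    logged: bool


def evaluate(rules, inventory, src_ip, dst_ip, protocol, port, default="deny") -> Decision:
    """Step 1: any matching explicit deny blocks. Step 2: a matching allow permits.
    Step 3: otherwise the default action applies."""
    matched = sorted((r for r in rules if r.matches(src_ip, dst_ip, protocol, port, inventory)),
                     key=lambda r: r.priority)
    denies = [r for r in matched if r.action == "deny"]
    if denies:
        denies[0].hits += 1
        return Decision("deny", denies[0].name, logged=False)
    allows = [r for r in matched if r.action in ("allow", "allow_log")]
    if allows:
        allows[0].hits += 1
        return Decision("allow", allows[0].name, logged=allows[0].action == "allow_log")
    return Decision(default, None, logged=False)


def build_demo():
    """Constructed sample inventory and rules; not taken from any real deployment."""
    inventory = [
        Resource("web-1", "10.0.1.10", {"tier": "web", "env": "prod"}),
        Resource("db-1", "10.0.2.20", {"tier": "db", "env": "prod"}),
        Resource("bastion-1", "10.0.3.5", {"tier": "mgmt", "env": "prod"}),
    ]
    prod, web, db = (SmartGroup("prod", {"env": "prod"}), SmartGroup("web", {"tier": "web"}),
                     SmartGroup("db", {"tier": "db"}))
    rules = [
        Rule("web-to-db-postgres", web, db, "tcp", {5432}, "allow_log", 100),
        Rule("legacy-ftp", prod, prod, "tcp", {21}, "allow", 400),   # never hit below
        Rule("prod-east-west", prod, prod, "any", None, "allow", 500),
        Rule("no-ssh-to-db", "0.0.0.0/0", db, "tcp", {22}, "deny", 50),
    ]
    return rules, inventory


def run_demo():
    rules, inventory = build_demo()
    flows = [("10.0.1.10", "10.0.2.20", "tcp", 5432),    # web -> db, allowed and logged
             ("10.0.1.10", "10.0.2.20", "tcp", 22),      # broad allow exists, deny still wins
             ("10.0.3.5", "10.0.1.10", "tcp", 443),      # bastion -> web via prod-east-west
             ("192.168.5.5", "10.0.2.20", "tcp", 5432)]  # matches nothing: default action
    decisions = [evaluate(rules, inventory, *f) for f in flows]
    unused = [r.name for r in rules if r.hits == 0]       # candidates for clean-up
    return decisions, unused


if __name__ == "__main__":
    decisions, unused = run_demo()
    for d in decisions:
        print(d)
    print("rules with zero hits:", unused)
```

The second flow is the one to study: `prod-east-west` would permit it, but because explicit deny is evaluated before explicit allow, `no-ssh-to-db` decides the flow regardless of the allow rule's priority. The last flow shows why a deny-all default matters: a source no rule describes falls through to the default action rather than to an implicit permit.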

Best Practices

Policy Design

  • Start with a deny-all default policy and explicitly allow required traffic
  • Use SmartGroups to create dynamic, maintainable policies
  • Implement the principle of least privilege
  • Document policy purposes and ownership

Policy Management

  • Regularly review and audit policies
  • Test policy changes in a staging environment before production deployment
  • Use version control for policy configurations
  • Monitor policy hit counts to identify unused rules

Performance Considerations

  • Order rules by frequency of match (most common first) when possible
  • Consolidate overlapping rules where appropriate
  • Limit the use of overly broad rules that match excessive traffic