Restricting outbound traffic from cluster nodes

To control outbound traffic from your cluster nodes, you can configure outbound firewall rules for public networks by using the vinfra tool. By default, the ports used by system services are open, to ensure non-disruptive cluster operation. Additionally, outbound traffic is always allowed in the subnet dedicated to internal communication between cluster nodes. Because a private network is not publicly exposed and does not communicate with any external endpoints, you do not need to restrict its outbound traffic. A network is recognized as private if it is assigned any of these traffic types:

  • OSTOR private
  • Backup (ABGW) private
  • Internal management
  • Storage

A private network always has the rule <private_subnet_cidr>:any:0, which allows all outbound traffic in the current subnet. This rule is not visible via the vinfra commands and exists only in iptables.

To block all outbound traffic except that which is necessary for cluster operation, perform the following steps:

  1. Create additional firewall rules to allow outbound traffic for the particular services you need.
  2. Remove the rule that allows all outbound traffic.
  3. Check your network settings.
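The rules above use the form `<cidr>:<protocol>:<port>`. The following is an added example, not part of this documentation or the vinfra tool, that models such a rule list so you can check, before applying step 2, which outbound flows will remain allowed and whether a catch-all rule is still present. It assumes, based on the `<private_subnet_cidr>:any:0` rule described above, that `any` matches every protocol and port `0` matches every port; the sample rule list is constructed.

```python
"""Evaluate outbound allow rules written as <cidr>:<protocol>:<port>.

Assumptions (inferred from the <private_subnet_cidr>:any:0 rule on this page,
not confirmed by the vinfra documentation): protocol "any" matches tcp and
udp, and port 0 matches every port.
"""
import ipaddress
from typing import List, NamedTuple, Union


class Rule(NamedTuple):
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    protocol: str  # "tcp", "udp" or "any"
    port: int      # 0 means every port (assumption)


def parse_rule(text: str) -> Rule:
    """Parse '<cidr>:<protocol>:<port>'; rsplit keeps IPv6 CIDRs intact."""
    cidr, proto, port = text.rsplit(":", 2)
    proto = proto.lower()
    if proto not in ("tcp", "udp", "any"):
        raise ValueError(f"unknown protocol in rule {text!r}")
    port_num = int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError(f"port out of range in rule {text!r}")
    return Rule(ipaddress.ip_network(cidr, strict=False), proto, port_num)


def is_allowed(rules: List[Rule], dst_ip: str, proto: str, port: int) -> bool:
    """True if at least one rule permits an outbound flow to dst_ip:port."""
    addr = ipaddress.ip_address(dst_ip)
    return any(
        addr in r.network and r.protocol in ("any", proto) and r.port in (0, port)
        for r in rules
    )


def find_catch_all(rules: List[Rule]) -> List[Rule]:
    """Rules that allow all traffic to every destination (what step 2 removes)."""
    return [r for r in rules if r.network.prefixlen == 0
            and r.protocol == "any" and r.port == 0]


# Constructed sample: a private subnet rule, HTTPS anywhere, NTP to one host.
SAMPLE_RULES = [parse_rule(r) for r in (
    "10.10.0.0/24:any:0", "0.0.0.0/0:tcp:443", "203.0.113.10/32:udp:123")]

if __name__ == "__main__":
    print("catch-all rules present:", find_catch_all(SAMPLE_RULES))
    print("HTTP to 198.51.100.5 allowed:", is_allowed(SAMPLE_RULES, "198.51.100.5", "tcp", 80))
```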