
Set Network Policies (Beta)

This topic describes how to change the network policy of a virtual machine (VM) or a VM-based cluster with Replicated Compatibility Matrix.

About Network Policies

VMs and VM-based clusters created with Compatibility Matrix can use one of the following network policies:

Network Policy   Description
open             No restrictions on network traffic.
airgap           Restrict all network traffic.

By default, all VMs and clusters are created with an open network policy. You can change the network policy to airgap to create an air-gapped environment with no outbound internet access.

The airgap network policy is particularly useful for testing air gap installations for your application. For information about installing with Embedded Cluster in an air-gapped environment, see Air Gap Installation with Embedded Cluster. For information about installing with the Helm CLI in an air-gapped environment, see Install and Update with Helm in Air Gap Environments.

Requirements

  • Replicated CLI 0.109.0 or later
  • The user must have the Admin or Developer role. Read Only users cannot change network settings.

Limitations

  • Network policies are a beta feature. For feedback on this feature, including requests for additional types of network policies, contact Replicated support.
  • Setting network policies is only supported through the Replicated CLI. You cannot make changes to the network policy through the Compatibility Matrix UI in the Vendor Portal.
  • Network policies are supported only for VMs and VM-based clusters (K3s, RKE2, Embedded Cluster, kURL, Kind, OpenShift). Network policies are not supported for cloud-based clusters (EKS, GKE, AKS, OKE).

Set the Network Policy to airgap

For VM-Based Clusters

To set the network policy of a VM-based cluster:

  1. Create a cluster:

    replicated cluster create --distribution VM_BASED_DISTRIBUTION

    Where VM_BASED_DISTRIBUTION is the target VM-based cluster distribution. For a list of supported distributions, see VM Clusters.

  2. Watch until the cluster status is running:

    replicated cluster ls --watch
  3. (Optional) Verify the initial outbound network connectivity for the cluster:

    1. Access the cluster in a shell:

      replicated cluster shell CLUSTER_ID

      Where CLUSTER_ID is the ID of the cluster that you created from the output of the cluster ls command.

    2. In the cluster, install a network testing tool such as netshoot.

      Example:

      kubectl run tmp-shell --rm -i --tty --image nicolaka/netshoot
    3. Curl an endpoint to confirm a successful response. For example, curl www.google.com.

  4. Open a new shell to access the cluster:

    replicated cluster shell CLUSTER_ID

    Where CLUSTER_ID is the ID of the cluster that you created from the output of the cluster ls command.

  5. Change the network policy to airgap:

    replicated network update NETWORK_ID --policy airgap

    Where NETWORK_ID is the ID of the network from the output of the cluster ls command.

  6. Verify that the cluster's policy is airgap and the status is running:

    replicated cluster ls
    ID       NAME             STATUS  CREATED              EXPIRES              POLICY REPORTING
    bdeb3515 gifted_antonelli running 2025-01-28 18:45 PST 2025-01-28 19:45 PST airgap off

    The air gap network is enabled when the status is running.

  7. (Optional) Use a network testing tool such as netshoot to curl an endpoint and verify that there is no outbound connectivity from the cluster.

    If the air gap was successful, a request to curl an endpoint will time out. For example:

    curl: (28) Failed to connect to www.google.com port 80 after 129976 ms: Couldn't connect to server
  8. (Optional) Test an air gap installation of your application in the cluster. See Install and Update with Helm in Air Gap Environments.

For VMs

To set the network policy of a VM:

  1. Create a VM:

    replicated vm create --distribution ubuntu
  2. Wait until the VM status is running:

    replicated vm ls
  3. SSH onto the VM:

    Where VM_ID is the ID of the VM from the output of the vm ls command.

    For more information and additional options, see Connect to a VM.

  4. (Optional) Curl an endpoint to verify the network connectivity of the VM. For example, curl www.google.com.

  5. Set the network policy to airgap:

    replicated network update NETWORK_ID --policy airgap

    Where NETWORK_ID is the ID of the network from the output of the vm ls command.

    Example:

    replicated network update 85eb50a8 --policy airgap
    Note: It can take a few seconds for the setting to apply. While the update is in progress, the status is updating:

    ID       NAME           STATUS   CREATED              EXPIRES              POLICY REPORTING
    85eb50a8 silly_rosalind updating 2025-01-28 16:16 PST 2025-01-28 17:18 PST airgap off
  6. (Optional) Curl an endpoint to verify that there is no outbound connectivity from the VM. For example, curl www.google.com.

    If the air gap was successful, a request to curl an endpoint will time out. For example:

    curl: (28) Failed to connect to www.google.com port 80 after 129976 ms: Couldn't connect to server
  7. (Optional) Test an air gap installation of your application on the VM. See Air Gap Installation with Embedded Cluster.
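The two procedures above (for clusters and for VMs) both gate on the same two signals: the `ls` row reaching status running with policy airgap, and an outbound curl from inside the environment failing rather than answering. The helper below is an added example, not code from the Replicated docs or CLI; it assumes the column layout shown in the `ls` output above, that `egress_blocked` is run from a shell inside the VM or cluster, and that a blocked request surfaces as one of curl's DNS (6), connect (7) or timeout (28) exit codes.

```shell
#!/bin/sh
# Added helper (not part of the Replicated docs or CLI). Assumes the
# `replicated cluster ls` / `replicated vm ls` column layout shown above
# (ID NAME STATUS CREATED EXPIRES POLICY REPORTING, where CREATED and
# EXPIRES each span three whitespace-separated fields).

# policy_state ID LS_OUTPUT: print "STATUS POLICY" for the row with that ID.
policy_state() {
  printf '%s\n' "$2" | awk -v id="$1" '$1 == id { print $3, $(NF-1) }'
}

# airgap_ready ID LS_OUTPUT: succeed only when the row is running + airgap.
airgap_ready() {
  [ "$(policy_state "$1" "$2")" = "running airgap" ]
}

# wait_for_airgap KIND ID [ATTEMPTS] [DELAY]: poll the live CLI (KIND is
# "cluster" or "vm") until the policy has applied. Needs network access.
wait_for_airgap() {
  kind="$1"; id="$2"; attempts="${3:-30}"; delay="${4:-5}"
  while [ "$attempts" -gt 0 ]; do
    airgap_ready "$id" "$(replicated "$kind" ls)" && return 0
    attempts=$((attempts - 1)); sleep "$delay"
  done
  echo "policy did not reach running/airgap for $kind $id" >&2
  return 1
}

# egress_blocked URL: run from a shell inside the VM or cluster. Succeeds
# when the outbound request fails with curl's DNS (6), connect (7) or
# timeout (28) exit codes; fails if a response comes back. CURL may be
# overridden with a stand-in command (the tests use a fake).
egress_blocked() {
  rc=0
  "${CURL:-curl}" -sS --max-time 15 -o /dev/null "$1" || rc=$?
  case "$rc" in
    0)       echo "egress allowed: $1 answered" >&2; return 1 ;;
    6|7|28)  return 0 ;;
    *)       echo "unexpected curl exit $rc for $1" >&2; return 2 ;;
  esac
}
```

Typical use after step 5 of either procedure: `wait_for_airgap cluster CLUSTER_ID` from your workstation, then `egress_blocked http://www.google.com` from the shell inside the environment.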