Traffic Policy
Traffic Policy is currently in preview. Breaking changes may occur at any time with no notice, including changes to the structure of policy documents, the behaviors of policies, and the pricing of this feature.
Overview
This module enables you to assign a policy to your endpoints by defining a set of rules for the on_tcp_connect
traffic management phase. These rules allow you to influence and control traffic to your upstream service.
Traffic Policy rules are composed of expressions that filter the traffic on which they are applicable and actions that should take effect.
Example Usage
- Agent CLI
- Agent Config
- SSH
- Go
- Javascript
- Python
- Rust
- Kubernetes Controller
ngrok tls 80 --traffic-policy-file /path/to/policy.yml
on_tcp_connect:
- name: "LimitToKnownIPs"
expressions:
- "conn.client_ip != '8.8.8.8'"
- "conn.client_ip != '9.9.9.9'"
actions:
- type: deny
tunnels:
example:
proto: tls
addr: 443
traffic_policy:
on_tcp_connect:
- name: EnforceTLS1.3
expressions:
- "conn.tls.version != '1.3'"
actions:
- type: deny
- name: "LogRequestsFromKnownIP"
expressions:
- "conn.client_ip == '110.0.0.1'"
actions:
- type: log
config:
metadata:
event: "known-ip"
data: "110.0.0.1"
Traffic Policy is not configurable via SSH
import (
"context"
"net"
"golang.ngrok.com/ngrok"
"golang.ngrok.com/ngrok/config"
)
func ngrokListener(ctx context.Context) (net.Listener, error) {
return ngrok.Listen(ctx,
config.TLSEndpoint(
config.WithTrafficPolicy(getPolicyFromFile()),
),
ngrok.WithAuthtokenFromEnv(),
)
}
func getPolicyFromFile() string {
b, _ := os.ReadFile("./policy.yaml")
return string(b)
}
Traffic Policies can be defined in json or yaml!
{
"on_tcp_connect": [
{
"name": "DenyTrafficOutsideUS",
"expressions": ["conn.geo.country_code != 'US'"],
"actions": [
{
"type": "deny"
}
]
},
{
"name": "LogRequestsFromKnownIP",
"expressions": ["conn.client_ip == '110.0.0.1"],
"actions": [
{
"type": "log",
"config": {
"metadata": {
"event": "known-ip",
"data": "110.0.0.1"
}
}
}
]
}
]
}
---
on_tcp_connect:
- name: DenyTrafficOutsideUS
expressions:
- conn.geo.country_code != 'US'
actions:
- type: deny
- name: LogRequestsFromKnownIP
expressions:
- conn.client_ip == '110.0.0.1
actions:
- type: log
config:
metadata:
event: known-ip
data: 110.0.0.1
Go Package Docs:
const ngrok = require("@ngrok/ngrok");
const fs = require("fs");
(async function () {
const listener = await ngrok.forward({
addr: 8080,
proto: "tls",
authtoken_from_env: true,
traffic_policy: fs.readFileSync("/path/to/policy.json", "utf8"),
});
console.log(`Ingress established at: ${listener.url()}`);
})();
Traffic Policies can be defined in json or yaml!
{
"on_tcp_connect": [
{
"name": "DenyTrafficOutsideUS",
"expressions": ["conn.geo.country_code != 'US'"],
"actions": [
{
"type": "deny"
}
]
},
{
"name": "LogRequestsFromKnownIP",
"expressions": ["conn.client_ip == '110.0.0.1"],
"actions": [
{
"type": "log",
"config": {
"metadata": {
"event": "known-ip",
"data": "110.0.0.1"
}
}
}
]
}
]
}
---
on_tcp_connect:
- name: DenyTrafficOutsideUS
expressions:
- conn.geo.country_code != 'US'
actions:
- type: deny
- name: LogRequestsFromKnownIP
expressions:
- conn.client_ip == '110.0.0.1
actions:
- type: log
config:
metadata:
event: known-ip
data: 110.0.0.1
Javascript SDK Docs:
with open('/path/to/policy.json') as f:
policy = json.load(f)
listener = await session.http_endpoint().traffic_policy(policy).listen()
Traffic Policies can be defined in json or yaml!
{
"on_tcp_connect": [
{
"name": "DenyTrafficOutsideUS",
"expressions": ["conn.geo.country_code != 'US'"],
"actions": [
{
"type": "deny"
}
]
},
{
"name": "LogRequestsFromKnownIP",
"expressions": ["conn.client_ip == '110.0.0.1"],
"actions": [
{
"type": "log",
"config": {
"metadata": {
"event": "known-ip",
"data": "110.0.0.1"
}
}
}
]
}
]
}
---
on_tcp_connect:
- name: DenyTrafficOutsideUS
expressions:
- conn.geo.country_code != 'US'
actions:
- type: deny
- name: LogRequestsFromKnownIP
expressions:
- conn.client_ip == '110.0.0.1
actions:
- type: log
config:
metadata:
event: known-ip
data: 110.0.0.1
Python SDK Docs:
Traffic Policy is coming soon via rust-sdk
---
apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: Domain
metadata:
name: tlsedgetest-ngrok-app
spec:
domain: tlsedgetest.ngrok.app
---
apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: TLSEdge
metadata:
name: test-edge
spec:
hostports:
- tlsedgetest.ngrok.app:443
backend:
labels:
app: tlsedgetest
policy:
inbound:
- name: "LimitToKnownIPs"
expressions:
- "conn.ClientIP != '8.8.8.8'"
- "conn.ClientIP != '9.9.9.9'"
actions:
- type: deny
---
apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: Tunnel
metadata:
name: test-tunnel
spec:
backend:
protocol: TLS
forwardsTo: kubernetes.default.svc:443
labels:
app: tlsedgetest
Behavior
Traffic Policy rules are evaluated sequentially in the order they are configured with on_tcp_connect rules taking effect before the
upstream server is reached. Whether or not the configured actions are performed is determined at runtime by the expressions.
Expression Evaluation
Traffic Policy expressions are written using the Common Expression Language (CEL). Policy expressions must evaluate to true
in order for policy actions to take effect. There is no behavioral difference between adding multiple expressions to a single policy rule and having one
single expression with multiple statements logically conjoined together (i.e. ["1 == 1 && 2 == 2"] is the same
s ["1 == 1", "2 == 2"]).
If no expressions are specified on a traffic policy rule, its actions will always take effect.
Action Execution
If a traffic policy's expressions are evaluated as a match against a connection, the policy's actions will be executed. If multiple actions are defined on a traffic policy, the actions will execute sequentially.
See actions for all available actions.
Reference
Configuration
| Parameter | Description |
|---|---|
| name | Traffic Policy rules can optionally be given a name for convenience. |
| expressions | A list of CEL expressions that filter which traffic a policy rule will apply to. |
| actions | A list of actions that will execute sequentially if the associated policy rule's expressions all match on the traffic. |
| type | The type of action. |
| config | The configuration details of how an action should execute. Each action has its own configuration structure. |
Edges
Traffic Policy is a TLS Edge module.
The Traffic Policy module can be configured vai the ngrok dashboard or API.