Outbound Filter

The VPG Outbound Filter option allows you to specify a whitelist or blacklist of IP address ranges where outgoing traffic can or cannot be routed, and in turn ensure that your devices are not allowed to access unauthorized resources. Outbound Filter can be applied to VPGs with Canal, Door, and Direct (using the direct route to your private network environment through VPC Peering Connections, VPN connections, or virtual interfaces), as well as VPGs where the Internet gateway is enabled.


By applying an Outbound Filter to your VPG, you can effectively prevent devices from communicating with untrusted servers, or protect data from being sent to unknown destinations.


Filter Rules

An Outbound Filter consists of one or more rules, with each rule containing the following parameters:

When a rule's action is set to allow, any traffic whose destination IP address falls within the rule's IP address range is permitted. Similarly, if the action is set to deny, that traffic is blocked.

If rules contain overlapping IP address ranges, the action for the CIDR block with the larger mask (or more specific IP address range) will be used for the filter behavior. For example, if a filter:

Then any traffic bound for 192.0.2.130 will be matched with the second rule 192.0.2.128/28 and the traffic will not be routed.


Configuration

You can configure a VPG's outbound filter rules from the User Console.

  1. Log in to the User Console. From the Menu, open the VPG screen.

  2. From the list of VPGs, click the name of the VPG you want to configure to open its settings page.

  3. Click the Advanced settings tab.

  4. From the VPG routing outbound filter panel, click the Add button to add a rule.

    Add Outbound Filter rule

  5. Enter the rule Action and IP Address Range.

    Rule configuration

  6. Repeat steps 4 and 5 for any additional rules. Then click Save.

Limitations

The Outbound Routing Filter cannot prevent communications to the following Soracom endpoints:

When using Soracom Gate, it is not possible to filter communications from the Gate Peer server to SIMs that belong to the VPG.


Programmatic Usage

You can use the Soracom API and Soracom CLI to configure Outbound Filter rules programmatically. Each rule should contain the following parameters:

For example, the following filter will prevent any devices attached to the VPG from communicating with a network resource in the 192.0.2.0/26 IP address range:

[
  {
    "action": "deny",
    "ipRange": "192.0.2.0/26"
  }
]

You can combine multiple rules to define additional routing behavior. For example, the following filter will allow traffic to be routed to destinations within the 192.0.2.128/25 IP address range, while preventing traffic from being routed to any other destination:

[
  {
    "action": "deny",
    "ipRange": "0.0.0.0/0"
  },
  {
    "action": "allow",
    "ipRange": "192.0.2.128/25"
  }
]
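To check how a filter like the ones above behaves before pushing it to a VPG, the following added example (not Soracom's own code) validates the rule JSON and applies the longest-prefix rule from the Filter Rules section: the most specific matching CIDR decides, and a destination matched by no rule is reported as such rather than assuming a default. The constructed sample filter's first rule (allow 192.0.2.0/24) is an assumption; the page only states that 192.0.2.130 is matched by the more specific 192.0.2.128/28 deny rule.

```python
import ipaddress
import json

# Constructed sample filter in the same JSON shape the page uses.
# The allow rule for 192.0.2.0/24 is assumed for illustration.
FILTER_JSON = """
[
  {"action": "allow", "ipRange": "192.0.2.0/24"},
  {"action": "deny",  "ipRange": "192.0.2.128/28"}
]
"""


def load_rules(text):
    """Parse and validate an Outbound Filter rule list, returning (network, action) pairs."""
    rules = json.loads(text)
    if not isinstance(rules, list) or not rules:
        raise ValueError("filter must be a non-empty JSON array of rules")
    parsed = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            raise ValueError(f"rule {i}: expected an object with action and ipRange")
        action = rule.get("action")
        if action not in ("allow", "deny"):
            raise ValueError(f"rule {i}: action must be 'allow' or 'deny', got {action!r}")
        # strict=True rejects a CIDR with host bits set, e.g. 192.0.2.130/28,
        # so a typo in a rule fails here instead of silently matching a wider block.
        net = ipaddress.ip_network(rule.get("ipRange"), strict=True)
        parsed.append((net, action))
    return parsed


def evaluate(rules, dst):
    """Return the action of the most specific (longest prefix) rule matching dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, action in rules:
        # 'in' returns False for mismatched IPv4/IPv6 versions, so mixed lists are safe.
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


if __name__ == "__main__":
    rules = load_rules(FILTER_JSON)
    for dst in ("192.0.2.130", "192.0.2.10", "198.51.100.1"):
        print(dst, "->", evaluate(rules, dst) or "no matching rule")
```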

Then, simply pass in the filter configuration to the Soracom API or Soracom CLI. For either method, you will need the VPG ID.

Soracom API

To access the Soracom API, first use the auth API to obtain an API Key and Token. Refer to the API Reference Guide for instructions on how to use the API Key and Token in API requests.

Then, use the setRoutingFilter API to set the Outbound Filter rules:

curl -X POST \
  -H 'X-Soracom-API-Key: <MY-API-KEY>' \
  -H 'X-Soracom-Token: <MY-TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '[
        {
          "action": "deny",
          "ipRange": "0.0.0.0/0"
        },
        {
          "action": "allow",
          "ipRange": "10.0.0.123/32"
        }
      ]' \
  https://g.api.soracom.io/v1/virtual_private_gateways/<VPG-ID>/set_routing_filter

Soracom CLI

To use the Soracom CLI, you must first configure it to authenticate with your account information, authorization key, or SAM user credentials.

Then, run the following command to set the Outbound Filter rules:

soracom vpg set-routing-filter --vpg-id '<VPG-ID>' --body '@path/to/filter.json' --coverage-type g

In this sample, we're using the @filename method to pass in the filter definition, which is stored in a separate file, but you can of course pass the raw JSON into the --body parameter directly.