Outbound Filter

The VPG Outbound Filter option allows you to specify a whitelist or blacklist of IP address ranges where outgoing traffic can or cannot be routed, and in turn ensure that your devices are not allowed to access unauthorized resources. Outbound Filter can be applied to VPGs with Canal, Door, and Direct (using the direct route to your private network environment through VPC Peering Connections, VPN connections, or virtual interfaces), as well as VPGs where the Internet gateway is enabled.

By applying an Outbound Filter to your VPG, you can effectively prevent devices from communicating with untrusted servers, or protect data from being sent to unknown destinations.


Filter Rules

An Outbound Filter consists of one or more rules, with each rule containing the following parameters:

Single Rule

For example, the following filter will prevent any devices attached to the VPG from communicating with a network resource in the 192.0.2.0/26 IP address range:

[
  {
    "action": "deny",
    "ipRange": "192.0.2.0/26"
  }
]

Multiple Rules

You can combine multiple rules to define additional routing behavior. For example, the following filter will allow traffic to be routed to destinations within the 192.0.2.128/25 IP address range, while preventing traffic from being routed to any other destination:

[
  {
    "action": "deny",
    "ipRange": "0.0.0.0/0"
  },
  {
    "action": "allow",
    "ipRange": "192.0.2.128/25"
  }
]

Overlapping Ranges

If rules contain overlapping IP address ranges, the action for the CIDR block with the larger mask (or more specific IP address range) will be used for the filter behavior. For example, if a filter:

Then any traffic bound for 192.0.2.130 will be matched with the second rule 192.0.2.128/28 and the traffic will not be routed.
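The most-specific-range behavior described above can be checked offline before a filter is applied. The following is an added example, not Soracom's code: the names load_rules, decide, and SAMPLE_FILTER are hypothetical, the sample filter is constructed, and because this page does not state what happens when no rule matches, decide returns None in that case.

```python
import ipaddress
import json

# Constructed sample filter (not from the page): a broad allow with a
# narrower deny carved out of it.
SAMPLE_FILTER = json.loads("""
[
  {"action": "allow", "ipRange": "192.0.2.128/25"},
  {"action": "deny",  "ipRange": "192.0.2.128/28"}
]
""")


def load_rules(rules):
    """Parse rules into (network, action) pairs, rejecting malformed input."""
    parsed = {}
    for rule in rules:
        action = rule["action"]
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        # strict=True: host bits set in ipRange are treated as a likely typo
        # (a choice made by this example).
        net = ipaddress.ip_network(rule["ipRange"], strict=True)
        # Two rules for the same range with different actions have no
        # "more specific" winner, so flag them instead of guessing.
        if parsed.get(net, action) != action:
            raise ValueError(f"conflicting actions for {net}")
        parsed[net] = action
    return list(parsed.items())


def decide(rules, destination):
    """Return the action of the most specific matching rule, or None."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, action) for net, action in load_rules(rules) if addr in net]
    if not matches:
        return None  # the page does not state a default; left to the caller
    # Longest prefix (largest mask) wins, regardless of rule order.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    for dest in ("192.0.2.130", "192.0.2.200", "198.51.100.7"):
        print(dest, "->", decide(SAMPLE_FILTER, dest))
```

Running a list of destinations your devices must reach, and a list they must never reach, through decide before calling the API catches a narrower rule that silently overrides a broader one.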


Configuration

At this time, the Outbound Filter option must be configured using the Soracom API or Soracom CLI.

To set an Outbound Filter for a VPG, simply pass in the filter configuration to the Soracom API or Soracom CLI. In either method, you will need the VPG ID.

Soracom API

curl -X POST \
  -H 'X-Soracom-API-Key: <my-api-key>' \
  -H 'X-Soracom-Token: <my-token>' \
  -H 'Content-Type: application/json' \
  -d '[
        {
          "action": "deny",
          "ipRange": "0.0.0.0/0"
        },
        {
          "action": "allow",
          "ipRange": "10.0.0.123/32"
        }
      ]' \
  https://g.api.soracom.io/v1/virtual_private_gateways/{vpg_id}/set_routing_filter

Make sure to replace {vpg_id} with your VPG's ID in the request path.

For more information, refer to the setRoutingFilter API documentation.

Soracom CLI

soracom vpg set-routing-filter --vpg-id '<vpg_id>' --body '@path/to/filter.json' --coverage-type g

In this sample, we're using the @filename method for passing in the filter definition which is stored in a separate file, but you can of course pass the raw data into the --body parameter directly.