Skip to content

Policy guide — overview

A policy is a single YAML file with several optional top-level groups (metadata, snat_overload, data_endpoint, object_groups, port_groups, hostname_groups) and one required block: rules. The engine loads the file, validates it, and compiles it into a single-pass packet classification and verdict engine with an inline L7 (SNI / Host) extractor.

metadata:
name: production-policy
description: Default-deny egress with a small allow-list
version: 1.4.0
snat_overload: enable # global masquerade for routed traffic
object_groups:
- name: corp-vpn
cidrs:
- 10.20.0.0/16
port_groups:
- name: web
protocol: tcp
ports:
- 80
- 443
hostname_groups:
- name: saas
hostnames:
- "**.atlassian.net"
- "**.slack.com"
rules:
- name: through-firewall
default_action: drop
rules:
- comment: Allow VPN users to SaaS apps
src: corp-vpn
dst: any
sni_hostname: saas
protocol: tcp
port: web
action: accept
log: true

Rules are evaluated in order, top-to-bottom per traffic section. The first match wins. If no rule matches, the section’s default_action is applied.

This guide is the policy-as-code counterpart to the Cloud Controller console workflow — same engine, same three sections, same first-match evaluation.

Enforza is a trading name of Synvu Limited, a company registered (15761962) in the United Kingdom. Registered office address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.