Policy guide — overview
A policy is a single YAML file with several optional top-level groups
(metadata, snat_overload, data_endpoint, object_groups, port_groups,
hostname_groups) and one required block: rules. The engine loads the file,
validates it, and compiles it into a single-pass packet classification and
verdict engine with an inline L7 (SNI / Host) extractor.
metadata: name: production-policy description: Default-deny egress with a small allow-list version: 1.4.0
snat_overload: enable # global masquerade for routed traffic
object_groups: - name: corp-vpn cidrs: - 10.20.0.0/16
port_groups: - name: web protocol: tcp ports: - 80 - 443
hostname_groups: - name: saas hostnames: - "**.atlassian.net" - "**.slack.com"
rules: - name: through-firewall default_action: drop rules: - comment: Allow VPN users to SaaS apps src: corp-vpn dst: any sni_hostname: saas protocol: tcp port: web action: accept log: trueRules are evaluated in order, top-to-bottom per traffic section. The first
match wins. If no rule matches, the section’s default_action is applied.
Where to go next
Section titled “Where to go next”- rules (traffic sections) — the three direction sections and their default actions.
- Rule fields — every field a single rule can carry.
- Group references: object_groups · port_groups · hostname_groups.
- SNI / hostname matching — the wildcard grammar.
This guide is the policy-as-code counterpart to the Cloud Controller console workflow — same engine, same three sections, same first-match evaluation.