Network Policy

Network Policies in AWS EKS (Real-Time Example)

Scenario: In XYZ Corp, different teams work on multiple applications inside Kubernetes. They want to restrict communication between workloads using Network Policies.

Step 1: Enable Network Policies on AWS EKS

🔹 AWS VPC CNI Plugin does not support Network Policies by default. 🔹 Use Calico CNI for Network Policy Support.

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

✅ Calico is now enabled!

Step 2: Restrict Traffic Between Namespaces

By default, all pods in Kubernetes can talk to each other.

Deny All Traffic in the Cluster (Default Policy)

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

✅ Now, all pods in default namespace are isolated.

Step 3: Allow Only Frontend → Backend Communication (Dev Team)

🔹 Frontend can talk to Backend, but not to DB.

✅ Now, only Frontend can talk to Backend on port 8080.

Step 4: Block External Access to QA Apps

🔹 QA applications should not be accessed from outside.

✅ Now, all pods in qa-team are blocked from external traffic.

Step 5: Allow Security Team to Monitor Logs

🔹 Security Team should access logs but not modify anything.

✅ Only security-team namespace can access logs over port 9200.

Step 6: Test the Network Policies

🔹 Check if frontend can access backend:

✅ Should work.

🔹 Check if frontend can access DB (which should fail):

❌ Should fail.

🔹 Check if external access to QA is blocked:

❌ Should fail.

Conclusion: Securing EKS with Network Policies

✔ Pods are isolated unless allowed ✔ Frontend can talk to backend, but not to DB ✔ QA apps are protected from external access ✔ Security team can access logs, nothing else

🚀 NEXT: Do you want to implement AWS WAF for more security?