L4 egress: restrict by CIDR and port(s)
You can restrict egress by IP ranges (CIDRs) and/or by specific ports or port ranges. Use CIDR restrictions when you want to limit destinations by address space; usetoPorts for port-based filtering regardless of destination.
Example: allow egress to two specific CIDR ranges, and also allow a broad CIDR but exclude a few subnets/addresses.
toPorts:
app: app1 to make TCP connections only on port 80 to any IP.
Terminal checks from inside an app1 pod (examples):
Port ranges
Allow a contiguous port range usingendPort (inclusive):
Combine L3 (endpoints/CIDR) with L4 (ports)
For precise allowances, combinetoEndpoints (L3 pod selectors) or toCIDR with toPorts. Example: allow app1 to talk to app2 only on TCP port 80.
- app1 -> app2 on TCP/80: allowed
- app1 -> app2 on other ports (e.g., 90): blocked
- app1 -> any other pod: blocked (regardless of port)
L4 with CIDR destinations
You can combine L4 and L3-by-CIDR — for example, permit app1 to contact IPs in a subnet only on a specific port.Egress policies are deny-by-default: when you add egress rules, Cilium blocks anything not explicitly allowed. Common control-plane traffic (for example DNS) will be blocked unless you permit it.
DNS gets blocked by default — add an explicit rule
Because egress is deny-by-default, restrictive egress policies often break DNS resolution inside pods. You must explicitly allow DNS to the cluster’s DNS service (typically CoreDNS) on port 53. Example symptom after applying a restrictive policy:- Find CoreDNS pod labels:
- Create a namespaced policy that permits egress from app1 to the CoreDNS pods on port 53. DNS often uses UDP/TCP, so
protocol: ANYis acceptable:
If you forget to allow DNS, many higher-level application behaviors will fail (package downloads, image pulls inside pods, service discovery, etc.). Always include DNS allowances when applying restrictive egress policies.
L7: DNS filtering (match names / patterns)
Cilium’s L7 rules can match DNS queries by name or pattern. Userules.dns to allow only specific domain names to be resolved.
Example: allow only *.google.com and yahoo.com queries from app1 to CoreDNS:
- Queries for *.google.com and yahoo.com: allowed
- Queries for other domains (e.g., amazon.com): refused/blocked
L7: HTTP filtering (method, path, headers, host)
Cilium can perform HTTP-aware L7 filtering. You can allow or deny requests based on HTTP method, path, headers, and host. The following policy lets only GET /auth requests from app1 to app2 on port 80.- Start packet capture or application logs on app2 to observe incoming requests.
- From app1:
- curl http://<app2-ip>/auth => allowed
- curl http://<app2-ip>/products => blocked by L7 policy
Ingress from other pods and external entities
Ingress policies follow the same selector patterns. Example: allow ingress to app1 only from pods labeledapp: app2:
fromEntities to allow traffic from those external sources:
fromEntities: ["world"] (or another appropriate ingress allowance).
Cilium Cluster-wide Network Policies (CCNP)
A CiliumClusterwideNetworkPolicy (CCNP) applies across all namespaces. Use a CCNP when you want the same policy to affect pods in every namespace — for example, to allow DNS cluster-wide. Example: allow all pods cluster-wide to query CoreDNS on port 53:- A namespaced CiliumNetworkPolicy applies only to pods in that namespace. A CCNP applies cluster-wide.
- To include or exclude specific namespaces in endpoint selectors, use the
k8s.io.kubernetes.pod.namespacelabel infromEndpoints/toEndpoints.
Quick reference: L3 vs L4 vs L7
| Layer | What it controls | Cilium fields | Common use cases |
|---|---|---|---|
| L3 (Network) | Destination IPs / pods | toCIDR, toCIDRSet, toEndpoints | Restrict to specific pods or subnets |
| L4 (Transport) | Ports and protocols | toPorts, port, endPort | Allow only specific TCP/UDP ports or ranges |
| L7 (Application) | Protocol methods, paths, DNS names | rules: { http:, dns: } | HTTP method/path filtering, DNS name filtering |
Summary
- Use
toPortsfor L4 port-based restrictions andtoCIDR/toEndpointsfor L3 (IP/pod) restrictions. - Combine L3 + L4 to express fine-grained policies (e.g., app1 → app2 on TCP/80).
- Cilium policies are deny-by-default for egress; always explicitly allow control-plane traffic such as DNS.
- Cilium supports L7 policies (DNS, HTTP, etc.) for application-aware controls.
- Use CiliumClusterwideNetworkPolicy to apply consistent rules cluster-wide.
Links and references
- Cilium Network Policy documentation: https://docs.cilium.io/en/stable/policy/
- Kubernetes DNS (CoreDNS) overview: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
- Kubernetes Services: https://kubernetes.io/docs/concepts/services-networking/service/