To control access to the microservices in your application inside a global namespace, you can create access control policies through the Tanzu Service Mesh Console UI.

An access control policy determines which Layer 4 and Layer 7 requests are allowed and which are denied.

Prerequisites

Procedure

  1. In the navigation panel on the left, select New Workflow > New Policy > New Access Control Policy.

    Alternatively, you can create the autoscaling policy by navigating to the panel on the left and selecting Policies > Autoscaling Policy. In the upper-right corner of the Autoscaling Policy page, click New Policy.



  2. In the New Access Control Policy window, provide a name for the access control policy that is not already in use. Optionally add a description.
  3. Select a global namespace from the GNS Scope dropdown menu.
  4. Select a source group from the Source Services dropdown menu. Click Add Source Group to add multiple source groups.
  5. Select a destination group from the Destination Services dropdown menu. Click Add Destination Group to add multiple destination groups.
  6. Select the Policy Intent dropdown to choose whether you want to allow or deny traffic between the source and destination groups.

    Allow: Tanzu Service Mesh permits traffic using the type of authentication you applied to the policy.

    Deny: Tanzu Service Mesh silently drops all packets for the session and does not send any active control messages such as TCP resets or ICMP unreachable.

    You can choose to allow or deny all traffic or specific traffic as follows:

    Specific TCP Connections: You can allow or deny traffic for specific TCP connections. Select Allow or Deny and select Specific TCP Connections from the dropdown menu. From the Ports dropdown, choose either All Ports or Specific Ports.

    • Specific Ports: Choose either Single Port and enter the port number, or select Port Range and enter the range of port numbers for which you wish to allow or deny traffic.

    • Click Add TCP Port to add multiple port numbers or ranges.



    Specific HTTP Requests: You can allow or deny specific HTTP requests by selecting Specific HTTP Requests from the Policy Intent dropdown.

    Methods: Choose either All Methods or Specific Methods. For Specific Methods, select the methods that you wish to allow from the given list.

    Paths: Select All Paths or Specific Paths from the dropdown menu. For Specific Paths, enter the exact path by choosing Path is Exactly or select Path Starts With and enter the starting parameter of the path.

    Hostnames: Select All Hostnames or Specific Hostnames from the dropdown menu. For Specific Hostnames, enter the specific hostname. You can also enter it in the wildcard format.



  7. Click Next.
  8. On the Summary page, review the access control policy and click Save.
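
To sanity-check the match conditions chosen in step 6 before saving, the following added example (not part of the original page and not Tanzu Service Mesh code) models them locally. The rule classes, the plain string-prefix path matching and the glob-style hostname wildcard are assumptions, and the sample requests are constructed.

```python
# Added illustration: local model of the New Access Control Policy match options.
# Not Tanzu Service Mesh code; prefix and wildcard semantics are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class HttpRule:
    intent: str                           # "allow" or "deny" (Policy Intent)
    methods: Optional[frozenset] = None   # None models "All Methods"
    path: Optional[str] = None            # None models "All Paths"
    path_mode: str = "exact"              # "exact" = Path is Exactly, "prefix" = Path Starts With
    hostname: Optional[str] = None        # None models "All Hostnames"; may be a wildcard

    def matches(self, method, path, host):
        if self.methods is not None and method.upper() not in self.methods:
            return False
        if self.path is not None:
            hit = path == self.path if self.path_mode == "exact" else path.startswith(self.path)
            if not hit:
                return False
        if self.hostname is not None:
            return fnmatchcase(host.lower(), self.hostname.lower())
        return True


@dataclass
class TcpRule:
    intent: str
    ports: tuple = ()                     # () models "All Ports"; items are inclusive (low, high)

    def matches(self, port):
        return not self.ports or any(lo <= port <= hi for lo, hi in self.ports)


def review(rule, samples):
    """Return the constructed sample requests that the planned rule would match."""
    return [s for s in samples if rule.matches(*s)]


# Constructed sample traffic for a planned deny rule on an admin path.
SAMPLES = [
    ("GET", "/admin", "shop.example.internal"),
    ("GET", "/admin/users", "shop.example.internal"),
    ("GET", "/administrator", "shop.example.internal"),
    ("POST", "/cart", "shop.example.internal"),
]
exact = HttpRule("deny", path="/admin", path_mode="exact")
prefix = HttpRule("deny", path="/admin", path_mode="prefix", hostname="*.example.internal")
```

Under these assumed semantics, `review(prefix, SAMPLES)` also returns the `/administrator` request, so a Path Starts With value is worth checking against neighbouring paths before the policy is saved.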

Results

The new access control policy appears on the Access Control Policies page. Expand a specific access control policy to view more details.



What to do next

To edit an existing access control policy, perform these steps:

  1. On the Access Control Policies page, click the vertical three dots to the right of the desired access control policy.

  2. On the menu, click Edit Configuration.

  3. To advance through the configuration pages after making changes, click Next.



To delete an access control policy that you no longer need, perform these steps:

  1. Click the vertical three dots to the right of the access control policy.

  2. On the menu, click Delete.

Note:

You can define an access control policy through the Tanzu Service Mesh Console UI before an application is deployed.

To see an access control policy at work in the Tanzu Service Mesh Console UI, perform these steps:

  1. In the navigation panel on the left, click Home.

  2. On the Home page, click the GNS Overview tab.

  3. Click the global namespace that contains the services with access control policies.

  4. Click the Policies tab to see the list of access control policies for the particular global namespace.