Skip to main content
Calico Cloud documentation

Global network set

A global network set resource (GlobalNetworkSet) represents an arbitrary set of IP subnetworks/CIDRs, allowing it to be matched by Calico Cloud policy. Network sets are useful for applying policy to traffic coming from (or going to) external, non-Calico Cloud, networks.

GlobalNetworkSets can also include domain names, whose effect is to allow egress traffic to those domain names, when the GlobalNetworkSet is matched by the destination selector of an egress rule with action Allow. Domain names have no effect in ingress rules, or in a rule whose action is not Allow.

note

Calico Cloud implements policy for domain names by learning the corresponding IPs from DNS, then programming rules to allow those IPs. This means that if multiple domain names A, B and C all map to the same IP, and there is domain-based policy to allow A, traffic to B and C will be allowed as well.

The metadata for each network set includes a set of labels. When Calico Cloud is calculating the set of IPs that should match a source/destination selector within a global network policy rule, or within a network policy rule whose namespaceSelector includes global(), it includes the CIDRs from any network sets that match the selector.

note

Since Calico Cloud matches packets based on their source/destination IP addresses, Calico Cloud rules may not behave as expected if there is NAT between the Calico Cloud-enabled node and the networks listed in a network set. For example, in Kubernetes, incoming traffic via a service IP is typically SNATed by the kube-proxy before reaching the destination host so Calico Cloud's workload policy will see the kube-proxy's host's IP as the source instead of the real source. For kubectl commands, the following case-insensitive aliases may be used to specify the resource type on the CLI: globalnetworkset.projectcalico.org, globalnetworksets.projectcalico.org and abbreviations such as globalnetworkset.p and globalnetworksets.p.

Sample YAML

apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
name: a-name-for-the-set
labels:
role: external-database
spec:
nets:
- 198.51.100.0/28
- 203.0.113.0/24
allowedEgressDomains:
- db.com
- '*.db.com'

Global network set definition

Metadata

FieldDescriptionAccepted ValuesSchema
nameThe name of this network set.Lower-case alphanumeric with optional - or -.string
labelsA set of labels to apply to this endpoint.map

Spec

FieldDescriptionAccepted ValuesSchemaDefault
netsThe IP networks/CIDRs to include in the set.Valid IPv4 or IPv6 CIDRs, for example "192.0.2.128/25"list
allowedEgressDomainsThe list of domain names that belong to this set and are honored in egress allow rules only. Domain names specified here only work to allow egress traffic from the cluster to external destinations. They don't work to deny traffic to destinations specified by domain name, or to allow ingress traffic from sources specified by domain name.List of exact or wildcard domain nameslist

Exact and wildcard domain names

When a configured domain name has no wildcard (*), it matches exactly that domain name. For example:

  • microsoft.com
  • tigera.io

With a single asterisk in any part of the domain name, it matches 1 or more path components at that position. For example:

  • *.google.com matches www.google.com and www.ipv6.google.com, but not google.com
  • www.*.com matches www.sun.com and www.apple.com, but not www.com
  • update.*.mycompany.com matches update.tools.mycompany.com, update.secure.suite.mycompany.com, and so on

Not supported are:

  • Multiple wildcards in the same domain, for example: *.*.mycompany.com
  • Asterisks that are not the entire component, for example: www.g*.com
  • More general wildcards, such as regular expressions