# Use IP network and service names from Aerleon

Invariant natively supports network and service definition files in the Aerleon format. Place your definition files in the `def/` directory of your snapshot:

```
snapshot/
└── def/
    ├── networks.yaml
    └── services.yaml
```
## Example Network Definitions

`invariant/def/networks.yaml`:

```yaml
networks:
  DB_SERVERS:
    values:
      - address: 10.50.1.10/32
      - address: 10.50.1.11/32
  RFC1918:
    values:
      - name: RFC1918_10_SPACE   # Include other network
      - name: RFC1918_172_SPACE
      - name: RFC1918_192_SPACE
  RFC1918_10_SPACE:
    values:
      - address: 10.0.0.0/8
  RFC1918_172_SPACE:
    values:
      - address: 172.16.0.0/12
  RFC1918_192_SPACE:
    values:
      - address: 192.168.0.0/16
```
## Example Service Definitions

`invariant/def/services.yaml`:

```yaml
services:
  HIGH_PORTS:
    values:
      - port: 1024-65535
        protocol: tcp udp
  SSH:
    values:
      - port: 22
        protocol: tcp
```
Services can include other services by name:

`invariant/def/services.yaml`:

```yaml
services:
  NMSP:
    - name: NMSP_537
    - name: NMSP_1790
  NMSP_1790:
    - port: 1790
      protocol: tcp
    - port: 1790
      protocol: udp
  NMSP_537:
    - port: 537
      protocol: tcp
    - port: 537
      protocol: udp
```
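To see how nested names expand, here is an added Python example (not Invariant's or Aerleon's own code) that resolves definitions like the ones above into concrete prefixes and port/protocol pairs, rejecting undefined names and reference cycles. The dicts are constructed for the example and mirror the page's YAML as a YAML loader would return it, so no YAML library is needed to run it.

```python
import ipaddress

# Constructed sample input: mirrors the page's networks.yaml and services.yaml
# as a YAML loader would return them (no yaml dependency needed to run this).
NETWORKS = {
    "DB_SERVERS": {"values": [{"address": "10.50.1.10/32"}, {"address": "10.50.1.11/32"}]},
    "RFC1918": {"values": [{"name": "RFC1918_10_SPACE"}, {"name": "RFC1918_172_SPACE"},
                           {"name": "RFC1918_192_SPACE"}]},
    "RFC1918_10_SPACE": {"values": [{"address": "10.0.0.0/8"}]},
    "RFC1918_172_SPACE": {"values": [{"address": "172.16.0.0/12"}]},
    "RFC1918_192_SPACE": {"values": [{"address": "192.168.0.0/16"}]},
}
SERVICES = {  # both spellings shown on the page: with and without a "values:" key
    "HIGH_PORTS": {"values": [{"port": "1024-65535", "protocol": "tcp udp"}]},
    "SSH": {"values": [{"port": 22, "protocol": "tcp"}]},
    "NMSP": [{"name": "NMSP_537"}, {"name": "NMSP_1790"}],
    "NMSP_1790": [{"port": 1790, "protocol": "tcp"}, {"port": 1790, "protocol": "udp"}],
    "NMSP_537": [{"port": 537, "protocol": "tcp"}, {"port": 537, "protocol": "udp"}],
}

def _entries(defs, kind, name, seen):
    """Look up one definition, rejecting undefined names and reference cycles."""
    if name in seen:
        raise ValueError(f"{kind} cycle: {' -> '.join(seen + (name,))}")
    if name not in defs:
        raise ValueError(f"undefined {kind}: {name}")
    d = defs[name]
    return d["values"] if isinstance(d, dict) else d

def resolve_network(name, defs=NETWORKS, seen=()):
    """Expand a network name into a sorted list of ip_network objects."""
    nets = set()
    for e in _entries(defs, "network", name, seen):
        if "name" in e:  # nested reference, e.g. RFC1918 -> RFC1918_10_SPACE
            nets.update(resolve_network(e["name"], defs, seen + (name,)))
        else:  # strict=True rejects host bits set in a prefix (a common typo)
            nets.add(ipaddress.ip_network(e["address"], strict=True))
    return sorted(nets, key=lambda n: (n.version, n.network_address, n.prefixlen))

def resolve_service(name, defs=SERVICES, seen=()):
    """Expand a service name into a sorted list of (port, protocol) tuples."""
    svc = set()
    for e in _entries(defs, "service", name, seen):
        if "name" in e:  # nested reference, e.g. NMSP -> NMSP_537
            svc.update(resolve_service(e["name"], defs, seen + (name,)))
        else:  # "protocol: tcp udp" yields one entry per listed protocol
            svc.update((str(e["port"]), p) for p in str(e["protocol"]).split())
    return sorted(svc)

def address_in_network(addr, name):
    """True if addr falls inside any prefix the named network expands to."""
    return any(ipaddress.ip_address(addr) in n for n in resolve_network(name))
```

Running the resolver over a snapshot's `def/` files before a verification run surfaces typos in names and accidental self-references that would otherwise make a rule match nothing.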
Reference these named definitions directly in your Invariant access policy rules:

`invariant/policies/my_policy.yaml`:

```yaml
access-policy:
  - name: db-access
    ingress-network: DB_SERVERS   # Use named network
    rules:
      - type: ingress-deny
        source-address: RFC1918   # Use named network
        destination-port: SSH     # Use named service
```
Built-in definitions for common IP networks (like RFC1918) and IANA well-known services are loaded automatically by Invariant; see *Reference well-known networks and services in Invariant*.

See *Access Policy* for more details on writing rules.