How it works...

We have created a very basic regular contract to provide to another tenant. There are other types of contracts we can create. Taboo contracts are used to deny and log traffic. Like conventional access control lists to deny traffic, these need to come first. An example would be where we are permitting a large number of ports and want to deny one or two particular ports; we would do this with a taboo contract to deny the traffic, created before the regular contract permitting the entire range.

In this recipe, we added a couple of labels. Labels allow us to classify what objects can talk to each other. Label matching is performed first, and if no label matches, then no other contract or filter information is processed. The label-matching attribute can be all, none, at least one, or exactly one.

While filters specify the fields to match on between layer 2 and layer 4, the subject can specify the actual direction of the traffic (unidirectional or bidirectional).

The contract we created was not that exciting but offers a building block onto which we can add more filters.