Information Flow Enforcement | Physical / Logical Separation of Information Flows
Warden ALLOW rules: Any Warden Server configuration allow rules. Set Warden Server configuration rules in the Droplet Execution Agent (DEA) configuration section of your deployment manifest.
Warden DENY rules: Any Warden Server configuration deny rules. Set Warden Server configuration rules in the DEA configuration section of your deployment manifest.
The DEA manages the Warden containers and controls both outbound and inbound network rules.
Application Security Groups
Cloud.Gov uses application security groups, which act as virtual firewalls, to control outbound traffic from the applications in a deployment. Cloud.Gov evaluates security groups and other network traffic rules in strict priority order. Cloud Foundry returns an allow, deny, or reject result for the first rule that matches the outbound traffic request parameters and does not evaluate any lower-priority rules; a permissive rule in a higher-priority set therefore cannot be overridden by a lower-priority deny rule. Cloud Foundry evaluates the network traffic rules for an application in the following order:
Security Groups: The rules described by the Default Staging set, the Default Running set, and all security groups bound to the space.
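The first-match evaluation described above, as an added example (not cloud.gov's or Cloud Foundry's code). The security group rules use the JSON shape that `cf create-security-group NAME rules.json` accepts (protocol, destination as a single IP, range or CIDR, and ports as a comma list or range); the rule contents, the Warden allow/deny CIDR lists and the outbound requests are constructed for this example, and the ordering of security groups before Warden deny, then Warden allow, then a hard-coded reject-all follows Cloud Foundry's documentation of that evaluation order.

```python
"""Added example: first-match evaluation of outbound traffic against
Cloud Foundry-style application security groups and Warden rules.
Not cloud.gov's or Cloud Foundry's code; all rule data is constructed."""
import ipaddress
import json

# Constructed rule sets in the order the page lists them: Default Staging,
# Default Running, then every security group bound to the space.
DEFAULT_STAGING = json.loads("""[
  {"protocol": "tcp", "destination": "0.0.0.0/0", "ports": "80,443",
   "description": "fetch buildpack dependencies during staging"}
]""")
DEFAULT_RUNNING = json.loads("""[
  {"protocol": "tcp", "destination": "10.0.11.0/24", "ports": "5432",
   "description": "managed database subnet"},
  {"protocol": "udp", "destination": "10.0.0.2", "ports": "53"}
]""")
SPACE_BOUND = json.loads("""[
  {"protocol": "tcp", "destination": "192.168.100.10-192.168.100.20",
   "ports": "8080-8090", "log": true}
]""")
SECURITY_GROUPS = [DEFAULT_STAGING, DEFAULT_RUNNING, SPACE_BOUND]

# Constructed Warden lists (CIDR strings); consulted only after every
# security group has failed to match.
WARDEN_DENY = ["10.0.0.0/8", "169.254.169.254/32"]
WARDEN_ALLOW = ["172.16.5.0/24"]


def destination_matches(destination, ip):
    """Match an ASG destination: single IP, "lo-hi" range, or CIDR."""
    addr = ipaddress.ip_address(ip)
    if "-" in destination:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in destination.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(destination, strict=False)


def port_matches(ports, port):
    """Match an ASG ports field: "80,443", "8080-8090", or absent (any)."""
    if ports is None:
        return True
    for part in str(ports).split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def rule_matches(rule, ip, port, protocol):
    if rule["protocol"] != "all" and rule["protocol"] != protocol:
        return False
    if not destination_matches(rule["destination"], ip):
        return False
    # Ports only apply to tcp/udp; icmp and "all" rules carry none.
    if protocol in ("tcp", "udp") and not port_matches(rule.get("ports"), port):
        return False
    return True


def evaluate(ip, port, protocol="tcp", security_groups=SECURITY_GROUPS,
             warden_deny=WARDEN_DENY, warden_allow=WARDEN_ALLOW):
    """Return (result, reason) for the first matching rule.

    Security groups are allow-only and come first, then Warden deny rules,
    then Warden allow rules, then the hard-coded reject-all. Nothing after
    the first match is evaluated.
    """
    addr = ipaddress.ip_address(ip)
    for group in security_groups:
        for rule in group:
            if rule_matches(rule, ip, port, protocol):
                return "allow", f"security group rule {rule['destination']}"
    for net in warden_deny:
        if addr in ipaddress.ip_network(net, strict=False):
            return "deny", f"warden deny {net}"
    for net in warden_allow:
        if addr in ipaddress.ip_network(net, strict=False):
            return "allow", f"warden allow {net}"
    return "reject", "hard-coded reject-all"


if __name__ == "__main__":
    # Constructed outbound requests: (destination IP, port, protocol).
    for ip, port, proto in [("10.0.11.5", 5432, "tcp"), ("10.0.11.5", 22, "tcp"),
                            ("8.8.8.8", 443, "tcp"), ("8.8.8.8", 22, "tcp"),
                            ("172.16.5.9", 9000, "tcp"),
                            ("169.254.169.254", 80, "tcp")]:
        result, reason = evaluate(ip, port, proto)
        print(f"{proto} {ip}:{port} -> {result} ({reason})")
```

The last request in the demo is the point to notice: the constructed Warden deny entry for 169.254.169.254/32 never runs, because the wide-open port 80/443 rule in the Default Staging set matches first and evaluation stops. Restricting egress therefore has to happen in the security groups themselves (narrow destinations and ports in the default sets), not in a lower-priority deny list.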
Amazon Virtual Private Cloud
The virtual private cloud logically separates the hosted services from other information systems within its environment. Any service built using AWS VPC resides within its own virtual private network and may have its own dedicated Elastic Load Balancers for incoming traffic.