Baseguard

Network Rules

Configure network access control rules

Network ACLs (Access Control Lists) define what traffic is allowed between nodes in your Baseguard network. Combined with tags, ACLs implement Baseguard's zero-trust security model.

How ACLs Work

ACLs work like a stateful firewall — rules define which nodes can initiate connections, and response traffic is automatically allowed. Rule order does not matter; if any rule matches the traffic, it is permitted.

Default Allow

When you create an organization, a Default ACL rule is automatically created that allows all traffic between all nodes (source: all, destination: all, protocol: ALL). This means new organizations start with full connectivity.

You can modify or delete this default rule to implement a more restrictive security posture.

Rule Matching

When a node sends traffic:

  1. The ACL engine checks the source and destination tags
  2. It matches them against the defined rules
  3. If a match is found, the traffic is allowed
  4. If no match is found, the traffic is denied

ACL Rule Structure

Each rule has these components:

Field             Description
Name              Descriptive name for the rule
Source Tags       Tags that identify source nodes
Destination Tags  Tags that identify destination nodes
Protocol          ALL, TCP, UDP, or ICMP
Ports             Port numbers or ranges (for TCP/UDP)

Creating ACL Rules

In the Console

  1. Navigate to Access Control and click the Network Rules tab
  2. Click Create Rule
  3. Fill in rule details:
    • Name
    • Source tags (leave empty for all nodes)
    • Destination tags (leave empty for all nodes)
    • Protocol
    • Ports (if applicable)
  4. Click Create Rule

Previewing ACL Rules

The Preview tab provides a visual representation of your ACL rules, showing how traffic flows between tags.

The preview displays:

  • Source tags on the left
  • ACL rules in the middle with protocol/port details
  • Destination tags on the right

Use this view to:

  • Verify rule configuration before deployment
  • Understand the overall access topology
  • Identify gaps or overlaps in your rules

Rule Examples

Allow All Traffic

Permit all traffic between all nodes:

Name: Allow All
Source Tags: (empty)
Destination Tags: (empty)
Protocol: ALL

Database Access

Allow app servers to reach databases:

Name: App to Database
Source Tags: app
Destination Tags: database
Protocol: TCP
Ports: 5432

SSH Access

Allow SSH from admin devices:

Name: Admin SSH
Source Tags: admin
Destination Tags: (empty)
Protocol: TCP
Ports: 22
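
The matching behaviour described on this page, modelled over the three example rules above. This is an added example, not Baseguard's own code or API: the `Rule` class and the function names are hypothetical, and it assumes a node matches a rule when it carries at least one of the rule's tags. It shows why an allow-all rule left in place makes every narrower rule redundant, since any single match permits the traffic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset      # empty set = all nodes, as in the console
    dst: frozenset
    protocol: str       # ALL, TCP, UDP or ICMP
    ports: tuple = ()   # (low, high) ranges; only used for TCP/UDP

def rule_matches(rule, src_tags, dst_tags, protocol, port=None):
    # Assumption: a node matches when it carries at least one of the rule's tags.
    if rule.src and not rule.src & src_tags:
        return False
    if rule.dst and not rule.dst & dst_tags:
        return False
    if rule.protocol == "ALL":
        return True
    if rule.protocol != protocol:
        return False
    if protocol in ("TCP", "UDP"):
        return port is not None and any(lo <= port <= hi for lo, hi in rule.ports)
    return True  # ICMP has no ports

def allowed_by(rules, src_tags, dst_tags, protocol, port=None):
    """Names of every rule permitting the flow; an empty list means denied."""
    return [r.name for r in rules
            if rule_matches(r, set(src_tags), set(dst_tags), protocol, port)]

def unrestricted(rules):
    """Rules equivalent to the Default ACL: all sources, all destinations, ALL."""
    return [r.name for r in rules
            if not r.src and not r.dst and r.protocol == "ALL"]

# The three rules from the examples above.
ALLOW_ALL = Rule("Allow All", frozenset(), frozenset(), "ALL")
APP_DB = Rule("App to Database", frozenset({"app"}), frozenset({"database"}), "TCP", ((5432, 5432),))
ADMIN_SSH = Rule("Admin SSH", frozenset({"admin"}), frozenset(), "TCP", ((22, 22),))

restricted = [APP_DB, ADMIN_SSH]
with_default = [ALLOW_ALL, APP_DB, ADMIN_SSH]

if __name__ == "__main__":
    flow = ({"web"}, {"database"}, "TCP", 5432)  # constructed flow
    print("restricted:  ", allowed_by(restricted, *flow) or "DENY")
    print("with default:", allowed_by(with_default, *flow) or "DENY")
    print("unrestricted rules:", unrestricted(with_default))
```
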

Protocol Options

Protocol  Description    Ports Field
ALL       All protocols  Not applicable
TCP       TCP traffic    Required
UDP       UDP traffic    Required
ICMP      Ping/ICMP      Not applicable

Managing ACLs

Editing Rules

  1. Click on a rule
  2. Modify fields as needed
  3. Click Save

Changes take effect immediately — the control plane pushes updates to all connected nodes.

Deleting ACLs

  1. Click on an ACL rule
  2. Click Delete
  3. Confirm deletion

Traffic previously allowed by this rule will be blocked unless another rule still matches it.

Troubleshooting

See Troubleshooting — Access Control Issues for solutions to traffic blocking, ACL matching, and testing problems.

See Also

  • Tags — Create and manage tags for access control
  • API Reference — Manage ACLs programmatically
  • Zero Trust — Understanding the security model
