# skip boilerplate check
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.

ingress:
  allow-hc-nva-ssh-dmz:
    description: "Allow traffic from Google healthchecks to NVA appliances"
    source_ranges:
      - healthchecks
    rules:
      - protocol: tcp
        ports:
          - 22
  # these are not really needed, but it's good to have them
  # in place if the more generic hierarchical firewall policies
  # get deleted
  allow-ncc-nva-bgp-dmz:
    description: "Allow BGP traffic from NCC Cloud Routers to NVAs"
    source_ranges:
      - ncc_cloud_routers_dmz
    targets: ["nva"]
    rules:
      - protocol: tcp
        ports:
          - 179
  allow-nva-nva-bgp-dmz:
    description: "Allow BGP traffic from cross-regional NVAs"
    sources: ["nva"]
    targets: ["nva"]
    rules:
      - protocol: tcp
        ports:
          - 179