AS-301b · Module 2
Network Policy as Code
3 min read
Network policies that live in a firewall UI are policies that drift. Policies that live in version-controlled code are policies that are reviewed, audited, and tracked over time. Network policy as code means your microsegmentation rules, service mesh configurations, and traffic policies are defined in declarative files (Kubernetes NetworkPolicy manifests in YAML, cloud security groups in Terraform HCL, admission and validation rules in Rego for OPA), stored in a git repository, reviewed through pull requests, and deployed only through CI/CD pipelines.
The advantages are structural. Every policy change has a commit message explaining why. Every policy change has a reviewer who approved it. Every policy change can be rolled back to a known-good state. The audit trail is the git log together with the pull request record: the commit carries the author and timestamp, the pull request carries the approval, so protect the branch, allow merges only through reviewed pull requests, and require signed commits if the author field has to be trustworthy. When an auditor asks "who approved this network change and when," the answer is a commit hash with a timestamp, an author, and a reviewer. The trail is only complete if the pipeline is the sole write path to the enforcement point and the running state is periodically reconciled against the repository; a change made out of band is exactly the drift this approach exists to eliminate.
Do This
- Define all network policies in declarative code files stored in version control
- Require pull request review for every policy change — no direct edits to running configuration
- Run automated policy validation in CI — check for overly permissive rules, missing deny defaults, and syntax errors before deployment
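The CI validation step, as an added example that is not part of this module or of any particular tool: a Python linter for Kubernetes NetworkPolicy manifests that implements the three checks listed above (overly permissive rules, missing default-deny, malformed documents) and exits non-zero so the pipeline fails. The manifests, namespaces and names are constructed samples; the convention that every namespace carrying policy must also carry a deny-all policy for both ingress and egress is an assumption chosen for the example. Manifests are embedded as JSON because Kubernetes accepts JSON manifests and yaml.safe_load on the YAML form yields identical dicts; a real pipeline would load every file under the policy directory instead.

```python
"""Added example (not the module's own tooling): CI linter for Kubernetes
NetworkPolicy manifests. Checks permissive rules, missing default-deny,
and malformed documents. Sample manifests below are constructed."""
import json

ANY_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample policies: two sound ones, one allow-all egress rule,
# one ingress open to the whole internet, and one malformed document.
SAMPLE_MANIFESTS = json.loads("""[
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "default-deny", "namespace": "payments"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "allow-api-from-gateway", "namespace": "payments"},
  "spec": {"podSelector": {"matchLabels": {"app": "api"}},
           "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "gateway"}}}],
                        "ports": [{"protocol": "TCP", "port": 8443}]}]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "allow-all-egress", "namespace": "payments"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "db-from-anywhere", "namespace": "billing"},
  "spec": {"podSelector": {"matchLabels": {"app": "db"}},
           "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "broken", "namespace": "billing"},
  "spec": {"ingress": []}}
]""")


def effective_policy_types(spec):
    """Apply the API default: Ingress always, Egress only if an egress section exists."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def is_default_deny(spec, direction):
    """Empty podSelector + direction in policyTypes + no rules for it == deny all."""
    return (spec.get("podSelector") == {}
            and direction in effective_policy_types(spec)
            and not spec.get(direction.lower()))


def rule_findings(section, rules, peer_key):
    """Flag rules that reach every peer, the whole internet, or every namespace."""
    out = []
    for i, rule in enumerate(rules or []):
        peers = rule.get(peer_key)
        if not peers:
            # Kubernetes semantics: a rule with no from/to matches every peer.
            out.append(f"{section}[{i}] has no '{peer_key}' clause and matches every peer")
            continue
        for peer in peers:
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr in ANY_CIDRS:
                out.append(f"{section}[{i}] ipBlock {cidr} matches the whole internet")
            if peer.get("namespaceSelector") == {} and "podSelector" not in peer:
                out.append(f"{section}[{i}] empty namespaceSelector matches every pod in every namespace")
    return out


def validate(manifests, required_namespaces=()):
    """Return a list of findings; an empty list means the policy set passes."""
    findings, seen_ns = [], set(required_namespaces)
    deny = {"Ingress": set(), "Egress": set()}
    for m in manifests:
        if m.get("kind") != "NetworkPolicy":
            continue
        meta = m.get("metadata") or {}
        ns, name = meta.get("namespace"), meta.get("name")
        spec = m.get("spec") or {}
        tag = f"{ns or '?'}/{name or '?'}"
        if (m.get("apiVersion") != "networking.k8s.io/v1" or not ns or not name
                or "podSelector" not in spec):
            findings.append(f"{tag}: malformed NetworkPolicy (need apiVersion "
                            "networking.k8s.io/v1, metadata.name/namespace, spec.podSelector)")
            continue
        seen_ns.add(ns)
        for t in effective_policy_types(spec):
            if t not in deny:
                findings.append(f"{tag}: unknown policyType {t!r}")
            elif is_default_deny(spec, t):
                deny[t].add(ns)
        for section, key in (("ingress", "from"), ("egress", "to")):
            findings += [f"{tag}: {f}" for f in rule_findings(section, spec.get(section), key)]
    # Assumed convention: every namespace carrying policy (or listed as required)
    # must also carry deny-by-default in both directions.
    for ns in sorted(seen_ns):
        for t in ("Ingress", "Egress"):
            if ns not in deny[t]:
                findings.append(f"namespace {ns}: no default-deny {t} policy")
    return findings


if __name__ == "__main__":
    problems = validate(SAMPLE_MANIFESTS)
    print("\n".join(problems) or "all policies pass")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the CI job
```

Run it as a pipeline step before the deploy stage; on the constructed sample it reports the allow-all egress rule, the 0.0.0.0/0 ingress, the malformed document, and the missing default-deny policies in the billing namespace, and exits 1. The default-deny check deliberately uses the API's own defaulting for policyTypes, so a policy that omits policyTypes but has an empty podSelector and no ingress rules still counts as deny-all ingress.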
Avoid This
- Manage network policies through a web UI with no change tracking — every undocumented change is a potential security gap
- Allow direct edits to production policy without review — speed is not worth the risk of an accidental permissive rule
- Treat policy code as infrastructure only — it is a security artifact that requires security review