Outgoing traffic configuration

We created an application to manage a cloudformation stack in AWS. The whole process is of course communicating with the Amazon cloud servers, with multiple subdomains.

For example, there is:

eu-central-1.amazonaws.com
s3.eu-central-1.amazonaws.com
<some_id>.s3.eu-central-1.amazonaws.com

Reading Managing outgoing traffic I assumed that this configuration should be sufficient to catch all 3 variants:

"com.calponia.egress.fqdns.0.pattern": '*.amazonaws.com'

But it seems that the asterisk is only evaluated for a single subdomain, not for multiple subdomains. Therefore I had to configure it like this, to make everything work:

  "com.calponia.egress.fqdns.0.pattern": '*.amazonaws.com'
  "com.calponia.egress.fqdns.1.pattern": '*.eu-central-1.amazonaws.com'
  "com.calponia.egress.fqdns.2.pattern": '*.*.eu-central-1.amazonaws.com'

Is it expected that the asterisk only replaces a single subdomain and not multiple?

BTW, you need to check the documentation page, it seems there is a formatting issue by the usage of the asterisk in the text.

Hello,
Thanks for your feedback. Yes, there is a formatting issue. I’ve created an issue for this.

And yes the asterisk is only replacing a single subdomain which is stated in the documentation:

* within a domain allows 0 or more valid DNS characters, except for the . separator

An exception to that is if you only use *. This would match all.
Your solution is correct! :+1:

Thanks for letting us know about the formatting issue, making this unclear.
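To make the matching rule from the answer concrete, here is a small added example (not Calponia's or Cilium's own code) that implements exactly the semantics quoted above: an asterisk stands for zero or more DNS characters within one label and never crosses a dot, while a bare `*` matches every name. The hostnames are the three from the question (the `<some_id>` is replaced with a constructed value), and the allowed set of label characters is an assumption of this example, not taken from the documentation.

```python
import re

# Constructed sample hostnames taken from the question; "abc123" stands in for <some_id>.
HOSTS = [
    "eu-central-1.amazonaws.com",
    "s3.eu-central-1.amazonaws.com",
    "abc123.s3.eu-central-1.amazonaws.com",
]

# The original single pattern and the three-pattern workaround from the question.
SINGLE_PATTERN = ["*.amazonaws.com"]
WORKAROUND = [
    "*.amazonaws.com",
    "*.eu-central-1.amazonaws.com",
    "*.*.eu-central-1.amazonaws.com",
]

# Assumed set of characters that may appear inside one DNS label. The '.'
# separator is deliberately absent: that is what confines '*' to one label.
LABEL_CHAR = r"[A-Za-z0-9_-]"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an egress FQDN pattern with the semantics stated in the thread.

    '*' expands to zero or more label characters (never '.'); a pattern that
    is only '*' matches every name. Comparison is case-insensitive and a
    trailing dot on the pattern or host is ignored.
    """
    pattern = pattern.rstrip(".").lower()
    if pattern == "*":
        return re.compile(r"^.+$")
    # Escape the literal pieces, then glue them back with the label-only wildcard.
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    body = (LABEL_CHAR + "*").join(literal_parts)
    return re.compile("^" + body + "$")


def matches(pattern: str, host: str) -> bool:
    """True if a single pattern permits the given hostname."""
    return pattern_to_regex(pattern).match(host.rstrip(".").lower()) is not None


def allowed_hosts(patterns, hosts):
    """Return the hosts that at least one pattern in the allow-list permits."""
    compiled = [pattern_to_regex(p) for p in patterns]
    return [h for h in hosts if any(c.match(h.rstrip(".").lower()) for c in compiled)]


def blocked_hosts(patterns, hosts):
    """Return the hosts that no pattern permits, i.e. egress that would be dropped."""
    allowed = set(allowed_hosts(patterns, hosts))
    return [h for h in hosts if h not in allowed]


if __name__ == "__main__":
    # Show why the single pattern is not enough and the three-pattern list is.
    for label, patterns in (("single pattern", SINGLE_PATTERN), ("workaround", WORKAROUND)):
        print(f"{label}:")
        for host in HOSTS:
            verdict = "allowed" if host in allowed_hosts(patterns, HOSTS) else "BLOCKED"
            print(f"  {host:45} {verdict}")
```

Running the block prints that `*.amazonaws.com` alone only admits `eu-central-1.amazonaws.com`, which is the behaviour reported in the question; reviewing an allow-list with a check like this before deployment is a cheap way to spot egress rules that are silently narrower than intended.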

Just as user feedback, this is at least unexpected from a user's perspective. I never faced such a way before. An asterisk typically does NOT exclude any characters.

Is there any reason why the dot is excluded? Is there any use case that makes it necessary? Or any security reason to avoid the resolution of all subdomains via asterisk?

Just to better understand the limitation of the asterisk usage.

This comes from an underlying software we use. Here is a reference: Layer 3 Examples — Cilium 1.15.0-dev documentation

Not sure why they decided to design it like this, but the reasons should be in their GitHub repository.