topology

package
v1.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 19, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package topology provides a network topology simulation engine that evaluates actual connectivity between cloud resources.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ACLVerdict 

type ACLVerdict struct {
	Allowed    bool
	RuleNumber int
	Action     string // "allow" or "deny"
	Reason     string
}

ACLVerdict describes the result of network ACL evaluation.

type ConnectivityQuery 

type ConnectivityQuery struct {
	SrcInstanceID string
	DstInstanceID string
	Port          int
	Protocol      string // "tcp", "udp", "icmp", "-1" (all)
}

ConnectivityQuery holds the parameters for a CanConnect evaluation.

type ConnectivityResult 

type ConnectivityResult struct {
	Allowed    bool
	Reason     string
	Path       []RouteHop
	SGVerdict  TrafficVerdict
	ACLVerdict *ACLVerdict
}

ConnectivityResult describes the result of a CanConnect evaluation.

type Engine 

type Engine struct {
	// contains filtered or unexported fields
}

Engine evaluates network topology and connectivity between cloud resources.

func New 

func New(
	compute computedriver.Compute,
	networking netdriver.Networking,
	dns dnsdriver.DNS,
) *Engine

New creates a new topology Engine that reads state from the provided compute, networking, and DNS services.

func (*Engine) CanConnect 

func (e *Engine) CanConnect(
	ctx context.Context,
	query ConnectivityQuery,
) (*ConnectivityResult, error)

CanConnect evaluates whether two instances can communicate on the given port and protocol, considering VPC membership, peering, security groups, and network ACLs.

func (*Engine) EvaluateNetworkACL 

func (e *Engine) EvaluateNetworkACL(
	ctx context.Context,
	aclID string,
	srcIP, dstIP string,
	port int,
	protocol string,
	ingress bool,
) (*ACLVerdict, error)

EvaluateNetworkACL evaluates a network ACL's rules against the given traffic. Rules are evaluated in order by rule number; the first matching rule wins. If no rule matches, traffic is implicitly denied.

func (*Engine) EvaluateSecurityGroups 

func (e *Engine) EvaluateSecurityGroups(
	ctx context.Context,
	srcSGID, dstSGID string,
	port int,
	protocol string,
) (*TrafficVerdict, error)

EvaluateSecurityGroups checks whether traffic from srcSG to dstSG is allowed on the given port and protocol. Both egress on src and ingress on dst must match.

func (*Engine) Resolve 

func (e *Engine) Resolve(ctx context.Context, hostname string) ([]string, error)

Resolve walks through DNS zones and returns matching record values for the hostname.

func (*Engine) TraceRoute 

func (e *Engine) TraceRoute(
	ctx context.Context,
	srcInstanceID, destIP string,
) ([]RouteHop, error)

TraceRoute returns the network path from a source instance to a destination IP.

type RouteHop 

type RouteHop struct {
	Type       string // "instance", "subnet", "route-table", "gateway", "nat-gateway", "peering", "local"
	ResourceID string
	Detail     string
}

RouteHop represents one step in the network path.

type RuleMatch 

type RuleMatch struct {
	GroupID  string
	Protocol string
	CIDR     string
	FromPort int
	ToPort   int
}

RuleMatch identifies which security rule matched.

type TrafficVerdict 

type TrafficVerdict struct {
	Allowed      bool
	EgressMatch  *RuleMatch
	IngressMatch *RuleMatch
	Reason       string
}

TrafficVerdict describes the result of security group evaluation.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.