Network Policies

ACL you can see, not just write.

Author allow/deny rules between groups in a visual editor, then watch them light up as an access graph. Click any edge to see exactly which rule allowed — or denied — the connection.

  • Allow/deny rules between groups, by protocol and port
  • Visual editor — see and edit the whole access graph
  • Click-to-trace any verdict back to the exact rule

[Figure: access map for policy prod-rbac. Nodes: ops, sre, devs, prod-app, monitor, prod-db. Highlighted edge: deny · devs → prod-db (rule #4). Legend: allow / deny. Click any edge to trace the rule behind the verdict.]

When policy actually changes

Built for the moments that matter.

Onboarding a service. Debugging a denial. Testing a change before it ships. The editor and the access map have you covered.

1. Onboard a new service

Drop the service into a target group. Decide which source groups can reach it on which ports. Hit save — the rule is live in seconds.

allow ops → prod-app :443, :22

2. Debug a denial

Engineer says "I can't reach db-primary." Open the access map, click the peer, see the deny edge, trace lands on the exact rule. Fix or explain it in a minute.

DENY rule #4 — devs cannot reach prod-db

3. Test before you ship

Ask "can this group reach that target on this port?" before you change anything. The engine answers with the rule that decides it — no guesswork.

test devs → prod-db :22 ⇒ DENY (rule #4)

Capabilities

A policy engine that explains itself.

Visual editor + access map

Build rules in a form, then see the whole org as a graph of who-can-reach-what. Allow edges in green, deny edges dashed — the policy is legible at a glance.

  • Allow/deny between groups
  • Protocol + port scoping (TCP/UDP/ICMP)
  • Toggle a rule on or off without deleting
  • Access map renders the full graph

Click-to-trace any verdict

Click an edge in the map or run a test. meshr surfaces the exact rule, the group membership that triggered it, and what to change. Debug ACL incidents in seconds, not afternoons.

# Trace verdict: devs → prod-db :22
DENY  policy: prod-rbac
      rule:   rule #4
      via:    savas is member of devs
      fix:    add savas to db-read

Read your rules as code

Every rule renders as a clean, human-readable HCL-style preview — handy for a quick second opinion or to paste into a review. (Today this is a read-only view; editing happens in the visual editor.)

# Rule preview (read-only today)
allow {
  from = ["ops", "sre"]
  to   = ["prod-app"]
  ports = [443, 22]
}

Coming soon

Policy as code & GitOps

On the roadmap: make the code form the source of truth — commit it to Git, open a PR, apply it through a Terraform provider, and diff every change. Not available yet; today the visual editor is the source.

  • Code form as the editable source of truth
  • Git-versioned with PR review
  • Terraform provider applies the same syntax
  • Side-by-side diff between versions

Every change you make in the editor is recorded — see the full who/what/when in Audit Logs.

See your network's access in one map.

Free for every feature while we're in beta. Write your first allow rule and watch the access graph light up.