[
	{
		"subnet": "10.0.1.0/24",
		"mode": "permissive",
		"enable_logging": false,
		"ingress": [
			{
				"port": 22,
				"protocol": "tcp",
				"action": "deny",
				"comment": "Block inbound SSH (tcp/22) from any source"
			},
			{
				"port": 80,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow HTTP traffic"
			},
			{
				"port": 443,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow HTTPS traffic"
			}
		]
	},
	{
		"mode": "permissive",
		"enable_logging": false,
		"ingress": [
			{
				"protocol": "icmp",
				"action": "allow",
				"comment": "Allow all inbound ICMP types from any source (no icmp_type restriction, so this is broader than echo request/ping)"
			}
		],
		"egress": [
			{
				"port": 443,
				"protocol": "tcp",
				"action": "deny",
				"comment": "Block outbound HTTPS"
			},
			{
				"port": 22,
				"protocol": "tcp",
				"action": "deny",
				"comment": "Block outbound SSH"
			}
		]
	},
	{
		"mode": "restrictive",
		"enable_logging": true,
		"ingress": [
			{
				"protocol": "icmp",
				"action": "allow",
				"comment": "Allow all inbound ICMP types from any source (no icmp_type restriction, so this is broader than ping)"
			}
		],
		"forward": [
			{
				"source": "10.0.1.0/24",
				"destination": "10.0.2.0/24",
				"action": "deny",
				"comment": "Block forwarded traffic from the public subnet (10.0.1.0/24) to the private subnet (10.0.2.0/24)"
			}
		]
	},
	{
		"subnet": "10.0.1.0/24",
		"mode": "restrictive",
		"enable_logging": true,
		"ingress": [
			{
				"port": 80,
				"protocol": "tcp",
				"source": "10.0.2.0/24",
				"action": "allow",
				"comment": "Allow HTTP only from private subnet"
			},
			{
				"protocol": "icmp",
				"icmp_type": 8,
				"source": "10.0.0.0/16",
				"action": "allow",
				"comment": "Allow ICMP echo request (ping) only from the 10.0.0.0/16 VPC range"
			}
		],
		"egress": [
			{
				"port": 53,
				"protocol": "udp",
				"action": "allow",
				"comment": "Allow outbound DNS over UDP only; TCP/53 (large responses, zone transfers) is not covered by this rule"
			},
			{
				"port": 80,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow outbound HTTP"
			},
			{
				"port": 443,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow outbound HTTPS"
			}
		]
	},
	{
		"mode": "restrictive",
		"enable_logging": true,
		"ingress": [
			{
				"port": 80,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow inbound HTTP (tcp/80) from any source"
			},
			{
				"port": 443,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow inbound HTTPS (tcp/443) from any source"
			},
			{
				"protocol": "icmp",
				"icmp_type": 8,
				"action": "allow",
				"comment": "Allow ping (echo request)"
			}
		],
		"egress": [
			{
				"port": 53,
				"protocol": "udp",
				"action": "allow",
				"comment": "Allow outbound DNS over UDP only; TCP/53 is not covered by this rule"
			},
			{
				"port": 80,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow outbound HTTP"
			},
			{
				"port": 443,
				"protocol": "tcp",
				"action": "allow",
				"comment": "Allow outbound HTTPS"
			},
			{
				"protocol": "icmp",
				"action": "allow",
				"comment": "Allow all outbound ICMP types (no icmp_type restriction, so this is broader than echo request/ping)"
			}
		]
	}
]
