[Beta] Outbound firewall
In some situations, compliance regulations may require you to limit outbound traffic from your application. The
firewall property allows you to do so.
This setting has no impact on inbound requests to your application. For that, use the environment access control settings in the Management Console.
The outbound firewall is currently in Beta. While the syntax is not expected to change, some behavior might in the future.
firewall property defines one or more allowed entries for outbound requests. Its basic syntax is as follows:
firewall: outbound: - protocol: tcp ips: ["126.96.36.199/32"] ports:  - protocol: tcp ips: ["188.8.131.52/32"] ports: 
The above example allows two outbound rules over TCP. All other outbound requests will be blocked and will time out eventually (usually after 30 seconds).
If no rules are specified, the default
firewall configuration is equivalent to:
firewall: outbound: - protocol: tcp ips: ["0.0.0.0/0"]
That is, all outbound TCP traffic is allowed on all ports (aside from port 25, which is always blocked without exception). In the majority of cases the default is sufficient for most applications.
Each firewall rule has three configuration values. At least one of
ports is required, but both may also be specified.
The default and only legal value for the protocol is
tcp. Outbound UDP ports are not allowed. As a result this property can be omitted in virtually every circumstance.
This property is an array of IP addresses in CIDR notation. CIDR allows you to specify a range of IP addresses in a compact format, using a bitmask. Most commonly the bitmask is 8, 16, or 32 but that is not required.
184.108.40.206/8 will match any IP address whose first 8 bits match
220.127.116.11, which corresponds to the first segment. Therefore it will allow
1.*.*.*. In comparison,
18.104.22.168/24 will allow
1.2.3.*. A mask of 32 will match only the IP address specified, so to allow a single specific IP you must write
IP Address Guide has a useful CIDR format calculator.
ports property is specified, requests to any port on the specified IP addresses are permitted.
This property is an array of ports in the range 1 to 65535 that are allowed. For example,
[80, 443] will only allow requests to the specified IPs on ports 80 and 443 (typically HTTP and HTTPS, respectively). Requests to any other port will be blocked.
If not specified, requests to a given IP may be to any port.
ips property is specified, requests to any IP address are permitted on the specified port(s).
It is possible to define an arbitrary number of allowed firewall rules, as in the example above. If multiple rules are specified, a given outbound request will be allowed if it matches ANY of the defined rules.
That means that, for this configuration:
firewall: outbound: - ips: ["22.214.171.124/32"] ports:  - ports: 
Requests to port 80 on any IP will be allowed, and requests to 126.96.36.199 on either port 80 or 443 will be allowed, even though the first rule only lists port 443.
Be aware that many services your application may wish to connect to will be using a domain name that is not on a fixed IP address, or is load-balanced between multiple IP addresses. You will need to contact the administrator of that service in order to determine the correct IP addresses to allow.
Also be aware that many services are behind a Content Delivery Network (CDN). For most CDNs, routing is done via domain name, not IP address, so thousands of domain names may share the same public IP addresses at the CDN. If you allow the IP address of a CDN, you will in most cases be allowing many or all of the other customers hosted behind that CDN. That has security implications and limits the usefulness of this configuration option.