Tier availability

This feature is only available to Elite and Enterprise customers. Compare the Platform.sh tiers on our pricing page, or contact our sales team for more information.

In some situations, compliance regulations may require you to limit outbound traffic from your application. The firewall property allows you to do so.

This setting has no impact on inbound requests to your application. For that, use the environment access control settings in the Management Console.

Syntax 

The firewall property defines one or more allowed entries for outbound requests. Its basic syntax is as follows:

firewall:
  outbound:
    - protocol: tcp
      domains: ["google.com", "facebook.com"]
      ports: [80, 443]
    - protocol: tcp
      ips: ["1.2.3.4/32"]
      ports: [22]

The above example allows two outbound rules over TCP. All other outbound requests will be blocked and will time out eventually (usually after 30 seconds).

If no rules are specified, the default firewall configuration is equivalent to:

firewall:
  outbound:
    - protocol: tcp
      ips: ["0.0.0.0/0"]

That is, all outbound TCP traffic is allowed on all ports (aside from port 25, which is always blocked without exception). In the majority of cases the default is sufficient for most applications.

Options 

Each firewall rule has three configuration values. At least one of ips, domains or ports is required.

protocol 

The default and only legal value for the protocol is tcp. Outbound UDP ports are not allowed. As a result this property can be omitted in virtually every circumstance.

ips 

This property is an array of IP addresses in CIDR notation. CIDR allows you to specify a range of IP addresses in a compact format, using a bitmask. Most commonly the bitmask is 8, 16, or 32 but that is not required.

For example, 1.2.3.4/8 will match any IP address whose first 8 bits match 1.2.3.4, which corresponds to the first segment. Therefore it will allow 1.*.*.*. In comparison, 1.2.3.4/24 will allow 1.2.3.*. A mask of 32 will match only the IP address specified, so to allow a single specific IP you must write 1.2.3.4/32.

IP Address Guide has a useful CIDR format calculator.

If no ports property is specified, requests to any port on the specified IP addresses are permitted.

domains 

This property is an array of fully qualified domain names FQDN. FQDN allows you to specify specific destinations by hostnames.

If no ports property is specified, requests to any port on IP addresses the listed domains resolve to are permitted.

ports 

This property is an array of ports in the range 1 to 65535 that are allowed. For example, [80, 443] will only allow requests to the specified IPs on ports 80 and 443 (typically HTTP and HTTPS, respectively). Requests to any other port will be blocked.

If not specified, requests to a given IP may be to any port.

If no ips or domains property is specified, requests to any destination are permitted on the specified port(s).

Multiple rules 

It is possible to define an arbitrary number of allowed firewall rules, as in the example above. If multiple rules are specified, a given outbound request will be allowed if it matches ANY of the defined rules.

That means that, for this configuration:

firewall:
  outbound:
    - ips: ["1.2.3.4/32"]
      ports: [443]
    - ports: [80]

Requests to port 80 on any IP will be allowed, and requests to 1.2.3.4 on either port 80 or 443 will be allowed, even though the first rule only lists port 443.

Usage considerations 

Be aware that many services are behind a Content Delivery Network (CDN). For most CDNs, routing is done via domain name, not IP address, so thousands of domain names may share the same public IP addresses at the CDN. If you allow the IP address of a CDN, you will in most cases be allowing many or all of the other customers hosted behind that CDN. That has security implications and limits the usefulness of this configuration option.