Skip to content

Firewalls

A firewall is an IP allow-list attached to a pod. Only traffic from the listed addresses can reach the pod. Everything else is dropped.

That is the entire model. A firewall rule is a source IP or CIDR plus a description - nothing more. There are no ports, no protocols, and no directions to configure. If an address is on the list, it can reach every public port on the pod; if it is not, it reaches none of them.

Rule format

Each rule is a CIDR (or a bare IP) and a description:

CIDRDescription
203.0.113.42/32My home IP
198.51.100.0/24Office range
0.0.0.0/0Everyone (allow all)

A firewall holds 1 to 15 rules. 0.0.0.0/0 means "allow the whole internet", which is the effective default for a pod with no firewall.

Attaching to a pod

Firewalls attach from the pod side - pick one when you create the pod, or from the pod's Networking tab later. A pod has one firewall at a time. Changes take effect within seconds, no reboot needed.

Common patterns

  • Lock a pod to just you: one rule with your home IP /32. Add your office range as a second rule if needed.
  • Fully public: a single 0.0.0.0/0 rule (or no firewall at all).
  • Office VPN only: one rule with your VPN's egress range.

Because rules do not carry ports, you cannot use a firewall to open web traffic while restricting SSH on the same pod - the allow-list covers all ports together. To keep a database off the public internet, put it on a private network instead of exposing it and filtering.

Notes

  • Firewalls are free.
  • Firewall names are unique within your account.

See also

Built for the long tail.