Appearance
Firewalls
A firewall is an IP allow-list attached to a pod. Only traffic from the listed addresses can reach the pod. Everything else is dropped.
That is the entire model. A firewall rule is a source IP or CIDR plus a description - nothing more. There are no ports, no protocols, and no directions to configure. If an address is on the list, it can reach every public port on the pod; if it is not, it reaches none of them.
Rule format
Each rule is a CIDR (or a bare IP) and a description:
| CIDR | Description |
|---|---|
203.0.113.42/32 | My home IP |
198.51.100.0/24 | Office range |
0.0.0.0/0 | Everyone (allow all) |
A firewall holds 1 to 15 rules. 0.0.0.0/0 means "allow the whole internet", which is the effective default for a pod with no firewall.
Attaching to a pod
Firewalls attach from the pod side - pick one when you create the pod, or from the pod's Networking tab later. A pod has one firewall at a time. Changes take effect within seconds, no reboot needed.
Common patterns
- Lock a pod to just you: one rule with your home IP
/32. Add your office range as a second rule if needed. - Fully public: a single
0.0.0.0/0rule (or no firewall at all). - Office VPN only: one rule with your VPN's egress range.
Because rules do not carry ports, you cannot use a firewall to open web traffic while restricting SSH on the same pod - the allow-list covers all ports together. To keep a database off the public internet, put it on a private network instead of exposing it and filtering.
Notes
- Firewalls are free.
- Firewall names are unique within your account.