Skip to content

Networks & firewalls

Two related but distinct tools. Networks group pods so they can talk privately. Firewalls decide which source IPs are allowed to reach a pod. Both attach to a pod from the pod side.

Networks

A network is a private, region-scoped network with its own CIDR block. Pods on the same network reach each other directly - on private IPs and private hostnames, using internal service ports (no port mapping, no public internet round-trip).

Create a network

  1. Networks -> New network.
  2. Give it a name and a private CIDR block (e.g. 10.20.0.0/24). Private means 10.x (prefix /8 to /30), 172.16-31.x (/12 to /30), or 192.168.x (/16 to /30).
  3. Pick the region. A network only holds pods from that same region.
  4. Save. The network provisions in the background and is ready in seconds.

Attach a pod

Pods join from the pod side: pick the network when you create the pod, or from the pod's Networking tab later. The pod gets a private IP in the range and a private hostname (shown in its Connection Strings tab). The pod and network must be in the same region.

Skip the network picker at creation and the pod gets an auto-created network of its own. Pods only talk privately when they share the same network - so for a multi-pod setup, create one network and put them all on it.

Talking between pods on the same network

From inside one pod, reach a same-network neighbour by its private hostname on the internal service port:

bash
ssh ubuntu@web-pod              # SSH on internal port 22
mysql -h db-pod -P 3306 -u root -p
curl http://api-pod:3000/health

No external port needed - those are only for connections coming in from the public internet.

Why use them

  • Run a database in a private pod and expose only the web pod to the internet.
  • Build a multi-pod app where workers talk to a queue privately.
  • Skip the external-port mapping shuffle for internal traffic.
  • Give staging and prod their own networks.

Networks are free.

Firewalls

A firewall is an IP allow-list. Each rule is a source IP or CIDR plus a description - that's it. No ports, no protocols, no directions. Only listed addresses can reach the pod; everyone else is blocked. Leave the firewall picker blank at pod creation and the pod gets an auto-created allow-all firewall - open to everyone until you tighten or replace it.

Create a firewall

  1. Firewalls -> New firewall.
  2. Add 1 to 15 rules. Each rule is a CIDR + description (e.g. 203.0.113.42/32 - my home IP).
  3. Save.

Attach to a pod

Firewalls attach from the pod side too: pick one when you create the pod, or from the pod's Networking tab. Only traffic from a listed address is allowed. Changes take effect within seconds, no reboot.

Common patterns

  • Lock a pod to just you. One rule: your home IP /32. Add your office range as a second rule.
  • Fully public. One rule: 0.0.0.0/0 (or don't attach a firewall at all).
  • Office VPN only. One rule: your VPN's egress range.

Because rules have no port, you can't open web traffic while restricting SSH on the same pod - the allow-list covers every port together. To keep a database off the public internet, put it on a private network rather than exposing it and filtering. Firewalls are free.

API

Built for the long tail.