Skip to content

Lock down with firewalls

A pod with no firewall is reachable by anyone. For a staging site, an internal admin tool, or a database pod you connect to directly, that's too open. A firewall fixes it: it's an IP allow-list that lets only the addresses you name reach the pod, and blocks the rest.

Firewalls filter by source IP only

A firewall rule is just a source IP or CIDR - there are no ports, protocols, or directions. If an address is on the list it can reach every public port on the pod; if it isn't, it reaches none of them. You can't open web traffic to the world while restricting SSH on the same pod. (For that, keep the pod private on a network instead.)

Goal

Make one pod reachable only from your own IP (and your office), and block everyone else.

1. Find your public IP

bash
curl ifconfig.me

Note the result - let's call it 203.0.113.42.

2. Create the firewall

In the console: Firewalls -> New firewall

  • Name: allow-my-ips
  • Rules:
    • 203.0.113.42/32 - Home IP
    • 198.51.100.0/24 - Office range (optional)

Save. A firewall holds 1 to 15 rules.

3. Attach it to your pod

Firewalls attach from the pod side. Open the pod's Networking tab (or pick the firewall when you create the pod), set it to allow-my-ips, and save.

It takes effect within seconds. No reboot needed.

4. Verify

From an allowed address, connect using the host and port on the pod's Connection tab:

bash
ssh -p <ssh-port> ubuntu@your-pod.microapps.io   # works from your home IP

Now try from a different network (a phone hotspot is easiest):

bash
ssh -p <ssh-port> ubuntu@your-pod.microapps.io   # should hang, then time out

Blocked addresses can't reach any port on the pod, which is the whole point.

What if your home IP changes?

If you're on a dynamic IP, you have options:

  • Update the rule when it changes - the console makes it a two-second edit.
  • Use a VPN with a static egress IP and allow that range instead.
  • Use the browser-based console - it works over HTTPS, so it doesn't depend on your IP being on the list.

Going further

  • Database pods: don't expose them at all. Put the database and the app pod on a shared private network and let the app reach it over private addresses. No public port, no firewall rule to maintain.
  • Public web apps: if the whole world should reach it, a firewall isn't the tool (it can't single out web ports). Leave the pod open, or front it with a mapped domain and keep any admin-only pods locked down separately.
  • Per-environment firewalls: different allow-lists for staging vs prod.
  • Scripting: see the firewalls API reference.

Built for the long tail.