Appearance
Lock down with firewalls
A pod with no firewall is reachable by anyone. For a staging site, an internal admin tool, or a database pod you connect to directly, that's too open. A firewall fixes it: it's an IP allow-list that lets only the addresses you name reach the pod, and blocks the rest.
Firewalls filter by source IP only
A firewall rule is just a source IP or CIDR - there are no ports, protocols, or directions. If an address is on the list it can reach every public port on the pod; if it isn't, it reaches none of them. You can't open web traffic to the world while restricting SSH on the same pod. (For that, keep the pod private on a network instead.)
Goal
Make one pod reachable only from your own IP (and your office), and block everyone else.
1. Find your public IP
bash
curl ifconfig.meNote the result - let's call it 203.0.113.42.
2. Create the firewall
In the console: Firewalls -> New firewall
- Name:
allow-my-ips - Rules:
203.0.113.42/32-Home IP198.51.100.0/24-Office range(optional)
Save. A firewall holds 1 to 15 rules.
3. Attach it to your pod
Firewalls attach from the pod side. Open the pod's Networking tab (or pick the firewall when you create the pod), set it to allow-my-ips, and save.
It takes effect within seconds. No reboot needed.
4. Verify
From an allowed address, connect using the host and port on the pod's Connection tab:
bash
ssh -p <ssh-port> ubuntu@your-pod.microapps.io # works from your home IPNow try from a different network (a phone hotspot is easiest):
bash
ssh -p <ssh-port> ubuntu@your-pod.microapps.io # should hang, then time outBlocked addresses can't reach any port on the pod, which is the whole point.
What if your home IP changes?
If you're on a dynamic IP, you have options:
- Update the rule when it changes - the console makes it a two-second edit.
- Use a VPN with a static egress IP and allow that range instead.
- Use the browser-based console - it works over HTTPS, so it doesn't depend on your IP being on the list.
Going further
- Database pods: don't expose them at all. Put the database and the app pod on a shared private network and let the app reach it over private addresses. No public port, no firewall rule to maintain.
- Public web apps: if the whole world should reach it, a firewall isn't the tool (it can't single out web ports). Leave the pod open, or front it with a mapped domain and keep any admin-only pods locked down separately.
- Per-environment firewalls: different allow-lists for staging vs prod.
- Scripting: see the firewalls API reference.