Upsun User Documentation

firewall

A firewall dictionary that defines the outbound firewall rules for the application.

Optional in single-runtime and composable images.

This property enables you to set limits in outbound traffic from your app with no impact on inbound requests.

The outbound key is required and contains one or more rules. The rules define what traffic is allowed; anything unspecified is blocked.

Each rule has the following properties. At least one of them is required, and ips and domains can't be specified together:

ips (string array; default ["0.0.0.0/0"]): IP addresses in CIDR notation. See a CIDR format converter.
domains (string array; no default): Fully qualified domain names that name specific destinations by hostname.
ports (integer array; no default): Ports from 1 to 65535 that are allowed. If any ports are specified, all unspecified ports are blocked. If no ports are specified, all ports are allowed. Port 25, the SMTP port for sending email, is always blocked.

The default settings would look like this:

Single-runtime image, .upsun/config.yaml
applications:
  APP_NAME:
    type: 'python:3.13'
    source:
      root: "/"
    firewall:
      outbound:
        - ips: [ "0.0.0.0/0" ]

Composable image, .upsun/config.yaml
applications:
  APP_NAME:
    type: "composable:25.05"
    source:
      root: "/"
    stack:
      runtimes: [ "python@3.13" ]
    firewall:
      outbound:
        - ips: [ "0.0.0.0/0" ]

Support for rules

Outbound firewall rules are supported in all environments.

Multiple rules

Multiple firewall rules can be specified. In such cases, a given outbound request is allowed if it matches any of the defined rules.

So in the following example, requests to any IP on port 80 are allowed, and requests to 1.2.3.4 on either port 80 or 443 are allowed:

Single-runtime image, .upsun/config.yaml
applications:
  APP_NAME:
    type: 'python:3.13'
    source:
      root: "/"
    firewall:
      outbound:
        - ips: [ "1.2.3.4/32" ]
          ports: [ 443 ]
        - ports: [ 80 ]

Composable image, .upsun/config.yaml
applications:
  APP_NAME:
    type: "composable:25.05"
    source:
      root: "/"
    stack:
      runtimes: [ "python@3.13" ]
    firewall:
      outbound:
        - ips: [ "1.2.3.4/32" ]
          ports: [ 443 ]
        - ports: [ 80 ]

Outbound traffic to CDNs

Be aware that many services are behind a content delivery network (CDN). For most CDNs, routing is done via domain name, not IP address, so thousands of domain names may share the same public IP addresses at the CDN. If you allow the IP address of a CDN, you are usually allowing many or all of the other customers hosted behind that CDN.

Outbound traffic by domain

You can filter outbound traffic by domain. Using domains in your rules rather than IP addresses is generally more specific and secure. For example, if you use an IP address for a service with a CDN, you have to allow the IP address for the CDN. This means that you allow potentially hundreds or thousands of other servers also using the CDN.

An example rule filtering by domain:

Single-runtime image, .upsun/config.yaml
applications:
  APP_NAME:
    type: 'python:3.13'
    source:
      root: "/"
    firewall:
      outbound:
        - protocol: tcp
          domains: [ "api.stripe.com", "api.twilio.com" ]
          ports: [ 80, 443 ]
        - protocol: tcp
          ips: [ "1.2.3.4/29", "2.3.4.5" ]
          ports: [ 22 ]

Composable image, .upsun/config.yaml
applications:
  APP_NAME:
    type: "composable:25.05"
    source:
      root: "/"
    stack:
      runtimes: [ "python@3.13" ]
    firewall:
      outbound:
        - protocol: tcp
          domains: [ "api.stripe.com", "api.twilio.com" ]
          ports: [ 80, 443 ]
        - protocol: tcp
          ips: [ "1.2.3.4/29", "2.3.4.5" ]
          ports: [ 22 ]

Determine which domains to allow

To determine which domains to include in your filtering rules, find the domains your site has requested the DNS to resolve. Run the following command to parse your server’s dns.log file and display all Fully Qualified Domain Names that have been requested:

awk '/query\[[^P]\]/ { print $6 | "sort -u" }' /var/log/dns.log

The output includes all DNS requests that were made, including those blocked by your filtering rules. It doesn’t include any requests made using an IP address.

Example output:

facebook.com
fastly.com
upsun.com
www.google.com
www.upsun.com