firewall
Tier availability
This feature is available for Elite and Enterprise customers. Compare the tiers on our pricing page, or contact our sales team for more information.
A firewall dictionary that defines the outbound firewall rules for the application.
Optional in single-runtime and composable images.
This property enables you to set limits on outbound traffic from your app with no impact on inbound requests.
The outbound key is required and contains one or more rules.
The rules define what traffic is allowed; anything unspecified is blocked.
Each rule has the following properties. At least one of them is required, and ips and domains can't be specified together in the same rule:
| Name | Type | Default | Description |
|---|---|---|---|
| ips | string array | ["0.0.0.0/0"] | IP addresses in CIDR notation. See a CIDR format converter. |
| domains | string array | | Fully qualified domain names to specify specific destinations by hostname. |
| ports | integer array | | Ports from 1 to 65535 that are allowed. If any ports are specified, all unspecified ports are blocked. If no ports are specified, all ports are allowed. Port 25, the SMTP port for sending email, is always blocked. |
The default settings would look like this:

Single-runtime image:

```yaml
applications:
  APP_NAME:
    type: 'python:3.13'
    source:
      root: "/"
    firewall:
      outbound:
        - ips: [ "0.0.0.0/0" ]
```

Composable image:

```yaml
applications:
  APP_NAME:
    type: "composable:25.05"
    source:
      root: "/"
    stack:
      runtimes: [ "python@3.13" ]
    firewall:
      outbound:
        - ips: [ "0.0.0.0/0" ]
```

Support for rules
Outbound firewall rules are supported in all environments. For Dedicated Gen 2 projects, contact support to have them configured.
Multiple rules
Multiple firewall rules can be specified. In that case, a given outbound request is allowed if it matches any one of the defined rules.
So in the following example, requests to any IP on port 80 are allowed, and requests to 1.2.3.4 on either port 80 or 443 are allowed:
Single-runtime image:

```yaml
applications:
  APP_NAME:
    type: 'python:3.13'
    source:
      root: "/"
    firewall:
      outbound:
        - ips: [ "1.2.3.4/32" ]
          ports: [ 443 ]
        - ports: [ 80 ]
```

Composable image:

```yaml
applications:
  APP_NAME:
    type: "composable:25.05"
    source:
      root: "/"
    stack:
      runtimes: [ "python@3.13" ]
    firewall:
      outbound:
        - ips: [ "1.2.3.4/32" ]
          ports: [ 443 ]
        - ports: [ 80 ]
```

Outbound traffic to CDNs
Be aware that many services are behind a content delivery network (CDN). For most CDNs, routing is done via domain name, not IP address, so thousands of domain names may share the same public IP addresses at the CDN. If you allow the IP address of a CDN, you are usually allowing many or all of the other customers hosted behind that CDN.
Outbound traffic by domain
You can filter outbound traffic by domain. Using domains in your rules rather than IP addresses is generally more specific and secure. For example, if you use an IP address for a service with a CDN, you have to allow the IP address for the CDN. This means that you allow potentially hundreds or thousands of other servers also using the CDN.
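To make the rule semantics concrete (any matching rule allows a request, anything unspecified is blocked, ports default to all, port 25 is always blocked, and ips and domains are mutually exclusive), here is an added Python simulation of the evaluation. It is example code written for this page, not Platform.sh's firewall implementation. The matching assumptions are its own: an ips rule matches a destination given as an IP address inside one of its CIDRs, a domains rule matches a destination given as a hostname, and a rule with neither matches any destination. The two rule sets at the bottom are constructed to mirror the multiple-rules example above and a domain-based rule set like the ones in this section.

```python
"""Offline simulation of the outbound firewall rule semantics described on this page.

Added example, not Platform.sh code. Matching assumptions: an `ips` rule matches a
destination given as an IP address inside one of its CIDRs; a `domains` rule matches a
destination given as a hostname; a rule with neither matches any destination.
"""
import ipaddress
from dataclasses import dataclass, field

ALWAYS_BLOCKED_PORTS = {25}  # SMTP port 25 is always blocked, whatever the rules say


@dataclass
class Rule:
    ips: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    ports: list = field(default_factory=list)

    def __post_init__(self):
        # Constraints from the property table: at least one key, ips xor domains, valid ports
        if not (self.ips or self.domains or self.ports):
            raise ValueError("a rule needs at least one of ips, domains, ports")
        if self.ips and self.domains:
            raise ValueError("ips and domains can't be specified together")
        bad = [p for p in self.ports if not 1 <= int(p) <= 65535]
        if bad:
            raise ValueError(f"ports out of range 1-65535: {bad}")
        # A bare address such as "2.3.4.5" is treated as a single host (/32);
        # strict=False accepts "1.2.3.4/29" and normalises it to 1.2.3.0/29.
        self.networks = [ipaddress.ip_network(cidr, strict=False) for cidr in self.ips]
        self.hostnames = {d.lower().rstrip(".") for d in self.domains}

    def matches(self, dest, port):
        # ports: an empty list means every port; otherwise only the listed ones
        if self.ports and port not in self.ports:
            return False
        if self.networks:
            try:
                addr = ipaddress.ip_address(dest)
            except ValueError:
                return False  # assumption: an IP rule says nothing about a hostname destination
            return any(addr in net for net in self.networks)
        if self.hostnames:
            return dest.lower().rstrip(".") in self.hostnames
        return True  # port-only rule, e.g. "- ports: [ 80 ]"


def load_rules(outbound):
    """Build Rule objects from the dicts under firewall.outbound (the key is required)."""
    if not outbound:
        raise ValueError("outbound is required and must contain at least one rule")
    # `protocol` appears in the page's examples but plays no part in this simulation
    return [Rule(r.get("ips", []), r.get("domains", []), r.get("ports", [])) for r in outbound]


def is_allowed(rules, dest, port):
    """A request is allowed if any rule matches; anything unspecified is blocked."""
    if port in ALWAYS_BLOCKED_PORTS:
        return False
    return any(rule.matches(dest, port) for rule in rules)


# Constructed rule sets as Python dicts, mirroring the YAML examples on this page
MULTI_RULE = load_rules([{"ips": ["1.2.3.4/32"], "ports": [443]}, {"ports": [80]}])
DOMAIN_RULE = load_rules([
    {"protocol": "tcp", "domains": ["api.stripe.com", "api.twilio.com"], "ports": [80, 443]},
    {"protocol": "tcp", "ips": ["1.2.3.4/29", "2.3.4.5"], "ports": [22]},
])

if __name__ == "__main__":
    for dest, port in [("5.6.7.8", 80), ("1.2.3.4", 443), ("5.6.7.8", 443), ("1.2.3.4", 25)]:
        verdict = "allowed" if is_allowed(MULTI_RULE, dest, port) else "blocked"
        print(f"multi-rule  {dest}:{port} -> {verdict}")
    for dest, port in [("api.stripe.com", 443), ("api.stripe.com", 22), ("1.2.3.6", 22), ("2.3.4.6", 22)]:
        verdict = "allowed" if is_allowed(DOMAIN_RULE, dest, port) else "blocked"
        print(f"domain-rule {dest}:{port} -> {verdict}")
```

Running the script shows the any-rule-matches behaviour: with MULTI_RULE, 1.2.3.4 is reachable on 80 (second rule) and 443 (first rule) but 5.6.7.8 only on 80, and port 25 stays blocked even though the first rule lists 1.2.3.4. Feeding load_rules a rule that carries both ips and domains raises before any evaluation happens, which is the check worth running against a config before deploying it.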
An example rule filtering by domain:
Single-runtime image:

```yaml
applications:
  APP_NAME:
    type: 'python:3.13'
    source:
      root: "/"
    firewall:
      outbound:
        - protocol: tcp
          domains: [ "api.stripe.com", "api.twilio.com" ]
          ports: [ 80, 443 ]
        - protocol: tcp
          ips: [ "1.2.3.4/29","2.3.4.5" ]
          ports: [ 22 ]
```

Composable image:

```yaml
applications:
  APP_NAME:
    type: "composable:25.05"
    source:
      root: "/"
    stack:
      runtimes: [ "python@3.13" ]
    firewall:
      outbound:
        - protocol: tcp
          domains: [ "api.stripe.com", "api.twilio.com" ]
          ports: [ 80, 443 ]
        - protocol: tcp
          ips: [ "1.2.3.4/29","2.3.4.5" ]
          ports: [ 22 ]
```

Determine which domains to allow
To determine which domains to include in your filtering rules, find the domains your site has requested the DNS to resolve. Run the following command to parse your server's dns.log file and display all Fully Qualified Domain Names that have been requested:

```bash
awk '/query\[[^P]\]/ { print $6 | "sort -u" }' /var/log/dns.log
```

The output includes all DNS requests that were made, including those blocked by your filtering rules. It doesn't include any requests made using an IP address.
Example output:

```
facebook.com
fastly.com
platform.sh
www.google.com
www.platform.sh
```
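As an added example (not part of the original page or of Platform.sh's tooling), the following Python reproduces the awk pipeline above on constructed dns.log lines and goes one step further: it compares the requested names against the domains listed in your rules, so you can see which queries the current rules do not cover. The log lines are constructed in the dnsmasq-style format the awk command assumes (the queried name is the sixth whitespace-separated field of a `query[...]` line). It generalises the awk pattern slightly by matching multi-letter record types such as AAAA as well as A, while still skipping PTR (reverse) lookups.

```python
"""Parse dnsmasq-style dns.log lines and list the FQDNs the app asked to resolve.

Added example, not Platform.sh code. The log lines below are constructed in the
format the page's awk command assumes (name in field 6 of a `query[...]` line).
"""
import re

# Constructed sample of the dns.log format; the PTR line is a reverse lookup and is skipped,
# and the `forwarded` / `reply` lines are not queries at all
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[123]: query[A] www.platform.sh from 10.0.0.2
Jan 10 12:00:01 dnsmasq[123]: query[AAAA] www.platform.sh from 10.0.0.2
Jan 10 12:00:02 dnsmasq[123]: query[PTR] 2.0.0.10.in-addr.arpa from 10.0.0.2
Jan 10 12:00:03 dnsmasq[123]: query[A] api.stripe.com from 10.0.0.2
Jan 10 12:00:03 dnsmasq[123]: forwarded api.stripe.com to 10.0.0.1
Jan 10 12:00:04 dnsmasq[123]: reply www.platform.sh is 1.2.3.4
"""

# Record type in group 1, queried name in group 2
QUERY_RE = re.compile(r"query\[([A-Z]+)\] (\S+) from ")


def requested_domains(log_text):
    """Unique, sorted FQDNs from query lines, like `sort -u` in the page's awk pipeline.

    Multi-letter record types such as AAAA are accepted; PTR (reverse) lookups are
    excluded, matching the intent of the [^P] class in the awk regex.
    """
    names = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(1) != "PTR":
            names.add(m.group(2).lower().rstrip("."))
    return sorted(names)


def unlisted_domains(log_text, allowed_domains):
    """Requested names that no `domains` rule covers.

    The log records a query even when the firewall later blocks the connection, so
    these are the candidates to either add to the rules or investigate.
    """
    allowed = {d.lower().rstrip(".") for d in allowed_domains}
    return [name for name in requested_domains(log_text) if name not in allowed]


if __name__ == "__main__":
    # To run against a real file: requested_domains(open("/var/log/dns.log").read())
    print("requested:   ", requested_domains(SAMPLE_LOG))
    print("not in rules:", unlisted_domains(SAMPLE_LOG, ["api.stripe.com", "api.twilio.com"]))
```

With the constructed sample, requested_domains returns api.stripe.com and www.platform.sh (the AAAA query collapses into the same name and the PTR lookup is dropped), and checking that list against a rule set that only names api.stripe.com and api.twilio.com flags www.platform.sh as a destination the rules do not cover. Because the log does not record connections made directly to an IP address, this check only audits the domains side of your rules.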