Add security policies for ports

You can configure security policies for a service's port. Port security policies apply to all public DNS entries and paths assigned to the port.

To configure a port-wide security policy, expand the custom domains & security rules menu for a port and add a new IP policy, credentials, or select an organisation for SSO access control.

IP policies allow you to either block IP addresses from accessing a port, or to only allow certain IP addresses and exclude all others. You can use this feature to, for example:

• Block the IP ranges of certain countries to meet legal requirements
• Block the IP addresses of malicious actors
• Allow only the IP addresses of your employees or clients to help secure a website or data
• Allow only the IP address for a required external service

You can set IP policies for a specific port from the security rules section of the ports & DNS page of combined and deployment services.

You can enter specific IP addresses or use CIDR blocks to allow or deny ranges of IP addresses. For example, 192.168.0.0/24 would apply your policy to IP addresses in the range 192.168.0.0 - 192.168.0.255.

Allowing an IP address, or a range of addresses, will block all other IP addresses.

Denying an IP address will always take precedence over allowing an IP address, so it isn't possible to deny a range of IP addresses and allow specific ones within that range. You can, however, allow a range of IP addresses and deny specific IP addresses within the range.

You can apply rules to one or multiple ports, and apply different policies to different ports on the same service.

Basic authentication is a simple method to prevent unwanted access to a website or endpoint. If you have added basic authentication to a port users will need to enter a valid username and password in the browser prompt to access your service, or send an authorization header with their HTTP requests.

You can add basic access authentication to a specific port from the security rules section of the ports & DNS page of deployment and combined services.

You can add multiple username and password combinations to the same port.

You can require users to authenticate via your SSO provider before they can access your Northflank service.

You can require SSO authentication for a port on a service by expanding the custom domains & security rules option.

Select your organisation's ID and choose the directory groups you want to be able to access the service via the port.

You can enforce internal traffic through the SSO authentication flow, which means that requests made using private networking will need to authenticate. This applies to other services, as well as any users using port forwarding with the Northflank CLI.

You can allow internal traffic to skip the SSO authentication flow for requests using a public DNS, which includes traffic from the same project or projects with ingress permissions from multi-project networking.

These enforce/allow options are mutually exclusive. The default behaviour allows private networking to skip authentication, but requires authentication for all traffic accessing the port via public endpoints.