Automated network security
This feature is only available in our Growth tier
One of the silent benefits of using Architect’s dependency management features is the ability for our platform to generate network policies automatically with each deployment. Architect automatically reads in references to service interfaces to determine which applications are designed to communicate with one another, and uses that metadata to enrich deployments with strict, zero-trust network policies.
Check out our blog to learn more about Zero-trust networking
This feature only works for remote environments since local environments aren’t accessible to the public web
Unlike for internal services, Architect has no idea who the intended users are for external services exposed via ingress rules. By default, the API gateway is configured to allow traffic from everywhere.
However, there are some cases where you’d want to limit who can access your applications. Architect ingress rules can be configured individually to allow traffic only from specific IP addresses or CIDR blocks.
services: frontend: interfaces: app: port: 8080 ingress: ip_whitelist: - 100.100.100.100 - 10.0.0.0/16
Requires extra steps for AWS EKS clusters
If you’re deploying your component to a private, EKS cluster, you’ll need to do one extra step to ensure that the cluster API gateway receives the correct IP addresses from AWS.
Login to your AWS dashboard and find the target groups that were created by the EKS cluster with the prefix,
k8s-arcmanag-traefik. For each group, click on the
Attributes tab and make sure that
Proxy protocol v2 and
Preserve client IP addresses are set to
Getting “Forbidden” even though my IP address is allowed
Stuck getting a “Forbidden” message even though you’ve provided a valid IP address in the
ip_whitelist field? The first thing you need to confirm is whether or not you’re actually using the right IP address. To see what IP address is visible externally, go to whatsmyip.org.
Another reason you could be seeing this is if “proxy protocol” is not enabled on your load balancer. If you’re deploying to your own cluster instead of Architect Cloud, be sure that your cloud provide supports “proxy protocol” for their load balancers and double check to make sure that it is enabled for yours. Every provider has different methods for enabling the feature, so please refer to your cloud provider’s documentation for further instructions.