Hi, what type of firewall does Render use for its services?
We use several hardware and software technologies to handle unwanted network connections including but not limited to:
- ufw or equivalent
- iptables, eBPF
- Kubernetes network policies
- Cloud provider-specific network ACLs
The mix is always changing as we adjust our implementation and improve our security posture.
How exactly does this firewall that you have implemented work? I am receiving brute force attacks on IPs from cloud service providers like Azure or AWS. These IP ranges should be in this firewall, right? I think this should not reach my application.
AWS and Azure IP addresses are not blocked from making requests to public services hosted on Render.
Can I somehow manipulate the firewall of the server in front of my application to limit requests to my website from some IP ranges, such as cloud service IP ranges? I am currently blocking these IPs from my application, but it would be even better if I could prevent these requests from arriving, since it would be something that my application would not have to process. I don't think a normal user would use an IP from a cloud-hosted service to connect to a website. So I think it would be useful to be able to prevent criminals from carrying out attacks like the ones I am receiving. I thought I wouldn't have to worry about these things here on Render.
There are bad actors on every network: ISP ranges, hosted service ranges (AWS, Azure, GCP, etc.), and so on. However, there are also normal users on every network. Render does not block whole networks outright, as that would prevent visitors from accessing services on Render.
Render's firewall rules have more to do with request data than with the requester's IP address alone.
If you would like to block whole networks external to your service on Render, you can use a WAF for your domain and establish those blocks yourself.
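Since the platform firewall does not filter by source network, the blocking the original poster describes has to happen in a WAF or in the application itself. The following is an added example, not Render's code and not the poster's: an application-side CIDR blocklist check that takes the client address from X-Forwarded-For. It assumes the service sits behind a reverse proxy that appends the client address to that header, and that the number of trusted proxy hops (the hypothetical TRUSTED_PROXY_HOPS setting) is known; the CIDRs are documentation prefixes constructed for the example, standing in for a cloud provider's published ranges. The point a practitioner wants shown is that only the entries appended by trusted proxies can be believed, so a client-supplied X-Forwarded-For value cannot be used to dodge the list, and that IPv4-mapped IPv6 addresses are unwrapped so the IPv4 entries still match.

```python
"""Added example (not Render's or the original poster's code): block requests whose
client IP falls inside a configured list of CIDR ranges, at the application layer.

Assumptions (not from the thread):
- A reverse proxy in front of the app appends the peer address to X-Forwarded-For.
- TRUSTED_PROXY_HOPS (hypothetical setting) is the number of such proxies and must
  match the real topology; it is assumed to be 1 here.
- BLOCKED_CIDRS are constructed documentation prefixes, standing in for a cloud
  provider's published ranges, which change often and must be refreshed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample ranges: TEST-NET-3, half of TEST-NET-2, and an IPv6 doc prefix.
BLOCKED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:abcd::/48"]

# Hypothetical deployment setting: proxies we control that append X-Forwarded-For.
TRUSTED_PROXY_HOPS = 1


def build_blocklist(cidrs: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDRs once at startup; a malformed entry raises here, not per request."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def parse_ip(text: str) -> Optional[IPAddress]:
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) so that IPv4
    blocklist entries still match. Returns None for anything unparseable."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def client_ip(headers: Dict[str, str], remote_addr: str,
              trusted_hops: int = TRUSTED_PROXY_HOPS) -> Optional[IPAddress]:
    """Pick the client address. Only the last `trusted_hops` X-Forwarded-For entries
    were appended by proxies we control; everything before them was sent by the
    client and can be forged. With no trusted proxy, or fewer entries than expected
    hops, fall back to the TCP peer address instead of trusting the header."""
    xff = headers.get("X-Forwarded-For", "")
    parts = [p for p in xff.split(",") if p.strip()]
    if trusted_hops <= 0 or len(parts) < trusted_hops:
        return parse_ip(remote_addr)
    return parse_ip(parts[-trusted_hops])


def is_blocked(ip: IPAddress, blocklist: List[IPNetwork]) -> bool:
    # `in` across IPv4/IPv6 versions returns False rather than raising.
    return any(ip in net for net in blocklist)


def decide(headers: Dict[str, str], remote_addr: str, blocklist: List[IPNetwork],
           trusted_hops: int = TRUSTED_PROXY_HOPS) -> Tuple[str, Optional[str]]:
    """Return ("allow" | "block" | "invalid", client_ip_text). An unparseable client
    address is rejected rather than allowed, so a bad header cannot bypass the list."""
    ip = client_ip(headers, remote_addr, trusted_hops)
    if ip is None:
        return "invalid", None
    return ("block" if is_blocked(ip, blocklist) else "allow"), str(ip)


if __name__ == "__main__":
    bl = build_blocklist(BLOCKED_CIDRS)
    # Constructed requests: the proxy appended the last entry; the first was client-supplied.
    print(decide({"X-Forwarded-For": "192.0.2.10, 203.0.113.7"}, "10.0.0.5", bl))
    print(decide({"X-Forwarded-For": "203.0.113.7, 192.0.2.10"}, "10.0.0.5", bl))
    print(decide({"X-Forwarded-For": "::ffff:203.0.113.9"}, "10.0.0.5", bl))
```

Wire `decide` into a middleware that returns 403 on "block" and 400 on "invalid". The caveat from the replies above still applies: a CIDR or ASN blocklist for whole provider ranges also turns away legitimate traffic from those networks (VPNs, corporate egress, bots you do want), and the lists rotate, so treat it as a rate-limiting complement rather than a substitute for a WAF that can act on request data.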