Allowing this type of access decreases the latency of your workloads by sending each request over the most direct path possible, and it increases security by validating the client certificate of the remote workload. Calling the endpoint of a service follows a specific URL syntax that is composed of the workload name and GVC name.
inboundAllowWorkload, including workloads from other GVCs, are allowed access to this workload.
localhost doesn't require this setting and will force the request to the current workload. By using this setting and sending the request using the service endpoint syntax, the request will be routed to all replicas instead of only the local one.
Only the ports listed in the workload containers array will be made accessible to other workloads.
Internal workload-to-workload traffic that spans GVCs may also span locations and will incur egress charges.
PORT is optional, the first port listed in the target workloads container array will be used as the default port for
To configure the internal firewall rules using the console:
Workloads in the left menu and click the workload to be configured.
Firewall Config and scroll to the
Inbound Allow Type dropdown and select the inbound access for this workload.
Save button at the bottom of the page.
After clicking save, the rule will be enforced within a minute and a new deployment of the workload will be queued.
To modify the internal firewall rule with the CLI, use the workload edit command.
cpln workload edit WORKLOAD_NAME --org ORG_NAME --gvc GVC_NAME
internal under the
inboundAllowType property to one of the following (case-sensitive) values:
workload-list is selected, update the
inboundAllowWorkload property with the names of the allowed workloads using the
A quick start demonstrating service-to-service calls is available here.
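An added example, not Control Plane's own code: a pre-deployment check that reads the internal firewall section of a workload spec and reports settings that are invalid or broader than needed. The spec layout (spec.firewallConfig.internal, containers[].ports) and the allow-type values other than workload-list are assumptions, and the sample spec is constructed.

```python
import json

# Assumption: values other than "workload-list" come from Control Plane's
# workload schema as recalled here; this page names only "workload-list".
ALLOW_TYPES = {"none", "same-gvc", "same-org", "workload-list"}

def audit_internal_firewall(workload: dict) -> list:
    """Return least-privilege findings for spec.firewallConfig.internal."""
    spec = workload.get("spec", {})
    internal = spec.get("firewallConfig", {}).get("internal", {})
    allow_type = internal.get("inboundAllowType")
    allowed = internal.get("inboundAllowWorkload") or []
    findings = []
    if allow_type not in ALLOW_TYPES:
        # Values are case sensitive, so "Workload-List" lands here.
        return [f"invalid inboundAllowType: {allow_type!r}"]
    if allow_type == "workload-list" and not allowed:
        findings.append("workload-list selected but inboundAllowWorkload is empty")
    if allow_type != "workload-list" and allowed:
        findings.append("inboundAllowWorkload has entries but type is not workload-list")
    if allow_type == "same-org":
        # Assumed meaning: any workload in the org may connect.
        findings.append("same-org is broad; prefer workload-list")
    # Only ports listed on the containers are reachable by other workloads.
    ports = [p for c in spec.get("containers", []) for p in c.get("ports", [])]
    if allow_type != "none" and not ports:
        findings.append("inbound allowed but no container lists a port")
    return findings

# Constructed sample spec; field layout is assumed, names are placeholders.
SAMPLE = json.loads("""
{"kind": "workload", "name": "WORKLOAD_NAME",
 "spec": {"containers": [{"name": "api", "ports": [{"number": 8080}]}],
          "firewallConfig": {"internal": {
              "inboundAllowType": "workload-list",
              "inboundAllowWorkload": []}}}}
""")

if __name__ == "__main__":
    for finding in audit_internal_firewall(SAMPLE):
        print(finding)
```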