The internal firewall rules for a workload can be configured to allow inbound access from other workloads in the same org.
Allowing this type of access decreases the latency of your workloads by sending the request over the most direct path possible and increases security by validating the client certificate of the remote workload. Calling the endpoint of a service follows a specific URL syntax that consists of the workload name and GVC name.
The internal firewall settings are part of the firewall options of a workload and can be set to one of the following types:

- None
- Same GVC
- Same Org: workloads in the same org, including workloads from other GVC's, are allowed access to this workload.
- Specific Workloads: the workloads listed in the inboundAllowWorkload property are allowed access to this workload.

Note: localhost doesn't require this setting and will force the request to the current workload. By using this setting and sending the request using the service endpoint syntax, the request will be routed to all replicas instead of only the local one.

Note: Internal workload-to-workload traffic that spans GVC's may also span locations and will incur egress charges.
Once inbound access has been allowed on a workload, the following syntax is used when calling the workload from another workload:

http://WORKLOAD_NAME.GVC_NAME.cpln.local[:PORT]

PORT is optional.

To configure the internal firewall rules using the console:

1. Click Workloads in the left menu and click the workload to be configured.
2. Click Firewall Config and scroll to the Internal section.
3. Click the Inbound Allow Type dropdown and select the inbound access for this workload.
4. Click the Save button at the bottom of the page.

After clicking save, the rule will be enforced within a minute and a new deployment of the workload will be queued.
To modify the internal firewall rule with the CLI, use the workload edit command:

cpln workload edit WORKLOAD_NAME --org ORG_NAME --gvc GVC_NAME

Navigate to the internal object under the firewallConfig section and set the inboundAllowType property to one of the following (case sensitive) values:

- none
- same-gvc
- same-org
- workload-list

If workload-list is selected, update the inboundAllowWorkload property with the names of the allowed workloads using the format:

/org/ORG_NAME/gvc/GVC_NAME/workload/WORKLOAD_NAME

If you want to allow the workload the ability to call itself, the WORKLOAD_NAME will be the same as the name of the workload.
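As an added example (not part of Control Plane's docs or CLI), the script below audits a workload's firewallConfig.internal block against the rules on this page: it rejects inboundAllowType values outside the four case-sensitive values, flags same-org as the broadest setting, validates each inboundAllowWorkload entry against the documented path format, and builds the service endpoint URL. The org, GVC and workload names and the sample specs are constructed.

```python
import re

# Shape of firewallConfig.internal follows the properties the doc names.
WORKLOAD_PATH = re.compile(
    r"^/org/(?P<org>[^/]+)/gvc/(?P<gvc>[^/]+)/workload/(?P<workload>[^/]+)$")
VALID_TYPES = ("none", "same-gvc", "same-org", "workload-list")


def service_endpoint(workload, gvc, port=None):
    """Internal service URL in the documented form http://WORKLOAD.GVC.cpln.local[:PORT]."""
    return f"http://{workload}.{gvc}.cpln.local" + (f":{port}" if port else "")


def audit_internal_firewall(name, org, gvc, internal):
    """Review one workload's firewallConfig.internal block; returns (level, message) findings."""
    findings = []
    allow_type = internal.get("inboundAllowType")
    if allow_type not in VALID_TYPES:
        # Values are case sensitive, so "Same-Org" or "SAME_ORG" is a misconfiguration.
        findings.append(("error", f"{name}: inboundAllowType {allow_type!r} not in {VALID_TYPES}"))
        return findings
    if allow_type == "same-org":
        findings.append(("warn", f"{name}: same-org admits every workload in the org, including "
                                 "other GVCs (cross-GVC traffic may span locations and incur egress)"))
    if allow_type == "workload-list":
        for entry in internal.get("inboundAllowWorkload", []):
            m = WORKLOAD_PATH.match(entry)
            if not m:
                findings.append(("error", f"{name}: {entry!r} is not /org/ORG/gvc/GVC/workload/NAME"))
            elif m["org"] != org:
                findings.append(("error", f"{name}: {entry!r} names another org; internal access is same-org only"))
            elif m["gvc"] != gvc:
                findings.append(("warn", f"{name}: {entry!r} is in another GVC; traffic may incur egress charges"))
    return findings


# Constructed sample: one over-permissive workload and one least-privilege workload.
ORG, GVC = "acme", "prod"
SPECS = {
    "api": {"inboundAllowType": "same-org"},
    "worker": {"inboundAllowType": "workload-list",
               "inboundAllowWorkload": [f"/org/{ORG}/gvc/{GVC}/workload/api",
                                        f"/org/{ORG}/gvc/staging/workload/api",
                                        "api"]},  # bare name, not the documented path
}

if __name__ == "__main__":
    for wl, internal in SPECS.items():
        for level, msg in audit_internal_firewall(wl, ORG, GVC, internal):
            print(level.upper(), msg)
    print(service_endpoint("api", GVC, 8080))
```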
A quick start demonstrating service-to-service calls is available here.