Overview
The internal firewall rules for a workload can be configured to allow inbound access from other workloads in the same org. Allowing this type of access decreases the latency of your workloads by making the request in the most direct path possible and increases security by validating the client certificate of the remote workload. Calling the endpoint of a service follows a specific URL syntax that uses the workload name and GVC name.
Prerequisites
- Have permissions to edit a workload.
- Optional: Install the CLI.
Internal Firewall
The internal firewall settings are part of the firewall options of a workload and can be set to one of the following types:
- None
- Same GVC
- Same Org
- Workload List
  - Only specific workloads listed in `inboundAllowWorkload`, including workloads from other GVCs, are allowed access to this workload.
  - With this rule selected, the workload can be set to allow replicas of itself to access itself by enabling the `Allow Access To Itself` button. Calling a workload using `localhost` doesn't require this setting and will force the request to the current workload. By using this setting and sending the request using the service endpoint syntax, the request will be routed to all replicas instead of only the local one.
  - If using KEDA, enable the `Allow KEDA Access` button. See KEDA autoscaling for details.
- Same GVC and Workload List
  - A combination of the `Same GVC` and `Workload List` rules.
Internal workload to workload traffic that spans GVCs may also span locations and will incur egress charges.
Service Endpoint Syntax
Once inbound access has been allowed on a workload, the following syntax is used when calling the workload from another workload:
Syntax
- If `PORT` is omitted, the first port listed in the target workload's container array is used as the default port for `http` requests.
- Internal communication works with `gRPC`, `HTTP`, `HTTP2`, and `TCP`.
- Requests are initiated using plaintext communication. A sidecar service initiates TLS on behalf of the workload.
- Control Plane enforces mutual TLS (mTLS) for all internal workload-to-workload communication.
- Headers may optionally be used on the receiving workload to verify that the communication was encrypted.
- Only the ports listed in the workload containers array will be made accessible to other workloads.
Configure internal firewall using the Console
To configure the internal firewall rules using the Console:
- Click `Workloads` in the left menu, then select the workload to configure.
- Click `Firewall`, then click the `Internal` tab.
- Click the `Inbound Allow Type` dropdown and select the inbound access for this workload.
- Click `Update`.
Configure internal firewall using the CLI
To modify the internal firewall rule with the CLI, use the workload edit command.
- Run the following command to open the workload metadata in your default text editor:
- Scroll down to the `internal` section under `firewallConfig`.
- Update the `inboundAllowType` property to one of the following (case sensitive) values: `none`, `same-gvc`, `same-org`, `workload-list`.
- `inboundAllowWorkload`: use this with `workload-list`, or with `same-gvc` when you want to allow all workloads in the same GVC plus specific workloads from other GVCs.
Format
To allow a workload to call itself, use that workload's own name for `WORKLOAD_NAME`.
- Save the file. If the save is successful, the new rules will be applied within a minute and a deployment of the workload will be queued.
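Before saving an edited spec, it is worth checking the `firewallConfig.internal` section against the rules above (case-sensitive `inboundAllowType` values, `inboundAllowWorkload` only honoured with `workload-list` or `same-gvc`). The lint below is an added example, not Control Plane tooling; it assumes the section sits directly under a `firewallConfig` key and uses constructed sample specs with a placeholder workload reference, since this page does not show the entry format.

```python
"""Lint the internal-firewall section of Control Plane workload specs.

Added example (not Control Plane's own code). Assumes each spec is a dict
with a firewallConfig.internal section as described in the CLI steps.
"""

# Valid values are case sensitive, exactly as the page lists them.
ALLOWED_TYPES = {"none", "same-gvc", "same-org", "workload-list"}
# Only these types consult inboundAllowWorkload.
TYPES_USING_LIST = {"workload-list", "same-gvc"}


def lint_internal_firewall(name, spec):
    """Return a list of finding strings for one workload (empty = clean)."""
    findings = []
    internal = spec.get("firewallConfig", {}).get("internal", {})
    allow_type = internal.get("inboundAllowType")
    allowed = internal.get("inboundAllowWorkload") or []

    if allow_type is None:
        return [f"{name}: inboundAllowType is missing"]
    if allow_type not in ALLOWED_TYPES:
        hint = ""
        if allow_type.lower() in ALLOWED_TYPES:  # common slip: wrong case
            hint = f" (case sensitive; did you mean '{allow_type.lower()}'?)"
        return [f"{name}: invalid inboundAllowType '{allow_type}'{hint}"]
    if allow_type == "workload-list" and not allowed:
        findings.append(f"{name}: workload-list with empty inboundAllowWorkload; no workload can reach it")
    if allow_type not in TYPES_USING_LIST and allowed:
        findings.append(f"{name}: inboundAllowWorkload is ignored unless type is workload-list or same-gvc")
    if allow_type == "same-org":
        findings.append(f"{name}: same-org is the broadest internal rule; review against least privilege")
    return findings


def lint_all(workloads):
    """Lint a {name: spec} mapping and return all findings in order."""
    return [f for name, spec in workloads.items() for f in lint_internal_firewall(name, spec)]


# Constructed sample specs; "PLACEHOLDER-WORKLOAD-REF" stands in for a real entry.
SAMPLE_WORKLOADS = {
    "api": {"firewallConfig": {"internal": {"inboundAllowType": "workload-list", "inboundAllowWorkload": []}}},
    "worker": {"firewallConfig": {"internal": {"inboundAllowType": "Same-GVC"}}},
    "cache": {"firewallConfig": {"internal": {"inboundAllowType": "same-org"}}},
    "db": {"firewallConfig": {"internal": {"inboundAllowType": "same-gvc",
                                           "inboundAllowWorkload": ["PLACEHOLDER-WORKLOAD-REF"]}}},
}

if __name__ == "__main__":
    for finding in lint_all(SAMPLE_WORKLOADS):
        print(finding)
```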