Environment Network Isolation
The Network Isolation feature manages the default access rules between environments inside a single PaaS installation (i.e. connectivity over the internal network).
This way, each internal connection between nodes on the platform has to pass a check before it is allowed: the platform verifies that the requesting and the requested environments belong to the same isolated group.
Private Network Isolation
If the Network Isolation feature is enabled on the platform, all accounts are isolated from each other by default. In such a case, the connection between environments on different user accounts can be established only if configured explicitly on both ends.
Additionally, the feature allows developers to isolate groups of environments within a particular account. Just turn on the Network Isolation switcher in the Add/Edit Group frame.
The platform automatically unites the containers' internal addresses into a dedicated IP set for each isolated group. Access between nodes is then decided by set membership: if both IPs are within the same set, the interconnection is permitted; if not, it is denied. The platform automatically detects all the related changes under your account (e.g. environment removal, node scaling, etc.) to keep the IP sets up to date.
While managing Network Isolation, you should consider the following peculiarities:
- isolation can be enabled for the top-level group only (i.e. not for subgroups)
- environment groups with enabled isolation are marked with a custom shield icon for better recognition
- shared environments cannot be included in isolated groups by collaborators
- this feature does not limit access to your containers from outside of the platform (e.g. via a public IP)
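To make the rules above concrete, here is a small policy model written for this page (it is an added example, not the platform's own code or API). It follows the description in the two preceding sections: every environment's container IPs are united into one IP set per isolated top-level group (or one account-wide set for environments outside any isolated group), a connection is permitted only when both IPs fall into the same set, accounts are isolated from each other by default, and a cross-account connection opens only when it is configured on both ends. All names, addresses and the per-environment "allowed_peers" field are constructed assumptions for illustration; the model is also rebuilt on every change event to mirror the platform keeping its IP sets up to date.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict, Set


@dataclass
class Environment:
    """One environment: its account, optional top-level group and the internal IPs of its nodes."""
    name: str
    account: str
    group: Optional[str] = None
    node_ips: Set[str] = field(default_factory=set)
    # Assumption: the "configured explicitly on both ends" rule is modelled as each side
    # naming the cross-account environments it permits.
    allowed_peers: Set[str] = field(default_factory=set)


SetKey = Tuple[str, str]  # (account, isolated group) or (account, "*") for the account-wide set


class NetworkIsolation:
    """Toy policy engine: one IP set per isolated group, rebuilt whenever environments change."""

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self.envs: Dict[str, Environment] = {}
        self.isolated_groups: Set[SetKey] = set()          # groups with the Network Isolation switcher on
        self.ip_sets: Dict[SetKey, Set[ipaddress.IPv4Address]] = {}

    # --- change events the platform reacts to (environment added/removed, nodes scaled) ---
    def add_environment(self, env: Environment) -> None:
        self.envs[env.name] = env
        self._rebuild()

    def remove_environment(self, name: str) -> None:
        del self.envs[name]
        self._rebuild()

    def scale(self, name: str, new_ip: str) -> None:
        self.envs[name].node_ips.add(new_ip)
        self._rebuild()

    def enable_group_isolation(self, account: str, group: str) -> None:
        self.isolated_groups.add((account, group))  # only top-level groups can be isolated
        self._rebuild()

    # --- IP set bookkeeping ---
    def _set_key(self, env: Environment) -> SetKey:
        if env.group is not None and (env.account, env.group) in self.isolated_groups:
            return (env.account, env.group)   # dedicated set for the isolated group
        return (env.account, "*")             # everything else in the account shares one set

    def _rebuild(self) -> None:
        self.ip_sets = {}
        for env in self.envs.values():
            members = self.ip_sets.setdefault(self._set_key(env), set())
            members.update(ipaddress.ip_address(ip) for ip in env.node_ips)

    def _lookup(self, ip: str) -> Optional[SetKey]:
        addr = ipaddress.ip_address(ip)
        for key, members in self.ip_sets.items():
            if addr in members:
                return key
        return None

    def _env_of(self, ip: str) -> Optional[Environment]:
        for env in self.envs.values():
            if ip in env.node_ips:
                return env
        return None

    # --- the check every internal connection has to pass ---
    def is_allowed(self, src_ip: str, dst_ip: str) -> bool:
        if not self.enabled:
            return True                     # feature off: no internal-network restriction
        src_key, dst_key = self._lookup(src_ip), self._lookup(dst_ip)
        if src_key is None or dst_key is None:
            return False                    # unknown or already removed node: nothing to match
        if src_key == dst_key:
            return True                     # same IP set -> interconnection permitted
        src_env, dst_env = self._env_of(src_ip), self._env_of(dst_ip)
        if src_env.account != dst_env.account:
            # different accounts: only an explicit configuration on BOTH ends opens the path
            return dst_env.name in src_env.allowed_peers and src_env.name in dst_env.allowed_peers
        return False                        # same account, different isolated sets -> denied


def demo() -> bool:
    """Constructed scenario: a production group isolated from a dev environment and a partner account."""
    m = NetworkIsolation()
    m.add_environment(Environment("web", "acct-a", "prod", {"10.0.0.1"}))
    m.add_environment(Environment("db", "acct-a", "prod", {"10.0.0.2"}))
    m.add_environment(Environment("dev", "acct-a", "dev", {"10.0.0.3"}))
    m.add_environment(Environment("partner", "acct-b", None, {"10.0.1.1"}))
    m.enable_group_isolation("acct-a", "prod")
    return m.is_allowed("10.0.0.1", "10.0.0.2") and not m.is_allowed("10.0.0.1", "10.0.0.3")


if __name__ == "__main__":
    print("prod isolated as expected:", demo())
```

The model makes the "both ends" rule visible: configuring a peer on only one environment leaves the connection denied, and removing or scaling an environment changes the answer immediately because the IP sets are rebuilt on each event rather than cached.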
Using Network Isolation
Summing all this up, Network Isolation is a useful and user-oriented feature aimed at preventing undesired access to your environments. Commonly, it is a good practice to isolate your applications from each other. For example:
- If you need to share access to your application or database with a third-party employee or company, you can be sure that containers inside the isolated group will not be accessible via the platform's internal network
- If you are cloning an initially isolated project, it will be protected from the clone's influence (e.g. if your copied project inherited "hardcoded" database access, the Network Isolation feature disables it so that the actual production data cannot be changed)
This way, the Network Isolation feature can separate projects on a single account and prevent undesired interconnections between them.