Configuring Instance Security

Security rules control who can access your instance. Like the rules of an inbound network firewall, you can specify the protocols, ports, and source IP ranges that are allowed to reach your instance.

When configuring security rules, keep in mind the following:

  • You can add and remove rules at any time. Your changes are automatically applied to the instance.
  • You cannot modify an existing rule; you must delete the rule and add a new rule.
  • Security rules in FME Cloud are always permissive; you cannot create rules that deny access.
  • Rules are specific to an instance.

For each rule, you specify the following:

  • The protocol to allow (for example, TCP or UDP).
  • The range of ports to allow.
  • One of the following sources of inbound traffic to allow:
    • An individual IP address, in CIDR notation. Be sure to use the /32 prefix after the IP address; a /0 prefix (for example, 203.0.113.1/0) matches every address, so the port is open to everyone. For example, specify the IP address 203.0.113.1 as 203.0.113.1/32.
    • An IP address range, in CIDR notation (for example, 203.0.113.0/24).

Rules are additive: traffic is allowed if any rule matches it, so if there is more than one rule for a specific port, the most permissive rule applies. For example, if you have a rule that allows access to TCP port 5432 (Database) from IP address 203.0.113.1 and another rule that allows access to port 5432 from any IP (0.0.0.0/0), everyone has access to TCP port 5432. Restricting a port therefore means removing the broad rule, not just adding a narrow one.

Default Security Rules

On launch, your FME Cloud instance has a set of security rules applied to it. The following are the initial settings for each instance:

  • The following ports are open to inbound traffic: 25 (e-mail), 80 (web), 443 (HTTPS, also used for WebSocket connections) and 8998 (real-time logging). Port 22 is not configurable, as we do not allow SSH onto the instance.
  • All outbound traffic is allowed from the instance.

Deleting a Security Rule

  1. Go to the FME Cloud dashboard (https://console.fmecloud.safe.com/instances).
  2. Select the instance for which you want to configure security.
  3. The bottom panel provides information about that instance. Click on the Security tab.
  4. On the left are the default permissions for the instance. Click on the trash can next to any rule to remove it. For example, if you delete the port 5432 rule, you are no longer able to connect to the PostGIS database.

Adding a Security Rule

In the following example, we add a rule to ensure the PostGIS database is accessible only from your local IP address:

  1. Go to the FME Cloud dashboard (https://console.fmecloud.safe.com/instances).
  2. Select the instance for which you wish to configure security.
  3. The bottom panel provides information about that instance. Click on the Security tab.
  4. Follow the instructions in the previous section to delete the existing port 5432 permission. Delete first, then add: if you add the narrow rule while the broad one still exists, the broad rule continues to apply.
  5. On the right, under New inbound Permissions, enter tcp for the protocol. Under Port range enter 5432. Under Source, enter your IP address with a /32 prefix (for example, 203.0.113.1/32). A wider prefix such as 203.0.113.0/24 would admit every address in that range, not just your machine.
  6. Click Add Rule.

A rule is now applied that ensures only the machine at 203.0.113.1 can connect to the database on port 5432. Verify that no other rule for port 5432 remains on the left, since any remaining rule with a broader source would still allow access.
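The rule semantics described above (permissive-only, additive, most permissive rule wins) and the PostGIS lockdown just performed, modelled as an added example in Python. This is not FME Cloud code and not the console's own logic: how the console interprets a CIDR with host bits set (for example 203.0.113.1/0) is an assumption, and the starting rule set, including a port 5432 rule open to 0.0.0.0/0, is constructed for the example rather than taken from a real instance.

```python
# Added example: a model of FME Cloud-style inbound security rules, written to
# illustrate the page's semantics. It is not FME Cloud code; how the real
# console parses CIDR input is an assumption here.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str     # "tcp" or "udp"
    port_from: int    # inclusive start of the port range
    port_to: int      # inclusive end of the port range
    source: str       # source of inbound traffic, in CIDR notation

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        """True if this rule permits the given inbound connection."""
        if self.protocol.lower() != protocol.lower():
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        # strict=False mirrors a console that silently zeroes host bits,
        # so 203.0.113.1/0 behaves as 0.0.0.0/0 (assumption).
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)


def is_allowed(rules: Iterable[Rule], protocol: str, port: int, src_ip: str) -> bool:
    """Rules are permissive-only and additive: any matching rule allows the
    traffic, which is why the most permissive rule for a port always wins."""
    return any(r.matches(protocol, port, src_ip) for r in rules)


def describe_source(cidr: str) -> str:
    """Classify a Source field before it is typed into the console."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        try:
            effective = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return "invalid"
        return f"host bits set, effective network {effective}"
    if net.prefixlen == 0:
        return "open to everyone"
    if net.num_addresses == 1:
        return "single host"
    return f"range of {net.num_addresses} addresses"


def audit(rules: Iterable[Rule]) -> List[str]:
    """Flag every rule that exposes its port range to everyone (/0 source)."""
    return [
        f"{r.protocol}/{r.port_from}-{r.port_to} open to everyone ({r.source})"
        for r in rules
        if ipaddress.ip_network(r.source, strict=False).prefixlen == 0
    ]


# Constructed starting state: the page's default ports, assumed here to accept
# traffic from any source, plus a 5432 rule that is also open to everyone.
DEFAULT_RULES = [
    Rule("tcp", 25, 25, "0.0.0.0/0"),      # e-mail
    Rule("tcp", 80, 80, "0.0.0.0/0"),      # web
    Rule("tcp", 443, 443, "0.0.0.0/0"),    # HTTPS / WebSocket
    Rule("tcp", 8998, 8998, "0.0.0.0/0"),  # real-time logging
    Rule("tcp", 5432, 5432, "0.0.0.0/0"),  # PostGIS (assumed open by default)
]


def lock_down_postgis(rules: List[Rule], my_ip: str) -> List[Rule]:
    """Delete every existing 5432 rule, then add a single /32 rule. Deleting
    first matters: adding first would leave the /0 rule in place and it wins."""
    kept = [r for r in rules
            if not (r.protocol == "tcp" and r.port_from <= 5432 <= r.port_to)]
    return kept + [Rule("tcp", 5432, 5432, f"{my_ip}/32")]


def postgis_lockdown_demo() -> Tuple[bool, bool, bool]:
    """Returns (stranger allowed before, stranger allowed after, my IP allowed after)."""
    stranger, me = "198.51.100.7", "203.0.113.1"   # constructed addresses
    before = is_allowed(DEFAULT_RULES, "tcp", 5432, stranger)
    locked = lock_down_postgis(DEFAULT_RULES, me)
    return before, is_allowed(locked, "tcp", 5432, stranger), is_allowed(locked, "tcp", 5432, me)


if __name__ == "__main__":
    print("audit of defaults:", *audit(DEFAULT_RULES), sep="\n  ")
    print("5432 stranger before / stranger after / me after:", postgis_lockdown_demo())
    for src in ("203.0.113.1/32", "203.0.113.0/24", "203.0.113.1/0", "0.0.0.0/0"):
        print(f"{src:16} -> {describe_source(src)}")
```

Running the script shows the two points the procedure depends on: with both a /0 and a /32 rule for port 5432 present, a stranger is still allowed, and only removing the /0 rule changes that; and a Source of 203.0.113.0/24 is a range of 256 addresses, not a single machine, while 203.0.113.1/0 collapses to 0.0.0.0/0.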