Configuring Instance Security

Security permissions control who can access your instance. Like the rules of an inbound network firewall, you can specify the protocols, ports, and source IP ranges that are allowed to reach your instance.

When configuring security permissions, keep in mind the following:

  • You can add and remove permissions at any time. Your changes are automatically applied to the instance.
  • You cannot modify an existing permission; you must delete the rule and add a new permission.
  • Security rules in FME Flow Hosted are always permissive; you cannot create rules that deny access.
  • Permissions are specific to an instance.

For each permission, you specify the following:

  • The protocol to allow (for example, TCP or UDP).
  • The range of ports to allow.
  • One of the following sources of inbound traffic to allow:
    • An individual IP address, in CIDR notation. Be sure to use the /32 prefix after the IP address; if you use the /0 prefix after the IP address, the port is open to everyone. For example, specify the IP address 203.0.113.1 as 203.0.113.1/32.
    • An IP address range, in CIDR notation (for example, 203.0.113.0/24).
    Note: IPv6 addresses are not supported. The IP address must be IPv4.

If there is more than one permission for a specific port, the most permissive rule applies. For example, if you have a permission that allows access to TCP port 5432 (Database) from IP address 203.0.113.1 and another permission that allows access to port 5432 from any IP (0.0.0.0/0), everyone has access to TCP port 5432.
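The following Python sketch is an added example, not part of FME Flow Hosted or its documentation. It audits a list of permissions for the cases described above: a /0 source, an IPv6 or prefix-less source, and a narrow rule overridden by a wider rule on the same port. The Permission type, the function names, and the sample rules are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Permission(NamedTuple):
    protocol: str
    port_from: int
    port_to: int
    source: str  # IPv4 CIDR, as entered in the Source field

def parse_source(source: str) -> ipaddress.IPv4Network:
    """Parse a Source value; reject IPv6 and entries without a prefix."""
    if "/" not in source:
        raise ValueError(f"{source}: no CIDR prefix (use /32 for one host)")
    # strict=False matches the warning above: 203.0.113.1/0 means 0.0.0.0/0.
    net = ipaddress.ip_network(source, strict=False)
    if net.version != 4:
        raise ValueError(f"{source}: IPv6 is not supported")
    return net

def audit(permissions):
    """Return (kind, permission, detail) findings for a permission list."""
    parsed = [(p, parse_source(p.source)) for p in permissions]
    findings = []
    for p, net in parsed:
        if net.prefixlen == 0:
            findings.append(("open-to-everyone", p, "0.0.0.0/0"))
        for q, wider in parsed:
            # Ports shared by both rules, if any.
            lo, hi = max(p.port_from, q.port_from), min(p.port_to, q.port_to)
            if (q.protocol == p.protocol and lo <= hi
                    and wider.prefixlen < net.prefixlen and net.subnet_of(wider)):
                findings.append(("overridden", p, f"{q.source} on ports {lo}-{hi}"))
    return findings

# Constructed sample: the port 5432 scenario above plus a /0 typo on port 443.
SAMPLE = [
    Permission("TCP", 5432, 5432, "203.0.113.1/32"),
    Permission("TCP", 5432, 5432, "0.0.0.0/0"),
    Permission("TCP", 443, 443, "203.0.113.1/0"),
]

if __name__ == "__main__":
    for kind, perm, detail in audit(SAMPLE):
        print(f"{kind:17} {perm.protocol} {perm.port_from}-{perm.port_to} "
              f"{perm.source}: {detail}")
```
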

Default Security Permissions

On launch, your FME Flow Hosted instance has a set of security permissions applied to it. The following are the initial settings for each instance:

  • The following ports are open to inbound traffic: 25 (e-mail) and 443 (WebSocket). Port 22 is not configurable, as we do not allow SSH onto the instance.
  • All outbound traffic is allowed from the instance.

Deleting a Security Permission

  1. From the Instances page, select the instance for which you want to configure security.
  2. Click on the Security tab.
  3. Click the ellipsis (...) beside any permission and select Delete.

Adding a Security Permission

In the following example, we add a permission to ensure the PostGIS database is accessible only from your local IP address:

  1. From the Instances page, select the instance for which you want to configure security.
  2. Click on the Security tab.
  3. Click Add Permission.
  4. In the Add Inbound Permission dialog, select TCP for the Protocol. Under Port range, enter 5432. Under Source, enter your IP address (for example, 203.0.113.0/24).
  5. Click Add Permission.

A permission is now applied that ensures only machines with an IP address in the 203.0.113.0/24 range can connect to the database on port 5432.