# Firewall Management

Proper firewall management is a cornerstone of a secure integration environment. Frends is designed with a security-first architecture that provides robust controls for managing network traffic, whether your agents are in the cloud or behind your own corporate firewall.

## Network Architecture and Segmentation

Frends operates a multi-tier architecture that separates public-facing components from internal systems. All traffic is encrypted using TLS 1.2 or higher. IP restrictions can be used to limit network access according to customer needs. All network access is logged centrally.

Cloud-to-on-premises VPNs are available in specific Frends subscription tiers.

## On-Premises Agent Firewall Configuration

A key feature of Frends' hybrid capability is the on-premises Agent, which executes Processes securely behind your firewall. The Agent initiates an outbound connection to the Frends Cloud over an encrypted link using TLS 1.2. This means you typically do not need to open inbound ports from the internet to your network for the Agent to function, significantly reducing your attack surface.

However, if an on-premises Agent is used to host an API or receive HTTP-triggered executions, you may need to create an inbound firewall rule on the Agent's host server to allow traffic on the configured HTTPS ports. The Frends Agent installer warns you when it cannot automatically open the ports that are set in the Agent settings of your Frends Tenant.

## IP Allowlisting for Enhanced Security

Frends supports IP allowlisting to further restrict access to your resources. For tenants hosted in specific secure environments like Cleura, IP allowlisting is a mandatory security measure for enabling features like the Platform API. In these cases, you must provide Frends Support with the public IP addresses that require access to the UI and the public IPs of any on-premises Agents.

You can also implement IP allowlisting logic directly within your Frends Processes. For any Process started with an HTTP Trigger, you can inspect the caller's IP address using the `#trigger.data.httpClientIp` reference. By comparing this IP against a list of allowed addresses stored in an Environment Variable, you can build a dynamic and secure allowlisting rule inside your integration logic.
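The comparison described above, written out as an added C# example (not Frends product code and not an API documented on this page). In a Process the two inputs would come from `#trigger.data.httpClientIp` and from an Environment Variable; here they are passed in as plain strings so the check can be compiled and run as an ordinary console program. The method and class names, the comma-separated allowlist format and the CIDR support are assumptions of this example, not a Frends convention.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

// Added example (not Frends product code). IsAllowed() returns true only when the
// caller IP matches an allowlist entry; any parse failure results in a deny.
public static class IpAllowlist
{
    // Allowlist entries are comma-separated: single addresses ("203.0.113.10")
    // or CIDR ranges ("10.0.0.0/8", "2001:db8::/32"). Surrounding spaces are ignored.
    public static bool IsAllowed(string clientIp, string allowlistCsv)
    {
        if (!IPAddress.TryParse(clientIp?.Trim(), out var client))
            return false;                       // unparsable caller IP: deny

        foreach (var raw in (allowlistCsv ?? "").Split(','))
        {
            var entry = raw.Trim();
            if (entry.Length == 0) continue;

            var parts = entry.Split('/');
            if (parts.Length > 2) continue;     // malformed entry: skip, never match
            if (!IPAddress.TryParse(parts[0], out var network))
                continue;

            // Never compare an IPv4 caller against an IPv6 entry or vice versa.
            if (network.AddressFamily != client.AddressFamily)
                continue;

            int maxBits = network.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
            int prefix = maxBits;               // a bare address is a /32 or /128
            if (parts.Length == 2 &&
                (!int.TryParse(parts[1], out prefix) || prefix < 0 || prefix > maxBits))
                continue;                       // bad prefix length: skip

            if (PrefixMatches(client.GetAddressBytes(), network.GetAddressBytes(), prefix))
                return true;
        }
        return false;                           // default deny
    }

    // Compares the first `prefix` bits of two addresses of equal byte length.
    private static bool PrefixMatches(byte[] a, byte[] b, int prefix)
    {
        int fullBytes = prefix / 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != b[i]) return false;

        int remaining = prefix % 8;
        if (remaining == 0) return true;
        int mask = (0xFF << (8 - remaining)) & 0xFF;
        return (a[fullBytes] & mask) == (b[fullBytes] & mask);
    }

    public static void Main()
    {
        // Constructed sample values standing in for the Environment Variable
        // and for #trigger.data.httpClientIp.
        const string allowlist = "203.0.113.10, 10.0.0.0/8, 2001:db8::/32";
        string[] callers = { "203.0.113.10", "10.42.7.1", "198.51.100.5", "2001:db8::1", "not-an-ip" };
        foreach (var ip in callers)
            Console.WriteLine($"{ip,-16} -> {(IsAllowed(ip, allowlist) ? "allowed" : "denied")}");
    }
}
```

With the sample values, `203.0.113.10`, `10.42.7.1` and `2001:db8::1` are allowed and the other two are denied. The check is default-deny: an empty Environment Variable, a malformed entry or an unparsable caller address never grants access. If the Agent sits behind a reverse proxy or load balancer, the address it sees may be the proxy's rather than the original caller's, so confirm what `#trigger.data.httpClientIp` actually contains in your deployment before relying on it.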

## Firewall Rules for Agent-to-Agent Communication

When using a Gateway Agent to proxy requests to a backend Agent Group, network connectivity between them is crucial. Firewalls on the Agent servers or in the network must be configured to allow the Gateway Agent to reach the backend Agents on their designated ports, such as 443 for HTTPS connections. You can use network troubleshooting tools like `curl`, `nmap` or `Test-NetConnection` from the gateway server to verify that a TCP connection can be established to the backend Agents.
