Firewall Management

Manage access to your Frends for each Agent.

Proper firewall management is a cornerstone of a secure integration environment. Frends is designed with a security-first architecture that provides robust controls for managing network traffic, whether your agents are in the cloud or behind your own corporate firewall.

Network Architecture and Segmentation

The Frends Platform is built on a multi-tier architecture that segregates internal application systems from the public internet. All network access, both within our data centers and between the data center and external services, is restricted by strict firewall and routing rules. This layered defense model ensures that critical components are not directly exposed and that all network traffic is controlled and monitored.

On-Premises Agent Firewall Configuration

A key feature of Frends' hybrid capability is the on-premises Agent, which executes Processes securely behind your firewall. The Agent initiates an outbound connection to the Frends Cloud over an encrypted link using TLS 1.2. This means you typically do not need to open inbound ports from the internet to your network for the Agent to function, significantly reducing your attack surface.

However, if an on-premises Agent is used to host an API or receive HTTP-triggered executions, you may need to create an inbound firewall rule on the Agent's host server to allow traffic on the configured HTTPS ports. The Frends Agent installer warns you about this when it does not automatically open the ports set in the Agent settings of your Frends Tenant.

IP Whitelisting for Enhanced Security

Frends supports IP whitelisting to further restrict access to your resources. For tenants hosted in specific secure environments like Cleura, IP whitelisting is a mandatory security measure for enabling features like the Platform API. In these cases, you must provide Frends Support with the public IP addresses that require access to the UI and the public IPs of any on-premises Agents.

You can also implement IP whitelisting logic directly within your Frends Processes. For any Process started with an HTTP Trigger, you can inspect the caller's IP address using the #trigger.data.httpClientIp reference. By comparing this IP against a list of allowed addresses stored in an Environment Variable, you can build a dynamic and secure whitelisting rule inside your integration logic.
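The allowlist comparison described above, written out as an added example in Python (Frends Process expressions themselves are C#, and this is not Frends' own code). It assumes the Environment Variable holds a comma-separated list of single addresses and CIDR ranges, and that the value read from #trigger.data.httpClientIp is a plain IP string; a malformed or empty client address is treated as not allowed, and an IPv4-mapped IPv6 address is matched against IPv4 entries.

```python
"""Allowlist check for an HTTP-triggered Process (added example, not Frends code)."""
import ipaddress

# Constructed sample value, as it might be stored in an Environment Variable.
ALLOWED_IPS_EXAMPLE = "203.0.113.0/24, 198.51.100.7, 2001:db8::/32"


def parse_allowlist(raw):
    """Parse a comma- or semicolon-separated list of IPs and CIDR ranges.

    Single addresses become /32 (IPv4) or /128 (IPv6) networks. A bad entry
    raises ValueError so a misconfigured allowlist fails loudly instead of
    silently allowing nothing or everything.
    """
    networks = []
    for token in raw.replace(";", ",").split(","):
        token = token.strip()
        if token:
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def is_allowed(client_ip, allowlist):
    """Return True if client_ip falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address((client_ip or "").strip())
    except ValueError:
        return False  # empty or malformed caller address: deny
    # Some stacks report IPv4 callers as ::ffff:a.b.c.d; compare the embedded IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership across address families is always False, so v4 and v6 never cross-match.
    return any(addr.version == net.version and addr in net for net in allowlist)


def check_request(client_ip, allowlist_env_value):
    """Convenience wrapper: parse the variable and test the caller in one call."""
    return is_allowed(client_ip, parse_allowlist(allowlist_env_value))


if __name__ == "__main__":
    # Hypothetical callers; in a Process the first argument would be #trigger.data.httpClientIp.
    for ip in ["203.0.113.5", "::ffff:203.0.113.5", "198.51.100.8", "2001:db8::1", "garbage"]:
        print(ip, "->", "allow" if check_request(ip, ALLOWED_IPS_EXAMPLE) else "deny")
```

In a Process, the deny branch would typically return an HTTP 403 from the trigger's response step; keeping the parse step separate also lets you validate the Environment Variable once at startup rather than on every request.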

Firewall Rules for Agent-to-Agent Communication

When using a Gateway Agent to proxy requests to a backend Agent Group, network connectivity between them is crucial. Firewalls on the Agent servers or in the network must be configured to allow the Gateway Agent to reach the backend Agents on their designated ports, such as 443 for HTTPS connections. You can use network troubleshooting tools like curl, nmap or Test-NetConnection from the gateway server to verify that a TCP connection can be established to the backend Agents.
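The same TCP-level check as an added, scriptable example in Python, not part of the Frends documentation or product: it attempts a TCP handshake to each backend with a timeout and reports the result per host, which is convenient when a Gateway Agent has several backend Agents to verify at once. The backend host names are placeholders; the self-test uses a throwaway listener on loopback so the code can be run without any Agent present.

```python
"""TCP reachability check from a gateway host to backend Agents (added example)."""
import socket


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name resolution failed
        return False


def check_backends(backends, timeout=3.0):
    """Check every (host, port) pair and return {'host:port': bool}."""
    return {f"{host}:{port}": tcp_reachable(host, port, timeout) for host, port in backends}


def self_test():
    """Open a listener on an ephemeral loopback port, check it (expect True),
    close it, check again (expect connection refused -> False)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback self-test (open, closed):", self_test())
    # Placeholder backend list; replace with the hosts of your backend Agent Group.
    print(check_backends([("backend-agent-1.example.invalid", 443),
                          ("backend-agent-2.example.invalid", 443)]))
```

A False result only tells you the handshake did not complete; run it from the gateway server itself so that host firewalls, network firewalls and routing between the two Agents are all on the path being tested.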
