# Firewall Management

Proper firewall management is a cornerstone of a secure integration environment. Frends is designed with a security-first architecture that provides robust controls for managing network traffic, whether your agents are in the cloud or behind your own corporate firewall.

## Network Architecture and Segmentation

Frends operates a multi-tier architecture that separates public-facing components from internal systems. All traffic is encrypted using TLS 1.2 or higher. IP restrictions can be used to limit network access based on customer needs. All network access is logged centrally.

Cloud to On-premise VPNs are available in specific tiers of Frends subscription.

## On-Premises Agent Firewall Configuration

A key feature of Frends' hybrid capability is the on-premises Agent, which executes Processes securely behind your firewall. The Agent initiates an outbound connection to the Frends Cloud over an encrypted link using TLS 1.2. This means you typically do not need to open inbound ports from the internet to your network for the Agent to function, significantly reducing your attack surface.

However, if an on-premises Agent is used to host an API or receive HTTP-triggered executions, you may need to create an inbound firewall rule on the Agent's host server to allow traffic on the configured HTTPS ports. The Frends Agent installer warns you about this when it cannot automatically open the ports configured in the Agent settings of your Frends Tenant.

## IP Allowlisting for Enhanced Security

Frends supports IP allowlisting to further restrict access to your resources. For tenants hosted in specific secure environments like Cleura, IP allowlisting is a mandatory security measure for enabling features like the Platform API. In these cases, you must provide Frends Support with the public IP addresses that require access to the UI and the public IPs of any on-premises Agents.

You can also implement IP allowlisting logic directly within your Frends Processes. For any Process started with an HTTP Trigger, you can inspect the caller's IP address using the `#trigger.data.httpClientIp` reference. By comparing this IP against a list of allowed addresses stored in an Environment Variable, you can build a dynamic and secure allowlisting rule inside your integration logic.
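The following is an added worked example of the allowlisting logic described above; it is not code from the Frends documentation or product. It assumes the Environment Variable holds a comma-separated list of single addresses and CIDR ranges (a constructed sample is embedded), and it takes the client IP as a plain string, standing in for the value of `#trigger.data.httpClientIp`. The check fails closed: an empty, malformed or unlisted address is denied, and an IPv4 client that arrives as an IPv4-mapped IPv6 address is still matched against IPv4 entries.

```python
"""Hypothetical allowlist check mirroring the Frends pattern: compare the HTTP
Trigger's client IP against addresses/ranges stored in an Environment Variable.
Illustration only; in a Frends Process the comparison would live in the
Process's own expression, not in this script."""
import ipaddress
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of an Environment Variable value (assumption: comma-separated,
# single IPs and CIDR ranges, IPv4 and IPv6 may be mixed).
SAMPLE_ALLOWLIST_ENV = "203.0.113.10, 198.51.100.0/24, 2001:db8::/32"


def parse_allowlist(value: str) -> List[IPNetwork]:
    """Turn the raw Environment Variable string into ip_network objects.

    A malformed entry raises ValueError here, when the list is loaded, rather
    than silently widening or narrowing the allowlist on every request.
    """
    networks: List[IPNetwork] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # strict=False accepts host bits set inside a CIDR entry, e.g. 10.0.0.5/24
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def client_ip_allowed(client_ip: str, networks: List[IPNetwork]) -> bool:
    """Return True only if client_ip is well-formed and inside an allowed network.

    Empty or unparseable input is denied (fail closed). An IPv4 client that the
    listener reports as ::ffff:a.b.c.d is mapped back to IPv4 so IPv4 entries
    still match it.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # ip_network.__contains__ already returns False for a version mismatch
    return any(addr in net for net in networks)


def check_request(trigger_client_ip: str, allowlist_env: str) -> dict:
    """Constructed stand-in for the Process branch: the decision plus the HTTP
    status the Process would return to the caller (403 when denied)."""
    allowed = client_ip_allowed(trigger_client_ip, parse_allowlist(allowlist_env))
    return {"allowed": allowed, "status": 200 if allowed else 403}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "::ffff:198.51.100.5", "10.0.0.1", "bogus"):
        print(ip, check_request(ip, SAMPLE_ALLOWLIST_ENV))
```

Parsing the list once and validating every entry up front is the design choice worth keeping when you port this into a Process: a typo in the Environment Variable then surfaces as a loud error instead of quietly letting every caller through or locking everyone out.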

## Static IP Addresses for Cloud Agents

All Frends Cloud Agents come with static public IP addresses by default. This means the outbound IP address your Cloud Agent uses for external HTTP or HTTPS requests stays constant over time. Unlike Azure's default behavior, where public IPs can change, Frends explicitly reserves static IPs for all Cloud Agents, so you can safely allowlist them in your firewall rules without worrying about connection failures.

This is particularly useful when integrating with external systems that enforce IP-based access control. The IP won't change during agent restarts, updates, or scaling operations, so once you've configured your firewall rules, they'll continue working reliably.

## Firewall Rules for Agent-to-Agent Communication

When using a Gateway Agent to proxy requests to a backend Agent Group, network connectivity between them is crucial. Firewalls on the Agent servers or in the network must be configured to allow the Gateway Agent to reach the backend Agents on their designated ports, such as 443 for HTTPS connections. You can use network troubleshooting tools like `curl`, `nmap` or `Test-NetConnection` from the gateway server to verify that a TCP connection can be established to the backend Agents.
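As an added illustration of the connectivity check described above (not code from the Frends documentation), the script below performs the same TCP handshake test that `Test-NetConnection` or `nmap` would, and classifies the failure so it points at the right place: a refused connection means the backend host answered but nothing is listening on that port (or a host rule rejects it), while a timeout usually means a firewall in the path is silently dropping the packets. The hostname and port are placeholders for your backend Agent; the self-test opens a loopback listener to stand in for a reachable backend port.

```python
"""Hypothetical reachability probe for Gateway Agent -> backend Agent traffic."""
import socket
from typing import Tuple


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a plain TCP handshake to host:port and report the outcome.

    Returns (True, "connected") on success, otherwise (False, reason) with:
      "refused" - the host sent a reset: nothing listening, or a rejecting rule
      "timeout" - no answer at all: typically a firewall dropping the packets
      "dns"     - the hostname did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror:
        return False, "dns"
    except ConnectionRefusedError:
        return False, "refused"
    except socket.timeout:
        return False, "timeout"
    except OSError as exc:  # e.g. network unreachable
        return False, f"error: {exc.errno}"


def demo_with_local_listener() -> Tuple[bool, str]:
    """Self-contained demo: bind a listening socket on a loopback port chosen by
    the OS (standing in for a backend Agent's HTTPS port) and probe it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        # The kernel completes the handshake into the backlog, so no accept() is needed
        return tcp_reachable("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()


if __name__ == "__main__":
    print("loopback listener:", demo_with_local_listener())
    # Placeholder: replace with the backend Agent's hostname and configured HTTPS port
    print("backend agent:", tcp_reachable("backend-agent.example.invalid", 443))
```

Run it from the Gateway Agent's host, since the rules that matter are the ones between that host and the backend Agents; a successful result from your workstation says nothing about the path the gateway actually uses.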

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.frends.com/security/firewall-management.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
