I want to configure our firewall to only allow API requests from your service (vs the whole internet), do you have a list of CIDR block(s) that your requests are made from?
Hi @Rylan_Hazelton and welcome to our community!
I’m sorry but could you be a bit more explicit?
Could you tell me what you are running on? Forest Admin Cloud? Self-hosted?
hello, thank you. I “think” it’s forest admin cloud?
Okay, so if I rephrase, you want to configure the firewall of your database?
yes I would like to restrict the API calls your service makes down to a finite list of IP ranges if possible
During the onboarding, did you click on the left or the right? And what’s the name of your project please?
advanced and nommer-metadata
Okay, so then there will be no calls to your database from our side. Only your agent will make the calls.
If you mean you want to restrict the firewall on your backend, then only the frontend (https://app.forestadmin.com) will make requests to your backend.
And otherwise a few calls are made by your agent (outgoing requests only) to https://api.forestadmin.com. So allowing this domain accordingly should be enough.
Hello @Rylan_Hazelton
When using “advanced setup”, you need to deploy an agent on your own infrastructure (that’s the project that you generated during the onboarding wizard).
From our side, we never have access to your database, its location or credentials to access it.
Actually none of your data ever transits through servers that are under our control.
The CIDR block that you will need to allow on your database credential is the one where you will deploy your agent.
Hi, basically the same thing for this discussion. Your UI at https://app.forestadmin.com/ makes a call to the agent (see the image I posted). I would like to restrict access to the agent to the IP addresses of your service.
this part:
The web application is the one calling the agent directly, your data never transits through our servers (api.forestadmin.com is there to configure the frontend and handle metadata).
The IPs that you need to whitelist on the agent are the IPs of your final users (their home/work internet connections).
We actually have many customers that do not expose the agent to the internet and use it in a LAN-only or VPN-only environment. That’s a legit deployment use case.
Forest Admin will work as long as:
- The user’s browsers can reach app.forestadmin.com (the CDN) for static assets
- The user’s browsers can reach api.forestadmin.com for configuration
- The agent can reach api.forestadmin.com and your database
- The user’s browsers can reach the agent
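An added illustration of the answer above (not part of the thread and not Forest Admin code): since the addresses to allow on the agent are those of your end users, this sketch shows a source-IP allowlist check that still behaves correctly when the agent sits behind a load balancer. The CIDR ranges, the proxy range and the function names are constructed for the example.

```python
import ipaddress

# Constructed sample values (documentation ranges), not Forest Admin addresses.
USER_NETWORKS = ["203.0.113.0/24", "198.51.100.17/32", "2001:db8:10::/48"]
TRUSTED_PROXIES = ["10.0.0.0/8"]  # assumption: an internal load balancer fronts the agent


def _parse(cidrs):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def _in_any(ip, networks):
    # Membership is False when the address and network versions differ.
    return any(ip in n for n in networks)


def _addr(text):
    """Parse an address, unwrapping IPv4-mapped IPv6; None if invalid."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return getattr(ip, "ipv4_mapped", None) or ip


def effective_client(peer, xff, proxies):
    """Return the address to judge, or None when it cannot be determined."""
    ip = _addr(peer)
    if ip is None or not _in_any(ip, proxies):
        # Direct connection: X-Forwarded-For is client-supplied, so ignore it.
        return ip
    # Peer is our proxy: walk the chain right to left, skipping our own hops.
    for hop in reversed((xff or "").split(",")):
        ip = _addr(hop)
        if ip is None:
            return None  # missing or malformed entry: fail closed
        if not _in_any(ip, proxies):
            return ip
    return None


def is_allowed(peer, xff=None, users=USER_NETWORKS, proxies=TRUSTED_PROXIES):
    """True only if the effective client address is inside a user network."""
    ip = effective_client(peer, xff, _parse(proxies))
    return ip is not None and _in_any(ip, _parse(users))
```

Without the proxy handling, an agent behind a load balancer would either see only the balancer's address or trust a header that any client can set.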
oh! got it, thank you.
By the way, I totally forgot to push for our Pro Plan!
If you don’t want to play around with iptables, you can manage your agent IP whitelisting rules from the web interface.
We also support 2FA and auto-logout.