# prefect-server
s
Hello. Here is a question regarding the Self-hosted server. I am able to register & execute flows from a UI (and others, ofc) server hosted on AWS. But as far as I can tell, so can everyone else on the planet. What is the intended way to protect your self-hosted server against misuse? Is there something akin to the cloud API tokens for the OpenSource UI?
g
Are you using a VPC? Another option might be to use an ALB with authentication - something like SSO.
s
Hi Greg, thanks for the answer. I am using a VPC for both the EC2 instance which hosts the UI server, as well as for the EKS cluster which has Prefect agents configured. Unfortunately, at the moment, they are on different VPCs (but this is something which could be sorted out without too much trouble). I have also considered not exposing my VPC at all and instead configuring a gateway connection. Would you mind explaining a bit more the idea you have regarding ALB/SSO? All of these solutions should be able to exclude the general public from connecting to my Prefect server. Nevertheless, assuming I understood your suggestion appropriately, they also would not help in the sense of user credentials. As a result, any user who has access to the VPC would have full control over the Prefect server's flow registration and scheduling. That is why I was hoping that there would be something akin to Prefect Cloud's API tokens. Do you (or anyone else) have any thoughts on this?
g
> I have also considered not exposing my VPC at all and instead configure a gateway connection.

The reason I mentioned the VPC is to possibly leverage security groups or even the network ACL to limit ingress IP addresses. If your potential users come from a certain network - say a VPN or corporate LAN - you can restrict who can get to the resource. It does get easier if you create a VPC peering type setup.

> Would you mind explaining a bit more the idea you have regarding ALB/SSO?

AWS ALB has options for integrating some standards-compliant SSO solutions like Okta and OneLogin (OpenID and SAML type stuff). If you lock down the security group for your Prefect server to only allow inbound traffic from your ALB, you can put the SSO requirement on the ALB as a gatekeeper. It would also potentially simplify your HTTPS configuration. For one reference (among many): https://www.onelogin.com/blog/aws-alb-openid-connect
s
Great, this gives me a few new directions for me to dig into. Thanks a lot for the help!
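The setup Greg describes above (an ALB doing OIDC authentication as the gatekeeper, with the Prefect server's security group accepting inbound traffic only from the ALB), written out as an added Terraform example. This is not part of the thread and not Prefect's own configuration. It assumes a single EC2 instance serving the Prefect UI on port 8080 (a placeholder; check your own deployment), an existing VPC, public subnets, ACM certificate and OIDC application, and the `/authorize`, `/oauth/token` and `/userinfo` endpoint paths are placeholders to be replaced with the values from your identity provider's discovery document.

```hcl
# Added example (not from the thread, not Prefect's own config): ALB as SSO gatekeeper
# in front of a self-hosted Prefect server. Port 8080 and the OIDC endpoint paths are
# assumptions; replace them with your deployment's and your IdP's real values.

variable "vpc_id"             {}
variable "public_subnets"     { type = list(string) }
variable "certificate_arn"    {}
variable "prefect_instance_id" {}
variable "oidc_issuer"        {}
variable "oidc_client_id"     {}
variable "oidc_client_secret" { sensitive = true }

# The load balancer is the only thing reachable from outside. Narrow 0.0.0.0/0 to
# your VPN / corporate CIDRs if users always come from a known network.
resource "aws_security_group" "alb" {
  name   = "prefect-alb"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The Prefect server accepts inbound traffic only from the ALB's security group,
# so nothing can bypass the authenticating listener by hitting the instance directly.
resource "aws_security_group" "prefect" {
  name   = "prefect-server"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "prefect" {
  name               = "prefect"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnets
}

resource "aws_lb_target_group" "prefect" {
  name     = "prefect-ui"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id
  health_check { path = "/" }
}

resource "aws_lb_target_group_attachment" "prefect" {
  target_group_arn = aws_lb_target_group.prefect.arn
  target_id        = var.prefect_instance_id
  port             = 8080
}

# HTTPS listener: first action forces an OIDC login, second forwards only authenticated requests.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.prefect.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn

  default_action {
    type = "authenticate-oidc"
    authenticate_oidc {
      issuer                     = var.oidc_issuer
      authorization_endpoint     = "${var.oidc_issuer}/authorize"    # placeholder path
      token_endpoint             = "${var.oidc_issuer}/oauth/token"  # placeholder path
      user_info_endpoint         = "${var.oidc_issuer}/userinfo"     # placeholder path
      client_id                  = var.oidc_client_id
      client_secret              = var.oidc_client_secret
      on_unauthenticated_request = "authenticate"  # redirect to the IdP instead of passing through
    }
  }
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.prefect.arn
  }
}

# Plain HTTP is redirected to HTTPS so no listener exists without the OIDC action.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.prefect.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

Two caveats worth keeping in mind with this layout. The OIDC action only protects browser traffic through the listener: agents in EKS cannot complete an interactive login, so their path to the API has to reach the server another way (VPC peering or a private endpoint) and be restricted by security groups rather than by the ALB. And, as raised in the thread, this gates who can reach the server, not what they can do once there: anyone who can reach the API port inside the VPC still has full control over flow registration and scheduling.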