# prefect-community
w
I have a question about securing Prefect. Right now I have a prefect server deployed to an aws instance. I expose port 8080 to grant access to the server, but it's also required that the graphql port 4200 is also exposed due to the client side javascript. However I don't want graphql to be exposed since that allows the user to send arbitrary commands to the prefect server. Is there any way to just give access to the web UI, but not allow access to graphql?
z
Hi @Will Milner! There's not currently a way to do this through Prefect Server config, but you could try whitelisting specific IPs/CIDR ranges if you're looking to restrict traffic.
w
it would require whitelisting on both ports 8080 and 4200 in order for it to work properly (flows for instance would not load without access to port 4200). I would want to give someone access just to the web UI to manually trigger flows and read logs, but not access any of the graphql functionality. I may look into Prefect Cloud for the authorization layer it provides, thanks for the answer Zachary!
z
Sure thing! If you're looking to try out an auth solution, I'd definitely recommend Cloud-- users/roles/etc work out of the box there. 🙂
d
In theory you could start the main server in a public subnet, to allow 8080, and the graphql container in a separate instance/container in an isolated/private subnet, but then you'd have to figure the network creation yourself…
Alternatively you could put prefect on an isolated/private subnet that would allow internal comms, and then a bastion box on public subnet that only allows 8080 access
w
the issue is that there is javascript making calls to the graphql endpoint to load flows, since that request originates from the client, the client will need access to graphql.
it would work if the javascript instead just hit the server running on port 8080 and then sent a request to the graphql endpoint. That way the request is now coming from the server, and a user would only need access to port 8080
d
Ah I see, it’s external rather than internal, gotcha