06/02/2020, 3:22 PM
Hi @Will Milner! There's not currently a way to do this through Prefect Server config, but you could try whitelisting specific IPs/CIDR ranges if you're looking to restrict traffic.
06/02/2020, 3:25 PM
It would require whitelisting on both ports 8080 and 4200 in order for it to work properly (flows for instance would not load without access to port 4200). I would want to give someone access just to the web UI to manually trigger flows and read logs, but not access any of the graphql functionality.
I may look into Prefect Cloud for the authorization layer it provides, thanks for the answer Zachary!
06/02/2020, 3:26 PM
Sure thing! If you're looking to try out an auth solution, I'd definitely recommend Cloud-- users/roles/etc work out of the box there. 🙂
06/02/2020, 3:43 PM
In theory you could start the main server in a public subnet, to allow 8080, and the graphql container in a separate instance/container in an isolated/private subnet, but then you’d have to figure the network creation yourself…
Alternatively you could put prefect on an isolated/private subnet that would allow internal comms, and then a bastion box on public subnet that only allows 8080 access
06/02/2020, 3:49 PM
06/02/2020, 4:04 PM
Ah I see, it’s external rather than internal, gotcha