Environment Network Isolation

Note: This document is based on Jelastic version 5.4

The Network Isolation feature complements the environment groups functionality by letting you manage the availability of those groups within a single Jelastic installation (i.e. over its internal network).

[image: request handling with firewall and isolation]

This way, each internal connection between nodes on the Platform has to pass a check before it is allowed: the requesting and the requested environments must belong to the same isolated group.

Tip: Additionally, connectivity of nodes can be restricted by the container firewall rules, which is a more flexible solution, suitable for both internal and external access management.

Private Network Isolation

At Jelastic PaaS, all accounts are isolated from each other by default, which explicitly prohibits any unauthorized internal connections between different users (i.e. even in case a malefactor has managed to obtain data such as an environment name, node ID, internal IP, etc.).

With the Network Isolation feature, you can create secure environment groups, intended to isolate the included environments from the other ones on your account. Just turn on the Network Isolation switcher within the Add or Edit Group frame.

[image: enable environment isolation]

For each isolated group, the Platform automatically creates a dedicated IP set, which consists of the internal addresses of the appropriate containers. This makes it possible to control access between nodes (i.e. if both IPs are within the same set, interconnection is allowed; if not, it is denied). The Platform also detects all of the relevant account changes (e.g. environment removal, node scaling, etc.) to keep the IP sets up to date automatically.

While managing Network Isolation, the following peculiarities should be considered:
  • the feature can be enabled for top-level groups only (i.e. not for subgroups)
  • environment groups with enabled isolation are marked with a custom icon (isolated group icon) for better recognition
  • shared environments cannot be included into isolated groups by collaborators
  • access from outside of the Platform (e.g. via Public IP) cannot be limited by this feature

Using Network Isolation

Network Isolation is a useful and convenient feature, which provides additional protection from undesired access to your environments. Usually, it’s good practice to isolate your applications from each other; for example, this could be useful in the following cases:

  • If you need to share access to your application or database with a third-party employee or company, you can be sure that containers outside of the isolated group won’t be accessible via the Platform’s internal network.

  • If you are cloning your project, the isolated initial instance will be protected from the influence of the clone (e.g. if your copy inherits hardcoded access to a database via the internal network, it could accidentally corrupt the stored data).

As you can see, the Network Isolation feature can be used to separate projects on an account and prevent their undesired interconnections.
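To make the mechanism concrete, the following is an added example (not Jelastic's own code or API) that models the per-group IP set described above and runs the cloning scenario from the list: an isolated top-level group gets an IP set of its nodes' internal addresses, the set is rebuilt on scaling and environment removal, and an internal connection passes only when both addresses fall inside the same set. The internal range 10.0.0.0/8, the "parent/child" notation for subgroups, the environment names and all IP addresses are constructed for the example, and non-isolated environments are assumed to keep the account's default connectivity.

```python
"""Model of per-group IP-set isolation (illustrative, not Jelastic's implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

# Constructed assumption: the range this model treats as the Platform's internal network.
INTERNAL_NET = ip_network("10.0.0.0/8")


def can_isolate(group: str) -> bool:
    """Isolation is available for top-level groups only; subgroups are written 'parent/child'."""
    return "/" not in group


@dataclass
class Environment:
    name: str
    group: Optional[str] = None                            # top-level group or None
    nodes: Dict[str, str] = field(default_factory=dict)    # node id -> internal IP


class Account:
    """Holds environments and groups and rebuilds the IP sets after every change."""

    def __init__(self) -> None:
        self.envs: Dict[str, Environment] = {}
        self.isolated_groups: Set[str] = set()
        self.ip_sets: Dict[str, Set[str]] = {}

    def enable_isolation(self, group: str) -> None:
        if not can_isolate(group):
            raise ValueError(f"isolation can only be enabled on a top-level group: {group}")
        self.isolated_groups.add(group)
        self._rebuild()

    # Account changes the Platform watches in order to keep the sets current.
    def add_environment(self, env: Environment) -> None:
        self.envs[env.name] = env
        self._rebuild()

    def remove_environment(self, name: str) -> None:
        self.envs.pop(name)
        self._rebuild()

    def scale(self, env_name: str, node_id: str, internal_ip: str) -> None:
        """Horizontal scaling: the new node must join its group's set automatically."""
        self.envs[env_name].nodes[node_id] = internal_ip
        self._rebuild()

    def clone(self, src: str, dst: str, nodes: Dict[str, str], group: Optional[str]) -> None:
        """A clone keeps the source configuration (e.g. a hardcoded DB IP) but gets new nodes."""
        if src not in self.envs:
            raise KeyError(src)
        self.add_environment(Environment(dst, group, dict(nodes)))

    def _rebuild(self) -> None:
        self.ip_sets = {g: set() for g in self.isolated_groups}
        for env in self.envs.values():
            if env.group in self.isolated_groups:
                self.ip_sets[env.group].update(env.nodes.values())

    def _set_of(self, ip: str) -> Optional[str]:
        for group, members in self.ip_sets.items():
            if ip in members:
                return group
        return None

    def is_allowed(self, src_ip: str, dst_ip: str) -> bool:
        """The check every internal connection passes before it is allowed."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        # Only the internal network is governed; public traffic is outside this feature's scope.
        if src not in INTERNAL_NET or dst not in INTERNAL_NET:
            return True
        src_set, dst_set = self._set_of(src_ip), self._set_of(dst_ip)
        if src_set is None and dst_set is None:
            return True           # neither side isolated: default account connectivity
        return src_set == dst_set  # same IP set -> allowed, otherwise denied


def clone_scenario() -> dict:
    """Isolated project plus a clone that still points at the original database."""
    acct = Account()
    acct.enable_isolation("production")
    acct.add_environment(Environment("shop", "production",
                                     {"app-1": "10.0.1.10", "db-1": "10.0.1.20"}))
    acct.add_environment(Environment("analytics", None, {"worker-1": "10.0.2.5"}))
    # The clone lands outside the isolated group; its app still carries 10.0.1.20.
    acct.clone("shop", "shop-clone", {"app-1": "10.0.3.10", "db-1": "10.0.3.20"}, group=None)
    acct.scale("shop", "app-2", "10.0.1.11")   # new node must be picked up by the set
    result = {
        "app_to_db": acct.is_allowed("10.0.1.10", "10.0.1.20"),
        "scaled_node_to_db": acct.is_allowed("10.0.1.11", "10.0.1.20"),
        "clone_to_original_db": acct.is_allowed("10.0.3.10", "10.0.1.20"),
        "analytics_to_clone": acct.is_allowed("10.0.2.5", "10.0.3.20"),
        "public_to_db": acct.is_allowed("203.0.113.7", "10.0.1.20"),
        "production_set": sorted(acct.ip_sets["production"]),
    }
    acct.remove_environment("shop")             # removal empties the set again
    result["production_set_after_removal"] = sorted(acct.ip_sets["production"])
    return result


if __name__ == "__main__":
    for key, value in clone_scenario().items():
        print(f"{key}: {value}")
```

The clone's app node is denied access to the original database because its address is not in the "production" set, while the scaled node is allowed as soon as the set is rebuilt; the public-address case returns True only because the model, like the feature, does not govern external traffic, which is where the container firewall rules mentioned in the tip apply.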