💡Note
Tenant owners can configure an allowlist with rules for IPs or FQDNs to restrict access to the destinations that HTTP Request Actions are allowed to make requests to, and/or to restrict the domains that Send Email Actions are allowed to send emails to. Note: for Send Email Actions, only an allowlist for FQDNs is supported, not IPs.
Rules must specify an address or CIDR range for IP or FQDN, and a description. Both IPv4 and IPv6 addresses are supported. Only an IP or FQDN should be provided, but not both. The format for CIDR ranges is address/mask . By default FQDNs are resolved to IPs so if an FQDN is not on the allowlist but resolves to an IP that is on the allowlist then the request will be allowed, this setting can be turned off.
Once the rules are enabled, any outbound requests from HTTP Request Actions that does not match the IP or FQDN will fail at run time and the relevant error can be found in the logs. Similarly, any email sent from a Send Email Action to a domain that does not match a FQDN on the list will fail.
Rules can also be fetched and modified via the Tines API.
Tunnel egress control
Action egress control can be turned on for HTTP request actions that use a tunnel by enabling the option on the action egress control settings page. Note that FQDNs will not be resolved to IPs for tunnelled requests so if a FQDN isn't on the allowlist then the request will not be allowed regardless of whether the IP it resolves to is on the allowlist or not. See the settings options below:
