8 Secure Your Besu Network
The network is configured to allow peer-to-peer communication so that participants can join easily. You can restrict access further if needed.
By default, the network exposes a small set of ports that are used for Besu peer-to-peer communication. These ports are required so that nodes in different clusters can discover and connect to each other. Ports are exposed by using the cloud load balancer. Worker nodes remain in private subnets. This configuration prioritizes onboarding and reliability. You can further restrict access as needed by updating cloud network security rules (for example, with security lists or network security groups).
- Identify the IP address or IP address range of the participant’s Besu instance. In an OCI environment, this is the NAT IP address of the participant OKE cluster.
- Update your network security rules to allow inbound traffic from only approved participant IP addresses and to block all other sources.
By default, when a load balancer service is created in OKE, the security list automatically adds rules to open the node ports that are associated with this service. Therefore, on instance creation the port range from 30303 to 30310 is automatically opened by means of rules in the security list.
For maximum isolation, the founder instance can remove these rules from the security list. Security lists are applied at the subnet level, so if an instance or load balancer service is created in the same subnet, the rules related to node ports might be applied again automatically. When this happens, you must remove those rules again.
- If you want to join a participant instance to the founder network, get the NAT IP address mentioned in step one and create a network security group ingress rule that allows traffic from the NAT IP address as the source address to the specified participant address with a destination port range from 30303 to 30310.
- Identify the dedicated load balancer that is associated with only this instance, and associate the network security group with that load balancer.
After you associate the network security group with the load balancer, only the explicitly allowed participant instance can discover and connect to the founder instance.
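The allow-list steps above (participant NAT IP as source, destination ports 30303 to 30310, rule attached through a network security group on the founder's load balancer) and the security-list caveat (OKE re-adds world-open node-port rules whenever a load balancer service appears in the subnet) can both be scripted. The following is an added example, not part of the Oracle documentation: it builds the NSG ingress rule payload, audits a security list for the automatically added rules, and optionally applies the change with the OCI CLI. The OCIDs and addresses are constructed placeholders; the JSON field names follow the OCI CLI's camelCase input and kebab-case output conventions, and the two `oci` invocations are written from memory of the CLI reference and are assumptions to verify against your CLI version.

```python
"""Added example: restrict Besu node ports on an OCI load balancer to approved
participant NAT IPs and detect the OKE-added rules that open them to the world."""
from __future__ import annotations

import ipaddress
import json
import subprocess
from typing import Any

BESU_PORT_MIN = 30303  # node-port range that OKE opens automatically (see text)
BESU_PORT_MAX = 30310
TCP = "6"              # OCI expresses the protocol as the IP protocol number
ANY_SOURCE = "0.0.0.0/0"


def participant_ingress_rule(nat_ip: str, description: str = "Besu participant") -> dict[str, Any]:
    """Build one AddSecurityRuleDetails object (camelCase, as `oci network nsg rules add`
    expects) that allows a single participant NAT IP or range to reach the Besu node ports.
    A bare address becomes a /32; a 0.0.0.0/0 source is rejected so the allow-list stays an allow-list."""
    net = ipaddress.ip_network(nat_ip, strict=False)
    if net.prefixlen == 0:
        raise ValueError(f"source {nat_ip} would allow every address; list participant IPs only")
    return {
        "direction": "INGRESS",
        "protocol": TCP,
        "source": str(net),
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "description": description,
        "tcpOptions": {"destinationPortRange": {"min": BESU_PORT_MIN, "max": BESU_PORT_MAX}},
    }


def world_open_node_port_rules(security_list: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the ingress rules (from `oci network security-list get` output, kebab-case)
    that expose any Besu node port to 0.0.0.0/0. These are the rules the page says OKE
    adds to the subnet's security list and that the founder must remove again."""
    hits: list[dict[str, Any]] = []
    for rule in security_list.get("data", {}).get("ingress-security-rules", []):
        if rule.get("source") != ANY_SOURCE:
            continue
        if rule.get("protocol") not in (TCP, "all"):
            continue
        port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
        if port_range is None:  # "all" protocols or TCP with no range covers every port
            hits.append(rule)
        elif port_range["min"] <= BESU_PORT_MAX and port_range["max"] >= BESU_PORT_MIN:
            hits.append(rule)
    return hits


def oci(*args: str) -> dict[str, Any]:
    """Run one OCI CLI command and parse its JSON output (assumes a configured CLI)."""
    out = subprocess.run(["oci", *args], check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def restrict_founder_load_balancer(nsg_id: str, lb_id: str, nat_ips: list[str]) -> list[dict[str, Any]]:
    """Add one allow rule per participant to the NSG, then attach the NSG to the dedicated
    load balancer. Command names are assumptions; check them against the OCI CLI reference."""
    rules = [participant_ingress_rule(ip, f"Besu participant {ip}") for ip in nat_ips]
    oci("network", "nsg", "rules", "add", "--nsg-id", nsg_id, "--security-rules", json.dumps(rules))
    oci("lb", "network-security-groups", "update", "--load-balancer-id", lb_id,
        "--network-security-group-ids", json.dumps([nsg_id]))
    return rules


# Constructed sample in the shape of `oci network security-list get` output.
SAMPLE_SECURITY_LIST: dict[str, Any] = {
    "data": {
        "ingress-security-rules": [
            {"source": "0.0.0.0/0", "protocol": "6", "description": "auto-added by OKE",
             "tcp-options": {"destination-port-range": {"min": 30303, "max": 30310}}},
            {"source": "10.0.0.0/16", "protocol": "all", "tcp-options": None},
            {"source": "0.0.0.0/0", "protocol": "6",
             "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
        ]
    }
}

if __name__ == "__main__":
    # Dry run on the constructed sample: show the rule to add and the rules to remove.
    print(json.dumps(participant_ingress_rule("203.0.113.7"), indent=2))
    for rule in world_open_node_port_rules(SAMPLE_SECURITY_LIST):
        print("world-open node-port rule found:", rule.get("description", rule))
```

To apply against a real tenancy, call `restrict_founder_load_balancer()` with the NSG and load balancer OCIDs and the participant NAT IPs from step one, and rerun `world_open_node_port_rules()` on fresh `oci network security-list get` output after any new load balancer service is created in the subnet, since that is when the open rules reappear.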