Hi Liferay Team,
We would like to suggest a potential enhancement for Liferay PaaS that could benefit customers with stringent security and compliance requirements.
Currently, the Ingress Load Balancer IP remains publicly reachable as the network entry point to the Kubernetes cluster. While this is expected behavior and application access continues to be governed by ingress routing and authentication controls, security assessment teams frequently raise concerns regarding direct accessibility of the load balancer IP.
As a product enhancement, it would be valuable to provide customers with an optional configuration that allows:
- Restricting requests made directly to the Load Balancer IP.
- Enabling this behavior through a self-service PaaS configuration rather than requiring infrastructure-level customizations.
Such a feature would help customers address recurring VAPT observations and align more easily with organizational security policies that mandate domain-only access to internet-facing applications.
We believe this capability would be a useful addition to the Liferay PaaS platform and would appreciate your consideration of this enhancement as a future product idea.