Option to Restrict Direct Access via Ingress Load Balancer IP in Liferay PaaS

Hi Liferay Team,

We would like to suggest a potential enhancement for Liferay PaaS that could benefit customers with stringent security and compliance requirements.

Currently, the Ingress Load Balancer IP remains publicly reachable as the network entry point to the Kubernetes cluster. While this is expected behavior and application access continues to be governed by ingress routing and authentication controls, security assessment teams frequently raise concerns regarding direct accessibility of the load balancer IP.

As a product enhancement, it would be valuable to provide customers with an optional configuration that allows:

  • Restricting requests made directly to the Load Balancer IP.
  • Enabling this behavior through a self-service PaaS configuration rather than requiring infrastructure-level customizations.

Such a feature would help customers address recurring VAPT observations and align more easily with organizational security policies that mandate domain-only access to internet-facing applications.

We believe this capability would be a useful addition to the Liferay PaaS platform and would appreciate your consideration of this enhancement as a future product idea.

Hey Ravi!
Thanks for bringing this up. This is Matheus, Product Manager for Cloud. Nice to e-meet you. :slight_smile:

Great news! We agree with you and We think that it makes total sense.

Have you heard about Cloud Native Experience - Liferay Official Documentation - Liferay Learn ?

We are leveraging top industry standards and implementing new features based on CNE that will be the future of our PaaS, such as this one that you just suggested.
I can confirm that it is mapped and will be in place. Although I don’t have a solid date yet, at least I can tell you that it is in the roadmap. Stay tuned!