Cloud Resources Overview
Cloud resources in EntryGuard represent the cloud infrastructure components where IP whitelisting rules are applied. When you start a session, EntryGuard automatically adds your IP address to the configured resources, and removes it when the session expires.
What is a Cloud Resource?
A cloud resource is a managed infrastructure component that controls network access through IP-based rules. In EntryGuard, each resource represents:
- AWS Security Groups - Ingress rules for EC2 instances, RDS databases, load balancers, etc.
- Azure Network Security Groups (NSG) - NSG rules for Azure VMs, subnets, and network interfaces
- Azure WAF Policy - IP allowlisting via custom rules on Azure Web Application Firewall policies
- APISIX Gateway - Route-level IP whitelisting for API gateways
- Vercel Firewall - Project-level IP allowlisting via Vercel WAF rules
- Agent-based (Script) - Custom IP whitelisting via your own apply/revoke scripts on any machine
- Agent-based (Tunnel) - Secure TCP tunnels to private network resources via the EntryGuard Agent
- GCP Firewall Rules - Placeholder (not yet implemented)
Resource Properties
Each cloud resource has the following properties:
| Property | Description |
|---|---|
id | Unique identifier (UUID) |
organizationId | Your organization ID |
name | Friendly name for the resource |
provider | Cloud provider: AWS, GCP, AZURE, APISIX, or VERCEL |
resourceType | Type of resource (e.g., SECURITY_GROUP) |
resourceIdentifier | Provider-specific ID (e.g., sg-0abc123def456789) |
region | Cloud region (e.g., eu-west-1, us-east-1) |
credentialId | ID of the credential used to manage this resource |
config | Optional JSON configuration (ports, protocols, etc.) |
isActive | Whether the resource is verified and operational |
lastVerifiedAt | Timestamp of last successful verification |
Resource Lifecycle
- Create - Add a resource via
POST /resourceswith credential, identifier, and region - Verify - EntryGuard automatically verifies the resource exists and credentials work
- Active - Verified resources are available for session IP whitelisting
- Update - Modify name or configuration as needed
- Delete - Remove resources no longer needed
Subscription Limits
The maximum number of resources you can create depends on your plan:
- Free - 5 resources
- Paid - Unlimited resources (usage-based)
You can view your current usage via GET /resources which includes limit information in the response.
Resource Configuration
Resources support optional configuration stored as JSON. For AWS Security Groups, common configurations include:
{
"port": 443,
"protocol": "tcp"
}
If not specified, defaults are:
- Port:
443 - Protocol:
tcp
Multiple ports can be managed by creating separate resources for the same Security Group with different port configurations.
Security Considerations
- Resources require valid cloud credentials to function
- EntryGuard only adds temporary IP rules with tracking metadata
- Existing rules in your Security Groups are never modified or deleted
- All EntryGuard-managed rules include a description tag for identification
- Resources are scoped to your organization - other orgs cannot access them