Networking

Each workspace has a virtual network interface with configurable firewall rules. You control what traffic goes in and out.

Network architecture

Internet ◄──► Oblien Edge ◄──► Workspace VM
                    │              │
                    │        ┌─────┴─────┐
                    │        │ Firewall   │
                    │        │ (per-VM)   │
                    │        └────────────┘
                    │
              ┌─────┴─────┐
              │ SSH Access │
              └────────────┘

Each workspace gets its own internal IP (e.g., 10.0.0.15)
All traffic passes through a per-VM firewall
Outbound internet is allowed by default (configurable)
Inbound traffic is denied by default (must explicitly open)

Internet access

By default, workspaces can reach the public internet. Disable this for sandboxed/untrusted code:

// Block outbound internet entirely
await ws.network.update(id, {
  allow_internet: false,
});

// Allow only specific hosts
await ws.network.update(id, {
  allow_internet: true,
  egress: ['api.github.com', 'registry.npmjs.org', 'cdn.jsdelivr.net'],
});

When allow_internet is false:

All outbound connections are blocked
The egress list is cleared
DNS still resolves but connections are refused

Firewall rules

Egress (outbound)

Control which external hosts the workspace can reach:

await ws.network.update(id, {
  egress: [
    'api.openai.com',       // Specific host
    '10.0.0.0/8',           // CIDR range
    'registry.npmjs.org',    // Package registry
  ],
});

Maximum 50 entries
Supports hostnames and CIDR notation
Only active when allow_internet: true

Ingress (inbound)

Control which sources can reach the workspace:

await ws.network.update(id, {
  ingress: ['10.0.0.0/8'],      // Allow from private network
  ingress_ports: [80, 443, 22], // Allow specific ports
  public_access: true,           // Allow from internet
});

ingress: allowed source hosts/CIDRs (max 50)
ingress_ports: allowed destination ports (max 50, range 1–65535)
public_access: enables the special host keyword for internet inbound

Public access

Expose workspace ports to the internet with auto-generated HTTPS URLs:

// Expose port 3000
const endpoint = await ws.publicAccess.expose(id, {
  port: 3000,
  label: 'Web Server',
});

console.log(endpoint.url);
// https://a1b2c3.preview.oblien.com

How it works:

The port is registered in the routing layer
A unique hash generates the subdomain
https://{hash}.preview.oblien.com → proxied to workspace port
HTTPS termination is automatic - your app serves plain HTTP

Key details:

Up to 20 ports per workspace
Preview URLs are public - anyone with the link can access
Workspace must be running to expose ports
Revoking a port removes the public endpoint immediately

Dedicated outbound IP

Route all outbound traffic through a specific IP address. Useful for allowlisting in third-party firewalls.

const result = await ws.network.applyOutboundIp(id, {
  assignment_id: 42,  // From your proxy assignment list
});

console.log(result.ip);       // "203.0.113.50"
console.log(result.country);  // "US"

This replaces the default shared outbound IP with a dedicated static IP that you control.

SSH access

SSH connections route through Oblien's SSH gateway - no public IP or port forwarding needed:

ssh root@{ssh_id} -J root@ssh.oblien.com

Enable SSH programmatically:

const ssh = await ws.ssh.enable(id);
// ssh.connection.command = "ssh root@abc123 -J root@ssh.oblien.com"

The SSH layer dynamically routes connections to the correct workspace.

Default configuration

New workspaces start with:

Setting	Default
`allow_internet`	`true`
`public_access`	`false`
`ingress`	`[]` (none)
`ingress_ports`	`[]` (none)
`egress`	`[]` (unrestricted when internet is on)
`outbound_ip`	Shared (no dedicated IP)
`ssh`	Disabled
`private_links`	`[]` (none - fully isolated)

Workspaces are network-dark on the inbound side by default - no workspace, gateway, or external service can connect until you explicitly open access.

Private links

Allow workspace-to-workspace communication over the internal network. Private links whitelist a specific workspace's IP in the target's firewall:

// Allow ws_agent to reach ws_target
await ws.network.update('ws_target', {
  private_link_ids: ['ws_agent'],
});

Key details:

Links are one-directional - A → B does not imply B → A
You send workspace IDs, not IPs - the platform resolves and configures automatically
The target's firewall only allows traffic from linked workspace IPs
Even linked workspaces need a valid connection token to authenticate requests

Learn more about workspace-to-workspace patterns in Workspace Networking.

API reference

See the Network API for the full endpoint reference.

On this page