Product
MinIO Enterprise Object Store
Overview Architecture
Features
MinIO for Public Cloud
AWS GCS Azure
MinIO for Private Cloud
OpenShift SUSE Rancher Tanzu
MinIO for Baremetal
Linux and Windows
Determine your raw and usable capacity Erasure Code Calculator MinIO's Recommended Hardware Configuration Reference Hardware
Solutions
AI Storage Object storage is powering the AI revolution. Learn how MinIO is leading the AI storage market through performance at scale. Modern Datalakes Modern, multi-engine datalakes depend on object stores that deliver performance at scale. Learn more about this core MinIO use case. Hybrid Cloud Effective multi-cloud storage strategies rely on utilizing architecture and tools that can function seamlessly across diverse environments. Equinix Repatriate your data onto the cloud you control with MinIO on Equinix to lower costs while maintaining public cloud adjacency. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. Snowflake Query and analyze multiple data sources, including streaming data, residing on MinIO with the Snowflake Data Cloud. No need to move the data, just query using SnowSQL. SQL Server Discover how to pair SQL Server 2022 with MinIO to run queries on your data on any cloud - without having to move it. HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions. Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Integrations Browse our vast portfolio of integrations.
Community
GitHub Join our GitHub open source community: explore, experiment, ask questions, and contribute. Slack Channel The MinIO Community Slack provides an open forum for discussing topics related to MinIO. All support is provided on a best-effort basis.
Docs Blog Resources Training Partner Pricing Download

A Firewall Designed for Data: The MinIO Enterprise Object Store Firewall

AJ AJ on Enterprise Object Store
A Firewall Designed for Data: The MinIO Enterprise Object Store Firewall

While there are many firewalls out there, they generally fall into two categories: IP-based firewalls and application firewalls. IP-based firewalls, operating at Layer 3 & 4 are simple, lightweight and fairly primitive. They make decisions based on IP addresses and port numbers to permit or block network traffic. Application firewalls, on the other hand, operate at Layer 7 and primarily deal with web traffic, making decisions based on the contents of communication in the web application to permit or block network traffic.

They have their job and the best do them quite well. 

Neither IP-based firewalls nor application firewalls are designed for data. That is why we built the MinIO Enterprise Object Store Firewall – because in the modern enterprise, data is what must be protected and an S3-aware firewall doesn’t exist. 

The MinIO Enterprise Object Store Firewall is designed specifically to work with applications using MinIO object store and its API endpoints. The Enterprise Firewall is lightweight, powerful, flexible and extensible. It is managed directly from the MinIO Enterprise Console and supports:

  • Bandwidth throttling by Rx/Tx and throttling by Requests rate
  • Load balance across MinIO servers
  • Liveness port monitoring for high availability
  • Support health check for load balancer at separate port
  • Support for S3, SFTP and console endpoints
  • Auto-TLS, Let’s Encrypt support

We recommend everyone use the MinIO Enterprise Console for configuration. It allows the user to configure one or all of your MinIO instances with whatever rules you choose. The Enterprise Console will even allow for the upload of a YAML file if that is required.

You can configure the TLS certificates, ports for S3, Console, SFTP and Health check ports, along with the endpoints for the MinIO Object Store and more using the Enterprise Console.

The MinIO Object Store Firewall rules can be configured to apply to all buckets or specific object prefixes. Rules can be configured to allow or deny access to buckets, restrict bandwidth and request rate limits. Remember, the MinIO Object Storage Firewall is S3 API aware so there is remarkable flexibility in rule creation. One can even tighten IAM policies, but not loosen, since it operates at the data layer. This includes everything from DELETEs, the # of GET calls, how much, how often, how anonymous requests are dealt with, etc. 

A bucket or prefix-specific rule has precedence over a wildcard rule "*". If a bucket-specific rule is not specified for a particular API, the wildcard rule is applied, if specified. In other words, the rules get evaluated in order of most specific prefix to the least specific prefix.

Let’s take a couple of examples to get a better understanding of this.

In the below example, for objects in bucket mybucket1, the download and upload rate is throttled at 10MB/s with requests to s3.PutObject capped at 10 requests/sec.

The following rule throttles mybucket1 as well as all other buckets s3.GetObject requests to 100 requests/sec. This is because there is no specific rule in bucket: "mybucket*" for s3.GetObject so the wildcard rule "*" applies to mybucket1 as well.

But the  downloadRatePerSec and uploadRatePerSec will not apply to mybucket1 since the above rule takes precedence because it's more specific.

MinIO Object Store Firewall rule to deny all requests to myprefix prefix in mybucket bucket

MinIO Object Store Firewall rule to restrict upload and download bandwidth to 4MiB for mybucket bucket

Finally, we have the anonymous rule.

Any rule that does not match specifically for any of the prefixes will default to the anonymous rule. But even this could also be overridden for all (or specific) buckets as follows:

POP QUIZ!!!

I know, I hated these too back in high school, but I promise this one is very easy, or else it's on me for not explaining it well enough 😀.

If you had 2 buckets, mybucket809 and yourbucket901, using the rules below, what would be the rate of throttling for s3.ListObjectsV2 API call? Please note API's not specified in the Enterprise Firewall rules are allowed by default.

Highlight below to find out the answer

For mybucket809 its 100 requests/sec and for yourbucket901 its 10 requests/sec.

Was your answer correct?

Final Thoughts

As you can see that was an easy pop quiz because I did such a wonderful job of explaining the rules in detail 😁. But seriously, please go through the rules to ensure you have a good understanding of them and how they are prioritized.

The beauty of the MinIO Enterprise Object Store Firewall is that it's not only very easy to get up and running, which follows our ethos for any product we build, but also the simplicity of the rules. Gone are the days of complex IPtables policies that you cannot make heads or tails of. The Enterprise Firewall makes it simple by focusing on the rules that are needed for object store and its API calls. It is optimized to ensure there are no latency or unforeseen rules blocking access to your MinIO object store. Moreover, the Enterprise Firewall is fully supported by our awesome team at SUBNET where we can help you by architecting the Enterprise Firewall the right way to work with MinIO object store and troubleshoot any future issues.

So what are you waiting for? If you have any questions on MinIO Enterprise Object Store Firewall be sure to reach out to us on Slack or hello@min.io!

Previous Post Next Post
S3 Select Security Modern Data Lakes Apache Presto SQL Performance S3 Brand/Design Golang Programming Cloud Computing Microservices Docker AWS Kubernetes Apache Spark Open Source Benchmarks Integrations SUBNET Edge Computing Sidekick Secure-by-Design Splunk Veeam Intel Apache Nifi Immutability Software Defined Storage VMware Apache Arrow Hybrid Cloud Red Hat OpenShift Multicloud Scalability Cloud Field Day Cloud Native Apache Kafka Architect's Guide Awards Operator's Guide Security Advisory AI/ML AGPLv3 Apache Hadoop SFD Azure GCP Observability Analytics R H20 DirectPV DevOps Apache Iceberg Apache Hudi YouTube Summaries EKS Elastic Load Balancers CI/CD Object Storage Compliance opentelemetry BC/DR Storage Newsletter Predictions Best Practices Dremio New MinIO Features partners Small Files Databases DuckDB PostgreSQL Delta Lake Cloud Repatriation Python Object Lambdas Data Pipelines Cloud Operating Model Webhook ClickHouse Vector Database Events Value Engineering Change Data Capture Enterprise Object Store GitOps Case Study Equinix