Firewall & public ingress
EVEO manages a FortiGate hardware firewall at the perimeter of the LEF private cloud, along with our primary public IPv4 block. It is the control point for inbound internet traffic and remote collaborator access (SSL‑VPN).
All EVEO-hosted servers and services sit behind this perimeter device; only explicitly-forwarded public HTTP(S) traffic is exposed to the internet.
What it does
- Filters inbound traffic and forwards HTTP(S) to internal VIPs/services.
- Terminates SSL‑VPN (users sign in via Entra SSO) for access to internal services.
- Enforces that non-HTTP(S) services are not exposed publicly (SSH/DB/admin access stays VPN-only).
Public vs VPN rules (high level)
- Public internet: only HTTP/HTTPS forwarding to internal VIPs (no direct public SSH/DB/admin UIs).
- Operator/internal access: everything else goes via VPN (see VPN access).
- SSO/auth: SSL‑VPN uses FortiGate SAML-based sign-on via Microsoft Entra (see Entra SAML).
Entry points
- VPN portal (SSL‑VPN): https://vpn.lef.digital:10443/remote/login?lang=en
- EVEO portal (restricted): https://nuvemprivada.eveo.com.br/
For the current inventory tables (contract label, public IP block, VIP allocations), see Firewall & public ingress (reference).
Traffic flow (simplified)
How to request a change
The firewall and public IP forwarding are provider-managed. When you need a new public hostname or a new mapping, collect:
- affected domain(s) and public IP (if known)
- target internal VIP and port(s) (usually 80/443)
- why the change is needed + expected impact
Then route the request via Infra to EVEO.
If the change includes a new hostname:
- Confirm where the site is hosted (Hostinger vs EVEO private cloud): see Domains.
- Update DNS (authoritative provider) and, if needed, internal DNS: see dns.core.lef and DNS split horizon.
- Update the reverse proxy configuration on web.core.lef and issue TLS certificates: see SSL certificates for web servers.
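A pre-flight check for a change request, as an added example (not part of the original page and not EVEO or LEF tooling): it validates the request fields listed above against the public-vs-VPN rule before the request is routed. The field names, the function names and the assumption that internal VIPs use RFC 1918 addresses are hypothetical; the sample requests are constructed.

```python
import ipaddress
import re

# Assumptions (not from the page): VIPs are RFC 1918; field names are hypothetical.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_PORTS = {80, 443}  # page policy: only HTTP/HTTPS is forwarded publicly
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def in_rfc1918(value):
    """True/False for a parseable IP address, None if it does not parse."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return any(addr in net for net in RFC1918)

def validate_ingress_request(req):
    """Return a list of findings; an empty list means the request can be routed."""
    findings = []
    domains = req.get("domains") or []
    if not domains:
        findings.append("no affected domain listed")
    for d in domains:
        if not HOSTNAME.match(d.lower().rstrip(".")):
            findings.append(f"invalid hostname: {d}")
    ports = req.get("ports") or []
    if not ports:
        findings.append("no target port listed")
    for p in sorted(set(ports) - PUBLIC_PORTS):
        findings.append(f"port {p} is not HTTP(S); keep it VPN-only")
    vip = in_rfc1918(req.get("target_vip", ""))
    if vip is None:
        findings.append("target VIP is not a valid IP address")
    elif not vip:
        findings.append("target VIP is not an internal (RFC 1918) address")
    # Public IP is optional ("if known"); when given it must parse and not be private.
    if req.get("public_ip") and in_rfc1918(req["public_ip"]) is not False:
        findings.append("public IP is invalid or private")
    if not (req.get("reason") or "").strip():
        findings.append("missing reason / expected impact")
    return findings

# Constructed sample requests; hostnames and addresses are placeholders.
GOOD = {"domains": ["app.example.org"], "public_ip": "203.0.113.10",
        "target_vip": "10.20.0.15", "ports": [80, 443], "reason": "new public site"}
BAD = {"domains": ["db_admin.example.org"], "target_vip": "203.0.113.20",
       "ports": [443, 22, 5432], "reason": ""}

if __name__ == "__main__":
    print(validate_ingress_request(GOOD), validate_ingress_request(BAD), sep="\n")
```

The check only catches malformed or policy-breaking requests; it cannot tell whether a well-formed VIP is the right one for the service.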
Known risks / failure modes
- Forwarding points at the wrong internal VIP (service appears “down” publicly).
- SSL-VPN works but internal DNS/routing is broken (client can’t reach internal hostnames).
- Entra SSO issues prevent VPN login (identity side).