Skip to main content

Exposing Ports

You can expose TCP ports to the outside world by specifying the ports you want to expose in the ports parameter. ports accepts a list, so you can expose multiple ports too. In the example below, we expose two ports:
  • 8888 for a Jupyter Notebook server
  • 3000 for a separate application or web server
from beam import Image, Pod

pod = Pod(
    image=Image(base_image="jupyter/base-notebook:latest"),
    ports=[8888, 3000],
    entrypoint=["start-notebook.py"],
)
Once your Pod is running, both ports will be available at a public URL.

Network Security

Blocking Outbound Traffic

You can block all outbound network access from your Pod while still allowing inbound connections to exposed ports. This is useful for security-sensitive workloads that shouldn’t communicate with external services. 
from beam import Image, Pod

pod = Pod(
    image=Image(base_image="python:3.11-slim"),
    ports=[8000],
    block_network=True,  # Block all outbound traffic
    entrypoint=["python", "-m", "http.server", "8000"],
)
With block_network=True, the Pod can receive requests on exposed ports but cannot make outbound connections to external services.

Allow Lists (CIDR Ranges)

For more fine-grained control, you can specify an allow list of CIDR ranges that your Pod is permitted to connect to. All other outbound traffic will be blocked. 
from beam import Image, Pod

pod = Pod(
    image=Image(base_image="python:3.11-slim"),
    ports=[8000],
    allow_list=[
        "8.8.8.8/32",      # Allow Google DNS
        "10.0.0.0/8",      # Allow private network range
        "2001:db8::/32",   # Allow IPv6 range
    ],
    entrypoint=["python", "app.py"],
)
Important Notes:
  • Maximum of 10 CIDR entries per Pod
  • Supports both IPv4 and IPv6 addresses
  • Must use proper CIDR notation (e.g., "8.8.8.8/32" for a single IP)
  • Cannot use allow_list and block_network together - they are mutually exclusive
  • Invalid CIDR values will trigger an error at creation time

Static IPs

Pods are served in a static IP range, making it possible to whitelist the Beam IP range from the client. For the static IP range, send us a message in Slack.