
ACL on Cloud Next: Self-Referential Outgoing Drupal HTTP Requests and Varnish

Submitted by admin on



How It Works

When your Drupal app makes an outbound curl request to its own domain (e.g. calling its own REST API, JSON:API, or any self-referencing endpoint), the request flows like this:

Drupal PHP Process
  → outbound curl to https://mysite.com/api/endpoint
    → hits the load balancer
      → hits Varnish
        → Varnish checks client.ip against ACL
          → if IP not in allowlist → 403 Forbidden ❌
          → if IP in allowlist → passes through to PHP ✅

The request is treated like any other external request — it goes out and comes back in through Varnish, not via localhost.



Common Scenarios Where This Matters

  • Drupal calling its own JSON:API or REST endpoints
  • Drush or cron jobs making HTTP requests to the site
  • Acquia Purge module sending cache invalidation requests
  • Any custom module using \Drupal::httpClient() or curl to call its own domain

The Fix

Make sure your Web EIP (Elastic IP) addresses are in the allowlist. Acquia actually calls this out specifically — on Cloud Next, purge requests come from Web EIP addresses and will be blocked if not allowlisted:

vcl
acl allowlist_mysite {
    "203.0.113.10";   # Web EIP 1
    "203.0.113.11";   # Web EIP 2
}

You can find your Web EIP addresses in the Acquia Cloud UI under your environment's infrastructure details, or by asking Acquia Support.


Key Distinction

| Request Type | Goes Through Varnish? | Needs to be in ACL? |
|---|---|---|
| Outbound curl to own domain | ✅ Yes | ✅ Yes |
| Internal localhost request | ❌ No | ❌ No |
| Database calls | ❌ No | ❌ No |

So if you ever see mysterious 403s on self-referencing curl calls in your Drupal logs, a missing Web EIP in the Varnish ACL is the first place to look.


To get a machine's IP address, we have a few options depending on what you need:

bash
# Most common: shows all network interfaces and IPs
ip addr show
# Shorter form of the same command
ip a
# All IP addresses assigned to the host, on one line (handy for scripting)
hostname -I
# Old-school (may need net-tools installed)
ifconfig

On Acquia Cloud Next specifically, to find your Web EIP (the public-facing IP Varnish sees):

bash
# Shows the external IP as seen from outside
curl ifconfig.me
# Or
curl icanhazip.com

The curl ifconfig.me approach is most useful on Acquia because it shows the actual public IP that Varnish would see as client.ip — which is what needs to be in your ACL allowlist.
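
To audit this before a deploy, the sketch below parses an `acl` block like the one above and reports which egress IPs are not covered by it. It is an added example, not code from Acquia or from the original post; the function names, the CIDR entry, and the sample egress list are constructed for illustration. An address matching a negated (`!`) entry is treated as blocked, which is a conservative assumption.

```python
import ipaddress
import re

# Constructed sample: the allowlist from the page plus one constructed CIDR entry.
SAMPLE_VCL = '''
acl allowlist_mysite {
    "203.0.113.10";   # Web EIP 1
    "203.0.113.11";   # Web EIP 2
    "198.51.100.0"/28;  # constructed CIDR entry
}
'''

# One ACL entry: optional "!", quoted address, optional /prefix outside the quotes.
ENTRY = re.compile(r'(!?)\s*"([^"]+)"(?:\s*/\s*(\d+))?\s*;')

def parse_acl(vcl_text, acl_name):
    """Return (allowed, denied) network lists for the named VCL acl block."""
    block = re.search(r'acl\s+' + re.escape(acl_name) + r'\s*\{(.*?)\}', vcl_text, re.S)
    if block is None:
        raise ValueError(f"acl {acl_name!r} not found")
    # Drop '#' and '//' line comments before matching entries.
    body = re.sub(r'(#|//)[^\n]*', '', block.group(1))
    allowed, denied = [], []
    for neg, addr, prefix in ENTRY.findall(body):
        try:
            net = ipaddress.ip_network(addr + ('/' + prefix if prefix else ''), strict=False)
        except ValueError:
            continue  # hostname entry; not resolved in this offline check
        (denied if neg else allowed).append(net)
    return allowed, denied

def missing_from_acl(vcl_text, acl_name, egress_ips):
    """Return the egress IPs whose self-referential requests would get a 403."""
    allowed, denied = parse_acl(vcl_text, acl_name)
    missing = []
    for raw in egress_ips:
        ip = ipaddress.ip_address(raw.strip())
        # Assumption: an address covered by a negated entry counts as blocked.
        ok = any(ip in n for n in allowed) and not any(ip in n for n in denied)
        if not ok:
            missing.append(str(ip))
    return missing

if __name__ == "__main__":
    # Constructed egress list; in practice, the `curl ifconfig.me` output from each web node.
    print(missing_from_acl(SAMPLE_VCL, "allowlist_mysite",
                           ["203.0.113.10", "203.0.113.12", "198.51.100.5"]))
```

Any address the function returns is one whose outbound requests to the site's own domain would be rejected by the ACL check shown in the flow at the top of the post.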