Computing resource services, such as web services, are typically exposed to customers at known service endpoints. A service endpoint may be associated with a set of Internet protocol (IP) addresses that point to physical components/properties of a service like a particular region, datacenter, load balancer or server. Given a service endpoint, customers and their applications may be directed to the IP addresses associated with the endpoint using Domain Name System (DNS) services and network-layer routing mechanisms. Over time, the set of IP addresses associated with an endpoint may change due to service expansion, component outages, load balancing and other reasons.
Traditionally, enterprise and government backend environments have used transport-layer firewalls to restrict network traffic to only a known set of IP addresses. Such firewalls are useful in protecting backend assets located in such environments, such as critical data-handling applications, but may be insufficient for integrating such backend environments with the web-based services described above. First, it is often challenging to manually update the firewalls to allow a potentially large number of dynamically changing IP addresses associated with service endpoints. Second, transport-layer firewall rules may be insufficient to detect application-level anomalies such as data leaks.
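The first limitation above, a static IP allowlist drifting away from the IP set an endpoint actually resolves to, can be made concrete with an added example (not part of the original text): it replays constructed DNS answers for a hypothetical endpoint `svc.example.test`, tracks the live IP set with TTL expiry, and reports which addresses a static rule set would wrongly block or needlessly keep open.

```python
# Added example: reconciling a static, IP-based firewall allowlist against the
# IP set a service endpoint currently resolves to. The DNS answers are
# constructed sample data, so the code runs offline with no network access.
from dataclasses import dataclass, field


@dataclass
class DnsAnswer:
    """One A-record lookup result for a (constructed) endpoint name."""
    name: str
    ips: frozenset
    ttl: int


@dataclass
class EndpointAllowlist:
    """Allowlist that follows an endpoint's IP set, expiring entries by TTL."""
    static_rules: frozenset
    expires_at: dict = field(default_factory=dict)  # ip -> expiry time

    def refresh(self, answer: DnsAnswer, now: int) -> dict:
        """Merge a fresh DNS answer and return the drift versus the static rules."""
        for ip in answer.ips:
            self.expires_at[ip] = now + answer.ttl
        # Drop addresses whose last observed TTL has run out.
        self.expires_at = {ip: t for ip, t in self.expires_at.items() if t > now}
        live = set(self.expires_at)
        return {
            "not_in_static": sorted(live - self.static_rules),   # static rules would block
            "stale_in_static": sorted(self.static_rules - live),  # static rules keep open
        }

    def allows(self, ip: str, now: int) -> bool:
        """True if the endpoint still advertised this address within its TTL."""
        return self.expires_at.get(ip, 0) > now


# Constructed lookups: between t=0 and t=100 the endpoint drops .10 and adds .12.
SAMPLE_ANSWERS = [
    (0, DnsAnswer("svc.example.test", frozenset({"198.51.100.10", "198.51.100.11"}), 60)),
    (100, DnsAnswer("svc.example.test", frozenset({"198.51.100.11", "198.51.100.12"}), 60)),
]


def drift_report(static_rules, answers=SAMPLE_ANSWERS) -> list:
    """Replay the lookups and collect, per lookup, the drift a static firewall misses."""
    acl = EndpointAllowlist(frozenset(static_rules))
    return [acl.refresh(answer, now) for now, answer in answers]
```

Running `drift_report({"198.51.100.10", "198.51.100.11"})` shows no drift at the first lookup and, at the second, that `198.51.100.12` would be blocked while `198.51.100.10` stays allowed although the endpoint no longer uses it.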