CONCEPT Cited by 1 source
Default-closed routing¶
Definition¶
Default-closed routing (also: default-deny routing) is a layer-7 routing
posture in which the load balancer or reverse proxy answers every request
path with a fixed error (typically 403 Forbidden) unless that path matches
an entry in an explicit allowlist; only allowlisted paths are forwarded to
backend services. This inverts the common pattern in which the backend
receives all inbound traffic and enforces access control internally.
Why it matters¶
A default-open posture means every path the backend happens to expose — health check endpoints, debug pages, admin interfaces, internal APIs — is reachable unless specifically blocked. This creates a race between the security team blocking known-bad paths and attackers finding new ones.
Default-closed routing eliminates this race: paths must be explicitly promoted to the allowlist before they become reachable. A misconfigured or accidentally exposed backend endpoint is dead on arrival: the load balancer rejects the request before it reaches the application.
Canonical instance¶
The 2026-06-29 AWS dual-token authentication reference architecture applies default-closed routing at the ALB layer:
| Priority | Path | Target | Purpose |
|---|---|---|---|
| 1 | /healthcheck | Nakama | Health monitoring |
| 2 | /v2/account/authenticate/* | Nakama | Session bridge |
| 10 | /v2/* | Nakama REST API v2 | Game API |
| 11 | /v1/* | Nakama RPC v1 | RPC |
| Default | * | 403 Forbidden | Never reaches Nakama |
The default action is 403: a scanner probing arbitrary paths gets the same fixed response from the ALB for every unlisted path, whether or not the game server implements it, and never sees an error generated by Nakama itself. The ALB response therefore leaks nothing about which backend routes exist.
(Source: sources/2026-06-29-aws-dual-token-authentication-for-nakama-game-servers)
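The allowlist table above expressed as Terraform for an ALB, as an added example that is not code from the cited source or from the Nakama project. Resource names, the single `nakama` target group, the backend port 7350 (Nakama's default HTTP port), the `var.certificate_arn`/`var.vpc_id` variables and the security groups are assumptions made for illustration; the priorities, path patterns and the 403 default come from the table.

```hcl
# Added example (not from the cited source): default-closed ALB routing.
# Names, target group, port and variables are assumptions for illustration.

resource "aws_lb_target_group" "nakama" {
  name        = "nakama"
  port        = 7350 # assumed: Nakama's default HTTP port
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "ip"

  health_check {
    path    = "/healthcheck"
    matcher = "200"
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.game.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  # Default-closed: any request not matched by a rule below gets this
  # fixed response from the ALB and is never forwarded to a target.
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Forbidden"
      status_code  = "403"
    }
  }
}

# Listener rules are evaluated from the lowest priority number upward;
# the first matching rule wins. These mirror the table on this page.
locals {
  allowlist = {
    healthcheck = { priority = 1, paths = ["/healthcheck"] }
    session     = { priority = 2, paths = ["/v2/account/authenticate/*"] }
    api_v2      = { priority = 10, paths = ["/v2/*"] }
    rpc_v1      = { priority = 11, paths = ["/v1/*"] }
  }
}

resource "aws_lb_listener_rule" "allow" {
  for_each     = local.allowlist
  listener_arn = aws_lb_listener.https.arn
  priority     = each.value.priority

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.nakama.arn
  }

  condition {
    path_pattern {
      values = each.value.paths
    }
  }
}

# The ALB is only a chokepoint if nothing else can reach Nakama: admit
# traffic on the backend port solely from the ALB's security group
# (assumed security group resources).
resource "aws_security_group_rule" "nakama_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.nakama.id
  from_port                = 7350
  to_port                  = 7350
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}
```

Two things to check when applying this. ALB path patterns are matched case-sensitively against the raw request path, with `*` matching zero or more characters and `?` exactly one, so `/V2/foo` falls through to the 403 default rather than being normalised. And the session-bridge rule at priority 2 is already covered by `/v2/*` at priority 10; keeping it as its own rule does not widen the allowlist, it only lets the authentication paths be targeted separately (for example by a WAF rule or per-rule metrics). The final security-group rule is what makes the ALB allowlist meaningful: without it a client that can reach the instances directly bypasses the default-closed posture entirely.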
Relationship to other default-closed patterns¶
- concepts/default-closed-table-allowlist — same principle at the data-platform layer (tables inaccessible until explicitly approved).
- concepts/egress-sni-filtering — same principle in the outbound direction (only allowlisted domains can be reached from within the VPC).
- patterns/default-closed-alb-routing — the load-balancer-specific realization of this concept.
Seen in¶
- sources/2026-06-29-aws-dual-token-authentication-for-nakama-game-servers — ALB with explicit route allowlist