Promiscuous Binding / Securing Tigergraph

Hello Team Tigergraph!

We noticed that some Tigergraph services seem to bind ports promiscuously to all available interfaces (e.g. Kafka on :::30002). For our use case, we’d like to restrict connections to only our application layer which resides on the same private subnet (e.g. 172.16.x.x), and disallow connections to/from world. Is there a way to specify the interface to bind or would we need to use a host based firewall? Are any ports used strictly for host-only interprocess communication and could be blocked from the subnet too?