By default, we only open the ports necessary for the application you have deployed.
How can I restrict access to my service by IP address?
From the Dashboard, select Security, then Show Settings on the Firewall row
From there you can modify, remove or add new rules to open a port from your service to the internet (or just to a specific target IP).
All services come preconfigured with firewall rules that match the software you are deploying.
You have to keep port 80 open to any ipv4/ipv6 or else Letsencrypt won't be able to generate an SSL certificate