Define what network traffic is allowed to and from your VMs
Firewall rules define what network traffic is allowed to and from your virtual machines.
Each firewall rule consists of several components that work together to control network traffic:
Direction Control
Protocol Types
Traffic Flow Control
Ingress (Incoming)
Egress (Outgoing)
Network Protocol Selection
TCP (Transmission Control Protocol)
UDP (User Datagram Protocol)
ICMP (Internet Control Message Protocol)
Internet Protocol Version
IPv4
IPv6
To add a rule to an existing firewall:
Access Rule Management
From the firewall details page, or click the “Add Rule” button on the firewall card
Configure Direction
Select traffic direction:
Select Protocol
Choose the appropriate protocol:
Set IP Version
Choose IP version:
Configure IP Range
Enter remote IP range in CIDR format:
Set Port Range (TCP/UDP only)
For TCP and UDP protocols, specify port ranges:
Save Rule
Click “Add Rule” to save the configuration
For TCP and UDP protocols, you must configure port access:
Port Range Rules:
Specific Service Ports
Service | Protocol | Port | Min/Max Setting |
---|---|---|---|
SSH | TCP | 22 | Min: 22, Max: 22 |
HTTP | TCP | 80 | Min: 80, Max: 80 |
HTTPS | TCP | 443 | Min: 443, Max: 443 |
MySQL | TCP | 3306 | Min: 3306, Max: 3306 |
PostgreSQL | TCP | 5432 | Min: 5432, Max: 5432 |
Redis | TCP | 6379 | Min: 6379, Max: 6379 |
Service Port Ranges
Use Case | Protocol | Range | Min/Max Setting |
---|---|---|---|
FTP Data | TCP | 20-21 | Min: 20, Max: 21 |
HTTP Alt | TCP | 8000-8999 | Min: 8000, Max: 8999 |
Custom Apps | TCP | 3000-3010 | Min: 3000, Max: 3010 |
Gaming | UDP | 7000-7100 | Min: 7000, Max: 7100 |
Development | TCP | 8080-8090 | Min: 8080, Max: 8090 |
Standard Service Ports
Web Services:
Database Services:
System Services:
Remote IP ranges must follow CIDR notation for proper network specification:
IPv4 Validation
IPv4 Address Requirements
IPv6 Validation
IPv6 Address Requirements
HTTP/HTTPS Traffic
Purpose | Direction | Protocol | Port | Remote IP | Use Case |
---|---|---|---|---|---|
Public HTTP | Ingress | TCP | 80 | 0.0.0.0/0 | Public website |
Public HTTPS | Ingress | TCP | 443 | 0.0.0.0/0 | Secure website |
SSH Access | Ingress | TCP | 22 | Your IP/32 | Server management |
Health Check | Ingress | TCP | 80 | Load balancer IP | Monitoring |
REST API Services
Purpose | Direction | Protocol | Port | Remote IP | Use Case |
---|---|---|---|---|---|
API Endpoint | Ingress | TCP | 8080 | 0.0.0.0/0 | Public API |
Admin API | Ingress | TCP | 8443 | Admin IPs | Management |
Database | Egress | TCP | 5432 | DB Server IP | Data access |
External API | Egress | TCP | 443 | API Provider | External calls |
MySQL Database
MySQL Server Protection
Rule Purpose | Configuration | Security Notes |
---|---|---|
Application Access | Ingress TCP 3306 from app servers | Restrict to app server IPs only |
Admin Access | Ingress TCP 3306 from admin IPs | Use VPN or bastion host |
Backup Access | Ingress TCP 3306 from backup server | Dedicated backup network preferred |
SSH Management | Ingress TCP 22 from admin IPs | Essential for server management |
PostgreSQL Database
PostgreSQL Server Protection
Rule Purpose | Configuration | Security Notes |
---|---|---|
Application Access | Ingress TCP 5432 from app servers | Restrict to application subnet |
Replication | Ingress TCP 5432 from replica IPs | Master-slave replication |
Monitoring | Ingress TCP 5432 from monitoring | Database performance monitoring |
SSH Management | Ingress TCP 22 from admin IPs | Server administration |
Data Science Environment
Container Registry
System Monitoring
Network Diagnostics
Ping Access:
Traceroute Support:
Administrative Access
SSH Access:
VPN Access:
Start Restrictive
Begin with the most restrictive rules and gradually open access as needed
Document Purpose
Add clear descriptions to rules explaining their purpose and requirements
Use Specific IPs
Avoid 0.0.0.0/0 unless public access is truly required
Regular Review
Periodically audit rules and remove unnecessary access
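The rule components described above (direction, protocol, IP version, CIDR remote range, Min/Max port range for TCP/UDP) and the “avoid 0.0.0.0/0” guidance can be checked before a rule is saved. The following is an added example, not code from the firewall product or this page; the `Rule` model, field names and the choice to reject CIDRs with host bits set are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports that this page's own tables treat as administrative or database access:
# SSH, MySQL, PostgreSQL, Redis. Exposing them to any remote address is flagged.
ADMIN_AND_DB_PORTS = {22, 3306, 5432, 6379}

@dataclass(frozen=True)
class Rule:  # hypothetical model mirroring the fields in the "Add Rule" form
    direction: str            # "ingress" or "egress"
    protocol: str             # "tcp", "udp" or "icmp"
    ip_version: int           # 4 or 6
    remote_cidr: str          # remote IP range in CIDR notation
    port_min: Optional[int] = None   # TCP/UDP only (Min setting)
    port_max: Optional[int] = None   # TCP/UDP only (Max setting)

def validate_rule(rule: Rule) -> List[str]:
    """Return validation errors; an empty list means the rule is well-formed."""
    errors = []
    if rule.direction not in ("ingress", "egress"):
        errors.append("direction must be ingress or egress")
    if rule.protocol not in ("tcp", "udp", "icmp"):
        errors.append("protocol must be tcp, udp or icmp")
    try:
        # strict=True rejects e.g. 203.0.113.7/24 (host bits set), which is
        # not a proper network specification; an assumption for this example.
        net = ipaddress.ip_network(rule.remote_cidr, strict=True)
        if net.version != rule.ip_version:
            errors.append(f"CIDR is IPv{net.version} but rule is IPv{rule.ip_version}")
    except ValueError:
        errors.append(f"invalid CIDR: {rule.remote_cidr!r}")
    if rule.protocol in ("tcp", "udp"):
        if rule.port_min is None or rule.port_max is None:
            errors.append("TCP/UDP rules need a port range")
        elif not (1 <= rule.port_min <= rule.port_max <= 65535):
            errors.append("port range must satisfy 1 <= min <= max <= 65535")
    elif rule.port_min is not None or rule.port_max is not None:
        errors.append("ICMP rules carry no ports")
    return errors

def overly_broad(rule: Rule) -> bool:
    """True when a valid ingress rule opens an admin/database port to 0.0.0.0/0 or ::/0."""
    if rule.direction != "ingress" or rule.protocol not in ("tcp", "udp"):
        return False
    if validate_rule(rule):
        return False  # malformed rules are reported by validate_rule instead
    net = ipaddress.ip_network(rule.remote_cidr, strict=True)
    return net.prefixlen == 0 and any(
        rule.port_min <= p <= rule.port_max for p in ADMIN_AND_DB_PORTS)
```

Running `overly_broad` over an existing rule set is one way to do the periodic review recommended above: a wide Min/Max range such as 3000-3500 is flagged because it silently includes MySQL's 3306.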
Avoid These Common Errors:
Testing New Rules
Validation Process
Troubleshooting Rules
Common Debugging Steps
Remember that firewall rules may take up to 10 minutes to be fully applied after creation. Plan rule changes during maintenance windows to minimize service disruption.
Start with restrictive rules and gradually open access as needed. It’s much safer to start with limited access and expand than to start with broad access and try to restrict later.