Firewall rules define what network traffic is allowed to and from your virtual machines.

Rule Components

Each firewall rule consists of several components that work together to control network traffic:

Traffic Direction

Direction Control

  • Ingress: Incoming traffic to your VM
  • Egress: Outgoing traffic from your VM
  • Rules can be specific to direction
  • Different rules may apply for each direction

Protocol Specification

Protocol Types

  • TCP: Reliable, connection-oriented transport (web services, SSH, databases)
  • UDP: Connectionless datagram transport (DNS, streaming, real-time traffic)
  • ICMP: Network diagnostic and control messages (ping, traceroute replies); ICMP has no ports
  • The protocol determines the available configuration options: port ranges apply to TCP and UDP only

Core Rule Elements

Traffic Flow Control

Ingress (Incoming)

  • Controls traffic coming into your VM
  • Typical for services your VM provides
  • Examples: Web servers, databases, SSH access
  • Source IP restrictions apply to incoming connections

Egress (Outgoing)

  • Controls traffic leaving your VM
  • Typical for services your VM consumes
  • Examples: API calls, database connections, internet access
  • Destination IP restrictions apply to outgoing connections

Adding Firewall Rules

To add a rule to an existing firewall:

1. Access Rule Management

Open the firewall details page, or click the “Add Rule” button on the firewall card.

2. Configure Direction

Select the traffic direction:

  • Ingress: For incoming traffic (most common)
  • Egress: For outgoing traffic

3. Select Protocol

Choose the appropriate protocol:

  • TCP: For web services, SSH, databases
  • UDP: For DNS, streaming, real-time applications
  • ICMP: For ping and network diagnostics

4. Set IP Version

Choose the IP version; it must match the address family of the remote IP range you enter in the next step:

  • IPv4: Standard choice for most applications
  • IPv6: For applications that must be reachable over IPv6

5. Configure IP Range

Enter the remote IP range in CIDR format (the source for ingress rules, the destination for egress rules):

  • Specific IP: 203.0.113.1/32
  • IP Range: 192.168.1.0/24
  • All IPs: 0.0.0.0/0 (IPv4) or ::/0 (IPv6)

6. Set Port Range (TCP/UDP only)

For TCP and UDP protocols, specify the port range:

  • Single Port: Set both min and max to the same value
  • Port Range: Set minimum and maximum ports
  • Port Numbers: Must be between 1 and 65535

7. Save Rule

Click “Add Rule” to save the configuration.

Port Range Specifications

For TCP and UDP protocols, you must configure port access:

Port Configuration Requirements

Port Range Rules:

  • Port numbers must be between 1 and 65535
  • Minimum port must be less than or equal to maximum port
  • Both minimum and maximum ports must be specified together
  • For single port access, set both minimum and maximum to the same value
  • Port ranges are not applicable for ICMP protocol

Common Port Configurations

Specific Service Ports

Service    | Protocol | Port | Min/Max Setting
SSH        | TCP      | 22   | Min: 22, Max: 22
HTTP       | TCP      | 80   | Min: 80, Max: 80
HTTPS      | TCP      | 443  | Min: 443, Max: 443
MySQL      | TCP      | 3306 | Min: 3306, Max: 3306
PostgreSQL | TCP      | 5432 | Min: 5432, Max: 5432
Redis      | TCP      | 6379 | Min: 6379, Max: 6379

IP Range Validation

Remote IP ranges must follow CIDR notation for proper network specification:

IPv4 CIDR Examples

203.0.113.1/32
# Allows access from exactly one IP address

IPv6 CIDR Examples

2001:db8::1/128
# Allows access from exactly one IPv6 address

CIDR Validation Rules
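The checks the console applies in steps 2 through 6 above (direction, protocol, IP version, CIDR range and port range) can be run locally before a rule is submitted, which is useful when rules are generated from templates or scripts. The following is an added example and not the provider's own code; the field names direction, protocol, ip_version, remote_ip, port_min and port_max are assumptions, and the sample rules at the bottom are constructed for illustration. It uses Python's standard ipaddress module, whose strict mode also rejects a range with host bits set (192.168.1.1/24), a common sign that a host address was typed where a network was meant.

```python
"""Pre-flight validation of a firewall rule (added example, not provider code).

Encodes the constraints stated on this page: direction is ingress or egress,
protocol is tcp/udp/icmp, the remote range is valid CIDR matching the chosen
IP version, and TCP/UDP rules carry a port range 1..65535 with min <= max
while ICMP rules carry none. Field names (direction, protocol, ip_version,
remote_ip, port_min, port_max) are assumptions, not the provider's API.
"""
import ipaddress

DIRECTIONS = {"ingress", "egress"}
PROTOCOLS = {"tcp", "udp", "icmp"}
PORT_MIN, PORT_MAX = 1, 65535


def validate_rule(rule: dict) -> list:
    """Return a list of problems; an empty list means the rule is acceptable."""
    errors = []

    direction = rule.get("direction")
    if direction not in DIRECTIONS:
        errors.append(f"direction must be one of {sorted(DIRECTIONS)}, got {direction!r}")

    protocol = rule.get("protocol")
    if protocol not in PROTOCOLS:
        errors.append(f"protocol must be one of {sorted(PROTOCOLS)}, got {protocol!r}")

    ip_version = rule.get("ip_version")
    if ip_version not in (4, 6):
        errors.append(f"ip_version must be 4 or 6, got {ip_version!r}")

    # strict=True rejects ranges with host bits set (e.g. 192.168.1.1/24),
    # which usually means a host address was typed where a network was meant.
    remote = rule.get("remote_ip")
    try:
        network = ipaddress.ip_network(remote, strict=True)
    except ValueError as exc:
        errors.append(f"remote_ip is not a valid CIDR range: {exc}")
    else:
        if ip_version in (4, 6) and network.version != ip_version:
            errors.append(
                f"remote_ip {remote} is IPv{network.version} but ip_version is {ip_version}"
            )

    port_min, port_max = rule.get("port_min"), rule.get("port_max")
    if protocol == "icmp":
        # ICMP has no ports; a port range on an ICMP rule is a configuration error.
        if port_min is not None or port_max is not None:
            errors.append("port range is not applicable for icmp")
    elif protocol in ("tcp", "udp"):
        if port_min is None or port_max is None:
            errors.append("tcp/udp rules need both port_min and port_max")
        else:
            for name, value in (("port_min", port_min), ("port_max", port_max)):
                if not isinstance(value, int) or not PORT_MIN <= value <= PORT_MAX:
                    errors.append(
                        f"{name} must be an integer between {PORT_MIN} and {PORT_MAX}, got {value!r}"
                    )
            if isinstance(port_min, int) and isinstance(port_max, int) and port_min > port_max:
                errors.append(f"port_min ({port_min}) must be <= port_max ({port_max})")
    return errors


if __name__ == "__main__":
    # Constructed sample rules: the first two are valid, the rest deliberately wrong.
    samples = [
        {"direction": "ingress", "protocol": "tcp", "ip_version": 4,
         "remote_ip": "203.0.113.1/32", "port_min": 22, "port_max": 22},
        {"direction": "ingress", "protocol": "icmp", "ip_version": 6,
         "remote_ip": "2001:db8::/32"},
        {"direction": "ingress", "protocol": "tcp", "ip_version": 4,
         "remote_ip": "192.168.1.1/24", "port_min": 443, "port_max": 80},
        {"direction": "inbound", "protocol": "icmp", "ip_version": 4,
         "remote_ip": "::/0", "port_min": 8, "port_max": 8},
    ]
    for rule in samples:
        problems = validate_rule(rule)
        print("OK  " if not problems else "FAIL", rule)
        for problem in problems:
            print("      -", problem)
```

Run the validator over every rule in a change set and refuse to submit if any list comes back non-empty; the error strings are written so they can be shown directly to the person who authored the rule.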

Common Rule Configurations

Web Server Rules

HTTP/HTTPS Traffic

Purpose      | Direction | Protocol | Port | Remote IP        | Use Case
Public HTTP  | Ingress   | TCP      | 80   | 0.0.0.0/0        | Public website
Public HTTPS | Ingress   | TCP      | 443  | 0.0.0.0/0        | Secure website
SSH Access   | Ingress   | TCP      | 22   | Your IP/32       | Server management
Health Check | Ingress   | TCP      | 80   | Load balancer IP | Monitoring

Database Server Rules

Application-Specific Rules

Data Science Environment

Purpose: Jupyter Web Interface
Direction: Ingress
Protocol: TCP
Port: 8888
Remote IP: Your IP address or trusted network
Security: Use strong password and HTTPS

Network Diagnostic Rules

ICMP Rules

Network Diagnostics

Ping Access:

  • Direction: Ingress
  • Protocol: ICMP
  • IP Range: Your network, or 0.0.0.0/0 only if the host must answer ping from anywhere
  • Use: Network connectivity testing
  • Caveat: ICMP rules have no port range, and allowing ICMP from 0.0.0.0/0 lets anyone confirm the host is up, so prefer your own networks where possible

Traceroute Support:

  • Essential for network troubleshooting
  • Helps diagnose connectivity issues
  • Useful for performance analysis
  • Traceroute depends on ICMP replies (Linux traceroute sends UDP probes and expects ICMP answers; Windows tracert sends ICMP echo), so a host that should be traceable, or should run traceroute itself, needs ICMP allowed in the corresponding direction

Management Access

Administrative Access

SSH Access:

  • Direction: Ingress
  • Protocol: TCP
  • Port: 22
  • IP Range: Admin IPs only
  • Use: Secure server management

VPN Access:

  • Consider VPN for enhanced security
  • Reduces public IP exposure
  • Centralized access control

Security Best Practices

Rule Design Principles

1. Start Restrictive

Begin with the most restrictive rules and gradually open access as needed.

2. Document Purpose

Add clear descriptions to rules explaining their purpose and requirements.

3. Use Specific IPs

Avoid 0.0.0.0/0 unless public access is truly required.

4. Regular Review

Periodically audit rules and remove unnecessary access.

Common Security Mistakes

Avoid These Common Errors:

  • Overly Broad Access: Using 0.0.0.0/0 for internal services
  • Unnecessary Ports: Opening ports that aren’t actively used
  • Missing SSH Restrictions: Allowing SSH from any IP address
  • Ignoring Egress: Not controlling outbound traffic
  • Poor Documentation: Rules without clear purpose or ownership
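The mistakes listed above are mechanical enough to check automatically during the periodic review the best practices call for. The script below is an added example, not the provider's code: it walks an exported rule set and reports management and database ports (the ones in the service table earlier on this page) reachable from 0.0.0.0/0 or ::/0, port ranges far wider than a single service, rules with no description, and the absence of any egress rule. The rule field names, the name and description keys, and the severity levels are assumptions; the sample rule set is constructed for illustration.

```python
"""Audit a firewall's rule set for the common mistakes listed on this page
(added example, not provider code). Rule field names, the "name" and
"description" keys and the severity labels are assumptions; adapt them to
your API's export format.
"""
import ipaddress

# Ports this page treats as management or database services; it recommends
# admin IPs only for SSH and trusted networks for the rest.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 8888: "Jupyter"}
WIDE_RANGE_THRESHOLD = 1024  # flag ranges covering more ports than this


def allows_any_address(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules: list) -> list:
    """Return (severity, rule_name, message) tuples, one per finding."""
    findings = []
    has_egress = False
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        if rule.get("direction") == "egress":
            has_egress = True
        if not rule.get("description"):
            findings.append(("LOW", name, "no description or owner recorded"))
        if rule.get("protocol") not in ("tcp", "udp"):
            continue  # ICMP rules carry no ports, so the port checks do not apply
        lo, hi = rule["port_min"], rule["port_max"]
        width = hi - lo + 1
        if width > WIDE_RANGE_THRESHOLD:
            findings.append(("MEDIUM", name, f"port range {lo}-{hi} covers {width} ports"))
        if rule.get("direction") == "ingress" and allows_any_address(rule["remote_ip"]):
            for port, service in sorted(SENSITIVE_PORTS.items()):
                if lo <= port <= hi:
                    findings.append(("HIGH", name, f"{service} (port {port}) reachable from any address"))
    if not has_egress:
        findings.append(("INFO", "<firewall>",
                         "no egress rules: outbound traffic is not controlled by this firewall "
                         "(check the provider default)"))
    return findings


# Constructed sample rule set; not exported from a real firewall.
SAMPLE_RULES = [
    {"name": "public-https", "direction": "ingress", "protocol": "tcp",
     "remote_ip": "0.0.0.0/0", "port_min": 443, "port_max": 443, "description": "Public website"},
    {"name": "ssh-anywhere", "direction": "ingress", "protocol": "tcp",
     "remote_ip": "0.0.0.0/0", "port_min": 22, "port_max": 22, "description": ""},
    {"name": "wide-open-dev", "direction": "ingress", "protocol": "tcp",
     "remote_ip": "::/0", "port_min": 3000, "port_max": 9000, "description": "temporary dev access"},
    {"name": "postgres-from-app", "direction": "ingress", "protocol": "tcp",
     "remote_ip": "10.0.1.0/24", "port_min": 5432, "port_max": 5432, "description": "App subnet to DB"},
    {"name": "ping", "direction": "ingress", "protocol": "icmp",
     "remote_ip": "10.0.0.0/8", "description": "Internal ping"},
]

if __name__ == "__main__":
    for severity, name, message in audit_rules(SAMPLE_RULES):
        print(f"{severity:6} {name:18} {message}")
```

The public-https and postgres-from-app rules produce no findings, which is the point: a web port open to the world and a database port open only to an application subnet are exactly the configurations the tables on this page recommend. Tune SENSITIVE_PORTS and WIDE_RANGE_THRESHOLD to your own environment rather than treating the values here as a standard.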

Rule Testing and Validation

Remember that firewall rules may take up to 10 minutes to be fully applied after creation. Plan rule changes during maintenance windows to minimize service disruption, and verify each new rule from both an address it permits and one it should block rather than assuming it took effect.

Start with restrictive rules and gradually open access as needed. It is much safer to start with limited access and expand than to start with broad access and try to restrict later.
