Skip to main content
Firewall rules define what network traffic is allowed to and from your virtual machines.

Rule Components

Each firewall rule consists of several components that work together to control network traffic:

Traffic Direction

Direction Control
  • Ingress: Incoming traffic to your VM
  • Egress: Outgoing traffic from your VM
  • Rules can be specific to direction
  • Different rules may apply for each direction

Protocol Specification

Protocol Types
  • TCP: Reliable connection-based protocols
  • UDP: Connectionless, fast protocols
  • ICMP: Network diagnostic and control messages
  • Protocol determines available configuration options

Core Rule Elements

  • Direction
  • Protocol
  • IP Version
Traffic Flow ControlIngress (Incoming)
  • Controls traffic coming into your VM
  • Typical for services your VM provides
  • Examples: Web servers, databases, SSH access
  • Source IP restrictions apply to incoming connections
Egress (Outgoing)
  • Controls traffic leaving your VM
  • Typical for services your VM consumes
  • Examples: API calls, database connections, internet access
  • Destination IP restrictions apply to outgoing connections

Adding Firewall Rules

To add a rule to an existing firewall:
1

Access Rule Management

From the firewall details page or click “Add Rule” button on firewall card
2

Configure Direction

Select traffic direction:
  • Ingress: For incoming traffic (most common)
  • Egress: For outgoing traffic
3

Select Protocol

Choose the appropriate protocol:
  • TCP: For web services, SSH, databases
  • UDP: For DNS, streaming, real-time applications
  • ICMP: For ping and network diagnostics
4

Set IP Version

Choose IP version:
  • IPv4: Standard choice for most applications
  • IPv6: For modern applications requiring IPv6
5

Configure IP Range

Enter remote IP range in CIDR format:
  • Specific IP: 203.0.113.1/32
  • IP Range: 192.168.1.0/24
  • All IPs: 0.0.0.0/0 (IPv4) or ::/0 (IPv6)
6

Set Port Range (TCP/UDP only)

For TCP and UDP protocols, specify port ranges:
  • Single Port: Set both min and max to same value
  • Port Range: Set minimum and maximum ports
  • Port Numbers: Must be between 1 and 65535
7

Save Rule

Click “Add Rule” to save the configuration

Port Range Specifications

For TCP and UDP protocols, you must configure port access:

Port Configuration Requirements

Port Range Rules:
  • Port numbers must be between 1 and 65535
  • Minimum port must be less than or equal to maximum port
  • Both minimum and maximum ports must be specified together
  • For single port access, set both minimum and maximum to the same value
  • Port ranges are not applicable for ICMP protocol

Common Port Configurations

  • Single Ports
  • Port Ranges
  • Well-Known Ports
Specific Service Ports
ServiceProtocolPortMin/Max Setting
SSHTCP22Min: 22, Max: 22
HTTPTCP80Min: 80, Max: 80
HTTPSTCP443Min: 443, Max: 443
MySQLTCP3306Min: 3306, Max: 3306
PostgreSQLTCP5432Min: 5432, Max: 5432
RedisTCP6379Min: 6379, Max: 6379

IP Range Validation

Remote IP ranges must follow CIDR notation for proper network specification:

IPv4 CIDR Examples

203.0.113.1/32
# Allows access from exactly one IP address

IPv6 CIDR Examples

2001:db8::1/128
# Allows access from exactly one IPv6 address

CIDR Validation Rules

IPv4 Address Requirements
  • Address parts must be 0-255 (e.g., 192.168.1.100)
  • CIDR prefix must be 0-32 (e.g., /24, /16, /8)
  • Valid format: xxx.xxx.xxx.xxx/prefix
  • Cannot use broadcast or network addresses in single IP specifications
IPv6 Address Requirements
  • Must follow standard IPv6 format (e.g., 2001:db8::1)
  • CIDR prefix must be 0-128 (e.g., /64, /32, /128)
  • Supports compressed notation (:: for consecutive zeros)
  • Valid format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix

Common Rule Configurations

Web Server Rules

  • Basic Web Server
  • API Server
HTTP/HTTPS Traffic
PurposeDirectionProtocolPortRemote IPUse Case
Public HTTPIngressTCP800.0.0.0/0Public website
Public HTTPSIngressTCP4430.0.0.0/0Secure website
SSH AccessIngressTCP22Your IP/32Server management
Health CheckIngressTCP80Load balancer IPMonitoring

Database Server Rules

MySQL Server Protection
Rule PurposeConfigurationSecurity Notes
Application AccessIngress TCP 3306 from app serversRestrict to app server IPs only
Admin AccessIngress TCP 3306 from admin IPsUse VPN or bastion host
Backup AccessIngress TCP 3306 from backup serverDedicated backup network preferred
SSH ManagementIngress TCP 22 from admin IPsEssential for server management
PostgreSQL Server Protection
Rule PurposeConfigurationSecurity Notes
Application AccessIngress TCP 5432 from app serversRestrict to application subnet
ReplicationIngress TCP 5432 from replica IPsMaster-slave replication
MonitoringIngress TCP 5432 from monitoringDatabase performance monitoring
SSH ManagementIngress TCP 22 from admin IPsServer administration

Application-Specific Rules

  • Jupyter Notebook
  • Docker Registry
  • Monitoring Services
Data Science Environment
Purpose: Jupyter Web Interface
Direction: Ingress
Protocol: TCP
Port: 8888
Remote IP: Your IP address or trusted network
Security: Use strong password and HTTPS

Network Diagnostic Rules

ICMP Rules

Network DiagnosticsPing Access:
  • Direction: Ingress
  • Protocol: ICMP
  • IP Range: Your network or 0.0.0.0/0
  • Use: Network connectivity testing
Traceroute Support:
  • Essential for network troubleshooting
  • Helps diagnose connectivity issues
  • Useful for performance analysis

Management Access

Administrative AccessSSH Access:
  • Direction: Ingress
  • Protocol: TCP
  • Port: 22
  • IP Range: Admin IPs only
  • Use: Secure server management
VPN Access:
  • Consider VPN for enhanced security
  • Reduces public IP exposure
  • Centralized access control

Security Best Practices

Rule Design Principles

1

Start Restrictive

Begin with the most restrictive rules and gradually open access as needed
2

Document Purpose

Add clear descriptions to rules explaining their purpose and requirements
3

Use Specific IPs

Avoid 0.0.0.0/0 unless public access is truly required
4

Regular Review

Periodically audit rules and remove unnecessary access

Common Security Mistakes

Avoid These Common Errors:
  • Overly Broad Access: Using 0.0.0.0/0 for internal services
  • Unnecessary Ports: Opening ports that aren’t actively used
  • Missing SSH Restrictions: Allowing SSH from any IP address
  • Ignoring Egress: Not controlling outbound traffic
  • Poor Documentation: Rules without clear purpose or ownership

Rule Testing and Validation

Validation Process
  • Test rules in development environment first
  • Use network diagnostic tools to verify connectivity
  • Monitor application logs for connection issues
  • Validate both allowed and blocked traffic
Common Debugging Steps
  • Check rule order and precedence
  • Verify CIDR notation is correct
  • Confirm protocol and port specifications
  • Test from source IP to verify access
  • Review firewall logs for blocked connections
Remember that firewall rules may take up to 10 minutes to be fully applied after creation. Plan rule changes during maintenance windows to minimize service disruption.
Start with restrictive rules and gradually open access as needed. It’s much safer to start with limited access and expand than to start with broad access and try to restrict later.
I