Firewalls

Feature overview

The Firewall feature lets you control which network connections are allowed to and from your virtual machines (VMs) using simple “allow” rules. A firewall resource is just a collection of rules. Each rule has:

  • Direction: inbound or outbound

  • Target addresses: an address group such as a specific IP, a CIDR range, or “All”

  • Service: protocol (TCP, UDP, ICMP) and optionally a port or port range

You can attach one or more firewalls to a VM.

Note the following concepts of rules application:

  • When multiple firewalls are attached, their allow rules combine permissively: traffic is allowed if any rule in any attached firewall allows it.

  • If there is only a single firewall and it has no rules, all traffic is blocked by default.

  • With multiple firewalls, even if one is empty, any allow rules from the others still apply.

  • Example 1: Empty + inbound HTTP

    • f1: no rules

    • f2: allow inbound TCP 80 from any

    • Result: Only inbound TCP 80 is allowed. Everything else is blocked.

  • Example 2: Same service, two source ranges

    • f1: allow inbound TCP 22 from 10.0.0.0/8

    • f2: allow inbound TCP 22 from 192.168.1.10

    • Result: Inbound SSH is allowed from both the 10.0.0.0/8 range and 192.168.1.10. Everything else is blocked.

How rules are evaluated

  • Inbound rules specify the source addresses that may reach the VM on the given service.

  • Outbound rules specify the destination addresses the VM may reach on the given service.

    • Note that there is no implicit or default rule allowing outgoing connections (although when you create a new firewall from the web UI, one is pre-filled for convenience).

  • Multiple attached firewalls = union of all allow rules.
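To make the evaluation semantics above concrete, here is a small rule evaluator, added as an example and not taken from the product's documentation or code, that implements the union-of-allow-rules and default-deny behaviour and replays the page's two examples. The probe addresses 203.0.113.5, 10.20.30.40 and 192.168.1.11 are constructed test values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule: direction, target address group, and service."""
    direction: str                            # "inbound" or "outbound"
    address: str                              # single IP, CIDR range, or "All"
    protocol: str                             # "tcp", "udp" or "icmp"
    ports: Optional[Tuple[int, int]] = None   # inclusive (low, high); None = any port (or ICMP)

    def matches(self, direction: str, peer: str, protocol: str, port: Optional[int]) -> bool:
        if self.direction != direction or self.protocol != protocol:
            return False
        if self.address != "All" and ipaddress.ip_address(peer) not in ipaddress.ip_network(self.address, strict=False):
            return False
        if self.ports is not None and (port is None or not self.ports[0] <= port <= self.ports[1]):
            return False
        return True


Firewall = List[Rule]  # a firewall resource is just a collection of rules


def is_allowed(firewalls: List[Firewall], direction: str, peer: str,
               protocol: str, port: Optional[int] = None) -> bool:
    """Allow if ANY rule in ANY attached firewall matches (union of allow rules); otherwise deny.
    `peer` is the source address for inbound traffic and the destination for outbound traffic."""
    return any(rule.matches(direction, peer, protocol, port)
               for fw in firewalls for rule in fw)


# The page's two examples rebuilt as lists of firewalls (each firewall is a list of rules).
EXAMPLE1 = [[],                                                   # f1: no rules
            [Rule("inbound", "All", "tcp", (80, 80))]]            # f2: inbound TCP 80 from any
EXAMPLE2 = [[Rule("inbound", "10.0.0.0/8", "tcp", (22, 22))],     # f1: inbound SSH from 10.0.0.0/8
            [Rule("inbound", "192.168.1.10", "tcp", (22, 22))]]   # f2: inbound SSH from one host

if __name__ == "__main__":
    print(is_allowed(EXAMPLE1, "inbound", "203.0.113.5", "tcp", 80))   # True: f2's rule applies despite empty f1
    print(is_allowed(EXAMPLE1, "inbound", "203.0.113.5", "tcp", 443))  # False: no rule for 443
    print(is_allowed(EXAMPLE1, "outbound", "203.0.113.5", "tcp", 80))  # False: no outbound rule, default deny
    print(is_allowed([[]], "inbound", "203.0.113.5", "tcp", 80))       # False: single empty firewall blocks all
    print(is_allowed(EXAMPLE2, "inbound", "10.20.30.40", "tcp", 22))   # True: inside 10.0.0.0/8
    print(is_allowed(EXAMPLE2, "inbound", "192.168.1.11", "tcp", 22))  # False: only 192.168.1.10 is listed
```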