Firewalls
Control network access to your instances with powerful, flexible firewall rules.
What are Firewalls?
Firewalls provide network security by controlling inbound and outbound traffic to your instances:
- Rule-based Access: Define allowed and denied traffic
- IP Whitelisting: Restrict access by IP address
- Port Control: Open only necessary ports
- Multi-instance: Attach one firewall to multiple instances
- Stateful: Connection tracking, so return traffic for a connection you allowed is accepted without a separate rule in the other direction
Key Features
🔒 Security
- Control inbound and outbound traffic
- IP-based access control
- Port and protocol filtering
- Default deny: traffic that matches no allow rule is blocked
🎯 Flexibility
- Attach to multiple instances
- Support for CIDR blocks
- Custom port ranges
- Priority-based rule ordering
📊 Monitoring
- View active rules
- Track firewall status
- Audit rule changes
Getting Started
Create a Firewall
- Navigate to Firewalls in the main menu
- Click Create Firewall
- Enter a name and description
- Click Create Firewall
Add Firewall Rules
- Go to your firewall page
- Click Add Rule
- Configure the rule:
- Direction: Inbound or Outbound
- Action: Allow or Deny
- Protocol: TCP, UDP, or ICMP
- Port(s): Single port, comma-separated list, range, or "all"
- Source/Destination: IP address or CIDR block
- Click Add Rule
Attach to Instances
- Go to your firewall page
- Click Attach to Instances
- Select instances to attach
- Click Attach
Firewall Rules
Rule Components
Each firewall rule has:
- Direction: Inbound (incoming) or Outbound (outgoing)
- Action: Allow or Deny
- Protocol: TCP, UDP, ICMP, or All
- Port(s): Port number, comma-separated list, range, or "all"
- Source: IP address or CIDR (for inbound rules)
- Destination: IP address or CIDR (for outbound rules)
- Priority: Lower numbers = higher priority
Rule Examples
Allow SSH Access
- Direction: Inbound
- Action: Allow
- Protocol: TCP
- Port: 22
- Source: your-ip/32 (0.0.0.0/0 exposes SSH to the whole internet; restrict it to the addresses you administer from, as described under Best Practices)
Allow HTTP/HTTPS
- Direction: Inbound
- Action: Allow
- Protocol: TCP
- Ports: 80, 443
- Source: 0.0.0.0/0
Allow PostgreSQL from Specific IP
- Direction: Inbound
- Action: Allow
- Protocol: TCP
- Port: 5432
- Source: 192.168.1.100/32
Allow All Outbound
- Direction: Outbound
- Action: Allow
- Protocol: All
- Port: All
- Destination: 0.0.0.0/0
Deny Outbound SMTP (Anti-spam)
- Direction: Outbound
- Action: Deny
- Protocol: TCP
- Port: 25
- Destination: 0.0.0.0/0
- Priority: a lower number than your Allow All Outbound rule; if the broad allow is evaluated first, it matches port 25 traffic and the deny never takes effect
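As an added example (not part of this page and not the provider's own software), the following Python models the rule semantics described above: direction, action, protocol, a port spec in the same syntax the page uses elsewhere (single port, comma list, range, or "all"), a source or destination CIDR, and a numeric priority where the lowest number is evaluated first and anything unmatched is denied. The rule names, the admin address 203.0.113.10 and the assumption that the first matching rule in priority order decides are illustrative; the provider's actual engine is not shown on the page. The `misordered` function shows why the Deny Outbound SMTP rule needs a lower priority number than Allow All Outbound.

```python
"""Toy evaluator for the rule model this page describes (added example).
Assumption: rules are tried in ascending priority number and the first
match decides; traffic matching nothing is denied."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def parse_ports(spec: str) -> Optional[set[int]]:
    """'22', '80,443', '3000-4000' or 'all' (None means any port)."""
    if spec.strip().lower() == "all":
        return None
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "inbound" | "outbound"
    action: str      # "allow" | "deny"
    protocol: str    # "tcp" | "udp" | "icmp" | "all"
    ports: str       # port spec; ignored for icmp
    remote: str      # source CIDR (inbound) or destination CIDR (outbound)
    priority: int    # lower number = evaluated first

    def matches(self, direction: str, protocol: str,
                port: Optional[int], remote_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if protocol != "icmp":
            allowed = parse_ports(self.ports)
            if allowed is not None and port not in allowed:
                return False
        # strict=False so a CIDR with host bits set still matches its network
        return ip_address(remote_ip) in ip_network(self.remote, strict=False)


def evaluate(rules, direction: str, protocol: str,
             port: Optional[int], remote_ip: str) -> tuple[str, str]:
    """Return (action, rule name); unmatched traffic is denied by default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, protocol, port, remote_ip):
            return rule.action, rule.name
    return "deny", "default"


# The five Rule Examples from the page, with illustrative names/priorities.
# 203.0.113.10 stands in for "your IP" (documentation address range).
RULES = [
    Rule("allow-ssh-admin", "inbound", "allow", "tcp", "22", "203.0.113.10/32", 10),
    Rule("allow-web", "inbound", "allow", "tcp", "80,443", "0.0.0.0/0", 20),
    Rule("allow-postgres", "inbound", "allow", "tcp", "5432", "192.168.1.100/32", 30),
    Rule("deny-outbound-smtp", "outbound", "deny", "tcp", "25", "0.0.0.0/0", 10),
    Rule("allow-all-outbound", "outbound", "allow", "all", "all", "0.0.0.0/0", 100),
]


def misordered() -> tuple[str, str]:
    """Same rule set, but the SMTP deny gets a higher number (200) than the
    outbound allow-all (100): the allow matches first and the deny is dead."""
    rules = [r for r in RULES if r.name != "deny-outbound-smtp"]
    rules.append(Rule("deny-outbound-smtp", "outbound", "deny", "tcp", "25", "0.0.0.0/0", 200))
    return evaluate(rules, "outbound", "tcp", 25, "198.51.100.5")


if __name__ == "__main__":
    print(evaluate(RULES, "inbound", "tcp", 22, "198.51.100.7"))   # ('deny', 'default')
    print(evaluate(RULES, "outbound", "tcp", 25, "198.51.100.5"))  # ('deny', 'deny-outbound-smtp')
    print(misordered())                                            # ('allow', 'allow-all-outbound')
```

Run it with any Python 3.9 or later; no network access is needed, since it only evaluates the rule table against constructed packets.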
Common Configurations
Web Server
Inbound:
- Allow TCP 80 from 0.0.0.0/0
- Allow TCP 443 from 0.0.0.0/0
- Allow TCP 22 from your-ip/32
Outbound:
- Allow All to 0.0.0.0/0
Database Server
Inbound:
- Allow TCP 3306 from app-server-ip/32
- Allow TCP 22 from your-ip/32
Outbound:
- Allow All to 0.0.0.0/0
Redis Cache
Inbound:
- Allow TCP 6379 from app-server-subnet/24
- Allow TCP 22 from your-ip/32
Outbound:
- Allow All to 0.0.0.0/0
Development Server
Inbound:
- Allow TCP 22 from your-ip/32
- Allow TCP 80, 443 from 0.0.0.0/0
- Allow TCP 3000-4000 from your-ip/32
Outbound:
- Allow All to 0.0.0.0/0
IP Addressing
Single IP
Use /32 for a single IP address:
192.168.1.100/32
CIDR Blocks
Use CIDR notation for ranges:
192.168.1.0/24 # 192.168.1.0 - 192.168.1.255
10.0.0.0/16 # 10.0.0.0 - 10.0.255.255
Special Addresses
0.0.0.0/0 # All IPv4 addresses (anywhere)
your-ip/32 # Your specific IP only ("your-ip" is a placeholder for your own public IPv4 address)
10.0.0.0/8 # Private network range (RFC 1918; covers 10.0.0.0 - 10.255.255.255)
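As an added example (not from this page or the provider), the following Python uses the standard-library `ipaddress` module to work with the CIDR forms above: showing the address range a block covers, detecting a CIDR entered with host bits set (such as `192.168.1.100/24`, which a masking firewall treats as the whole `192.168.1.0/24`), testing whether an address falls inside a rule's source, and collapsing a list of single IPs into the fewest covering blocks, which is the "CIDR blocks instead of multiple single IPs" practice from the Best Practices section. The sample addresses are constructed.

```python
"""CIDR helpers for firewall sources/destinations (added example)."""
from ipaddress import ip_address, ip_network, collapse_addresses


def cidr_range(cidr: str) -> tuple[str, str]:
    """First and last address a block covers, e.g. 192.168.1.0/24 ->
    ('192.168.1.0', '192.168.1.255')."""
    net = ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def check_cidr(cidr: str) -> tuple[str, bool]:
    """Return (network actually matched, True if the entry was already clean).
    '192.168.1.100/24' has host bits set: a firewall that masks it matches
    all 256 addresses of 192.168.1.0/24, not the single host the author
    probably meant. Catch this before the rule goes live."""
    addr, _, _ = cidr.partition("/")
    net = ip_network(cidr, strict=False)
    return str(net), net.network_address == ip_address(addr)


def allows(cidr: str, ip: str) -> bool:
    """Would a rule with this source/destination CIDR match this address?"""
    return ip_address(ip) in ip_network(cidr, strict=False)


def collapse(ips: list[str]) -> list[str]:
    """Fewest CIDR blocks covering exactly the given addresses. Only
    contiguous, prefix-aligned runs merge; scattered hosts stay as /32s,
    so this never widens what the rule allows."""
    nets = (ip_network(ip if "/" in ip else ip + "/32") for ip in ips)
    return [str(n) for n in collapse_addresses(nets)]


if __name__ == "__main__":
    print(cidr_range("10.0.0.0/16"))             # ('10.0.0.0', '10.0.255.255')
    print(check_cidr("192.168.1.100/24"))        # ('192.168.1.0/24', False)
    print(collapse(["10.0.0.0", "10.0.0.1", "10.0.0.2", "10.0.0.3"]))  # ['10.0.0.0/30']
    print(collapse(["10.0.0.1", "10.0.0.2"]))    # ['10.0.0.1/32', '10.0.0.2/32']
```

The second `collapse` call is the case to remember: 10.0.0.1 and 10.0.0.2 are adjacent but not aligned, so no single block covers exactly those two; widening to 10.0.0.0/30 to "save a rule" would also admit 10.0.0.0 and 10.0.0.3.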
Managing Firewalls
Edit Firewall
- Go to your firewall page
- Update name or description
- Click Save Changes
Add/Remove Rules
- Go to your firewall page
- Click Add Rule or Delete on existing rules
- Changes apply immediately
Attach/Detach Instances
- Go to your firewall page
- Use Attach to Instances or Detach buttons
- Changes apply in seconds
Delete Firewall
- Detach from all instances first
- Go to firewall page
- Click Delete Firewall
- Confirm deletion
Best Practices
Security
- Least Privilege: Only allow necessary traffic
- Specific IPs: Use specific IPs instead of 0.0.0.0/0 when possible
- SSH Access: Restrict SSH to your IP
- Regular Audits: Review rules regularly
- Defense in Depth: Use firewalls + application security
Organization
- Naming Convention: Use descriptive names (e.g., "web-prod-fw")
- Documentation: Add descriptions to rules
- Reusability: Create firewalls for common use cases
- Separation: Separate firewalls for different environments
Performance
- Minimal Rules: Use as few rules as needed
- Order Matters: Give frequently matched rules the lowest priority numbers so they are evaluated first, but keep any deny rule that must override a broader allow ahead of that allow
- CIDR Blocks: Use CIDR blocks instead of multiple single IPs
Troubleshooting
Cannot Connect to Instance
- Check firewall rules allow traffic
- Verify correct port is open
- Check source IP is allowed
- Review firewall attachment
Accidental Lockout
- Use web console access
- Detach firewall from instance
- Fix rules
- Re-attach firewall promptly: while it is detached, the instance has none of this firewall's protection
Rules Not Working
- Check rule priority
- Verify protocol and port
- Ensure firewall is attached
- Review direction (inbound vs outbound)
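As an added example (not provider tooling), the following Python classifies a failed TCP connection from the client side, which narrows the checklist above. A firewall that silently drops packets produces a timeout, while a port with nothing listening produces "connection refused"; so a timeout on a port you believe is open points at the rules, the attachment, or your source IP, whereas a refusal means the traffic reached the instance and the service itself is the problem. The demo uses only a constructed loopback listener and a just-released loopback port, so it runs offline; it cannot produce the "filtered" outcome, which only appears against a real drop.

```python
"""Client-side TCP probe for firewall troubleshooting (added example)."""
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return one of:
    'open'        - TCP handshake completed
    'refused'     - host answered with RST: reachable, no listener (or a reject rule)
    'filtered'    - no answer before timeout: typical of a firewall drop
    'unreachable' - routing-level error (no route, network down)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def local_demo() -> dict[str, str]:
    """Constructed setup: one listening loopback socket (expect 'open') and
    one loopback port that was bound and released (expect 'refused')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now -> RST -> 'refused'

    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port, 1.0),
            "refused": probe_tcp("127.0.0.1", closed_port, 1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(local_demo())  # {'open': 'open', 'refused': 'refused'}
```

Against a real instance, call `probe_tcp("<instance-ip>", 22)` from the machine whose IP you put in the rule; if it reports "filtered" while the service is known to be running, work through the rule, port, source IP and attachment checks above before touching the service.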
Firewall Status
Statuses
- Active: Firewall is protecting instances
- Updating: Changes being applied
- Error: Issue with firewall configuration
Checking Status
- Go to your firewall page
- View status badge
- Check attached instances
Internal Instance Selection
Instances in the same project can be referenced directly in rules instead of by IP address:
Internal Sources
When creating rules, you can select:
- IP Addresses: Specific IPs or CIDR blocks
- Internal Instances: Other instances in your project
Benefits
- No need to remember IP addresses
- Automatic updates if instance IP changes
- Simplified management
Example
Allow database access from specific app servers:
- Create inbound rule for port 3306
- Select "Internal Instances" as source
- Choose your app server instances
- Click Add Rule
Advanced Features
Source-based Filtering
Match rules on:
- IP address or CIDR
- Specific instances in your project
- Private network subnets
Port Ranges
Specify multiple ports:
22 # Single port
80,443 # Multiple ports
3000-4000 # Port range
Protocol Options
- TCP: Web, SSH, databases
- UDP: DNS, VPN
- ICMP: Ping, traceroute
- All: All protocols
Next Steps
Need help? Contact our support team through the dashboard.