
Cloud Firewall

Cloud Firewall is a free-of-charge firewall that allows you to configure network security for private subnets and public floating IP addresses in the cloud platform.

Cloud Firewall operates in a stateful mode, which tracks the state of sessions. If traffic has passed through a port and a session has been established, return traffic within that session will pass even without a rule.

You can work with Cloud Firewall in the control panel, using the OpenStack CLI or Terraform.

Cloud Firewall filters only traffic passing through the cloud router port; for more details, see the Filtered traffic subsection. If traffic arrives directly at the cloud server port, it cannot be filtered by a firewall; to filter such traffic, use security groups.

Cloud Firewall supports user types and roles.

Records of Cloud Firewall operations are saved in audit logs.

Filtered traffic

With the firewall, you can configure IPv4 traffic filtering for a private subnet, open and close specific ports or their ranges, and allow or deny access from specific IP addresses or subnets.

What traffic is filtered

Cloud Firewall filters all IPv4 traffic passing through the cloud router port to which it is assigned:

  • inbound traffic to a private subnet from another private subnet. The private subnets must belong to different private networks.

    Note: for example, private subnet 192.168.0.0/24 is in private network network_1, and private subnet 10.0.0.0/24 is in private network network_2. Traffic between devices in these subnets will be filtered.

    Read more about private networks and subnets in the Cloud Platform Networks guide;

  • incoming traffic to a private subnet from the Internet, directed to the public floating IP addresses of devices (cloud servers and load balancers) that are associated with their private address via 1:1 NAT;
  • outbound traffic — traffic from a private subnet to the Internet or another private subnet.

What traffic is not filtered

  • traffic between devices within a private subnet;

  • traffic between devices from different private subnets within the same private network.

    Note: for example, private subnet 192.168.0.0/24 and private subnet 10.0.0.0/24 are in the same private network network_1. Traffic between devices in these subnets will not be filtered;

  • traffic for public subnets and direct public IP addresses. Such addresses are assigned directly to devices, and traffic does not pass through the cloud router port.

How it works

Cloud Firewall is not a separate device. It is assigned to the internal port of a cloud router in a private subnet connected to that router. A firewall can be reused and assigned to multiple router ports simultaneously. You cannot assign more than one firewall to a single router port.

The firewall uses the added filtering rules to analyze and filter traffic: incoming traffic passing to a private subnet through a cloud router, and traffic originating from that subnet. Firewall rules do not apply to a cloud server or load balancer directly, but to an IP address. If you have connected a different public floating IP address to a device or recreated it with a different public floating IP, update the IP address in the rule to keep the traffic filtered.

Cloud Firewall uses the OpenStack model:

  • Firewall Groups (firewalls) contain policies. A single firewall can contain only one ingress policy for inbound traffic and one egress policy for outbound traffic;
  • Firewall Policies (firewall policies) are lists of firewall rules in a specific order;
  • Firewall Rules are a set of parameters used to filter traffic: protocols, IP addresses, and ports. Rules are executed in the order they are specified. Read more about rules and parameters in the Rules subsection.

Read more about the OpenStack model in the FWaaS section of the OpenStack documentation.

When traffic passes between two private subnets connected to the same router, only the egress rules of the firewall assigned to the router port of the sending subnet are applied. Ingress rules for that traffic configured on the firewall of the receiving subnet are ignored.

Rules

Two policies (two lists of rules in a specific order) are configured for the cloud firewall — one for inbound and one for outbound traffic.

Rules are processed in the order they appear in the list, from top to bottom. If the first rule allows traffic to pass, it will be permitted, even if a deny rule is configured in the rules below.

The firewall analyzes traffic based on the following parameters in the rules:

  • traffic direction (policy) — inbound or outbound;
  • allow or deny traffic;
  • protocol — TCP, UDP, and ICMP protocols are supported;
  • source — IP address or subnet of the traffic source;
  • source port — port or range of ports of the traffic source;
  • destination — IP address or subnet of the traffic destination;
  • destination port — port or range of ports of the traffic destination.

Cloud Firewall has a basic property: all inbound and outbound traffic that is not explicitly allowed is denied. For example, if you create a firewall with no rules and assign it to a cloud router port, then until you add allow rules, traffic entering the private subnet connected to the router and traffic originating from that subnet will be denied.
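The following simulation is an added example, not Servercore's or OpenStack's code. It models the evaluation semantics described in this section: two ordered policies, first-match processing from top to bottom, default deny for anything unmatched, and stateful pass-through of return traffic for an established session. It also applies a port-forwarding table before the rules, as the Limitations section states; that the rules are then matched against the translated (private) destination is an assumption of this example. The addresses, rules and port-forwarding entry are constructed sample data.

```python
"""Simulation of Cloud Firewall rule evaluation (added example, not Servercore/OpenStack code)."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

PortRange = Tuple[int, int]          # inclusive (low, high)
Flow = Tuple[str, str, int, str, int]  # (protocol, src, sport, dst, dport)


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    protocol: Optional[str] = None           # "tcp", "udp", "icmp"; None = any
    source: Optional[str] = None             # IP address or CIDR; None = any
    source_port: Optional[PortRange] = None  # None = any
    destination: Optional[str] = None
    destination_port: Optional[PortRange] = None

    def matches(self, pkt: "Packet") -> bool:
        """Every parameter that is set on the rule must match the packet."""
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.source and ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if self.destination and ip_address(pkt.dst) not in ip_network(self.destination, strict=False):
            return False
        if self.source_port and not self.source_port[0] <= pkt.sport <= self.source_port[1]:
            return False
        if self.destination_port and not self.destination_port[0] <= pkt.dport <= self.destination_port[1]:
            return False
        return True


@dataclass
class Packet:
    direction: str   # "ingress" (into the private subnet) or "egress" (out of it)
    protocol: str
    src: str
    dst: str
    sport: int = 0   # 0 for ICMP
    dport: int = 0


@dataclass
class FirewallGroup:
    """One firewall: one ingress policy, one egress policy, plus session state."""
    ingress_policy: List[Rule] = field(default_factory=list)
    egress_policy: List[Rule] = field(default_factory=list)
    # (public_ip, public_port) -> (private_ip, private_port); constructed sample table
    port_forwarding: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    sessions: Set[Flow] = field(default_factory=set)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet crossing the router port."""
        # Step 1: port forwarding runs before the rules. Assumption of this example:
        # the rules then see the translated private destination address and port.
        key = (pkt.dst, pkt.dport)
        if pkt.direction == "ingress" and key in self.port_forwarding:
            new_dst, new_dport = self.port_forwarding[key]
            pkt = replace(pkt, dst=new_dst, dport=new_dport)
        # Step 2: stateful mode, return traffic of an allowed session needs no rule.
        flow: Flow = (pkt.protocol, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Flow = (pkt.protocol, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "allow", "established session"
        # Step 3: first matching rule in the policy decides; nothing matched = deny.
        policy = self.ingress_policy if pkt.direction == "ingress" else self.egress_policy
        for index, rule in enumerate(policy, start=1):
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions.add(flow)
                return rule.action, f"rule {index}"
        return "deny", "no matching rule (default deny)"


def build_demo_firewall() -> FirewallGroup:
    """Constructed sample: server 192.168.0.10 in 192.168.0.0/24 behind the router."""
    return FirewallGroup(
        ingress_policy=[
            Rule("allow", "tcp", destination="192.168.0.10", destination_port=(22, 22)),
            Rule("deny", "tcp", destination="192.168.0.10", destination_port=(22, 22)),  # never reached
            Rule("allow", "tcp", destination="192.168.0.0/24", destination_port=(443, 443)),
            Rule("allow", "icmp", source="10.0.0.0/24", destination="192.168.0.0/24"),
        ],
        egress_policy=[
            Rule("allow", "udp", source="192.168.0.0/24", destination_port=(53, 53)),
            Rule("allow", "tcp", source="192.168.0.0/24", destination_port=(443, 443)),
        ],
        port_forwarding={("203.0.113.5", 2222): ("192.168.0.10", 22)},
    )


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.evaluate(Packet("ingress", "tcp", "198.51.100.7", "192.168.0.10", 51000, 22)))
    print(fw.evaluate(Packet("egress", "tcp", "192.168.0.10", "198.51.100.7", 22, 51000)))
    print(fw.evaluate(Packet("ingress", "tcp", "198.51.100.7", "192.168.0.10", 51001, 3389)))
    print(fw.evaluate(Packet("ingress", "tcp", "198.51.100.7", "203.0.113.5", 51002, 2222)))
```

Two points the simulation makes visible: the deny rule placed second for port 22 never takes effect, because the allow above it wins, and the server's reply to an allowed SSH connection passes even though the egress policy has no rule for port 22. Swapping the first two ingress rules turns the SSH verdict into a deny, which is why rule order is the first thing to check when a rule does not behave as expected.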

Firewall policies and rules can be reused only when working via the OpenStack CLI and Terraform — they can be assigned to multiple firewalls (Firewall Groups) simultaneously. In the control panel, you can use pre-configured templates with rules for traffic filtering, such as opening port 22 (SSH/TCP), port 80 (HTTP/TCP), port 443 (HTTPS/TCP), port 1194 (OpenVPN/UDP), port 3389 (RDP/TCP), ports 20-21 (FTP/TCP); opening standard ports for IPsec or WireGuard, and other rules.

Limitations

You cannot assign more than one firewall to a single router port.

In one project, you can create up to 10 firewalls. One firewall can contain two policies, one for each traffic direction. One policy can contain up to 100 rules.

If you have configured NAT (port forwarding), the forwarding is performed first, and then the firewall rules are applied.

In Servercore, some TCP/UDP ports are blocked by default.

Pricing

Cloud Firewall is free of charge.