Cloud Firewall

Cloud Firewall is a free-to-use firewall that allows you to configure network security for private subnets and public IP addresses in the cloud platform.

Cloud Firewall operates in a stateful mode, which tracks the state of sessions. If traffic has passed through a port and a session has been established, return traffic within that session will pass even without a rule.

You can work with Cloud Firewall in the control panel, using OpenStack CLI or Terraform.

Cloud Firewall filters only traffic passing through a cloud router port; for more details, see the Filtered traffic subsection. If traffic arrives directly at a cloud server port, it cannot be filtered using the firewall; for such traffic, use security groups.

Cloud Firewall supports user roles and types.

Records of Cloud Firewall operations are saved in audit logs.

Filtered traffic

With the firewall, you can configure IPv4 traffic filtering for a private subnet, open and close specific ports or their ranges, and allow or deny access from specific IP addresses or subnets.

What traffic is filtered

Cloud Firewall filters all IPv4 traffic passing through the cloud router port to which it is assigned:

  • inbound traffic to a private subnet from another private subnet. The private subnets must belong to different private networks.

    Note: for example, private subnet 192.168.0.0/24 is in private network network_1, and private subnet 10.0.0.0/24 is in private network network_2. Traffic between devices in these subnets will be filtered.

    For more information about private networks and subnets, see the instructions in Cloud Platform Networks;

  • inbound traffic to a private subnet from the Internet, destined for the public IP addresses of devices (cloud servers and load balancers) associated with their private address via NAT 1:1;
  • outbound traffic — traffic from a private subnet to the Internet or another private subnet.

What traffic is not filtered

  • traffic between devices within a private subnet;

  • traffic between devices from different private subnets within the same private network.

    Note: for example, private subnet 192.168.0.0/24 and private subnet 10.0.0.0/24 are in the same private network network_1. Traffic between devices in these subnets will not be filtered;

  • traffic for public subnets. Public addresses from such subnets are assigned directly to devices, and traffic does not pass through the cloud router port.

How it works

Cloud Firewall is not a separate device. It is assigned to the internal port of a cloud router in a private subnet connected to that router. A firewall can be reused and assigned to multiple router ports simultaneously. You cannot assign more than one firewall to a single router port.

The firewall analyzes traffic against its filtering rules and filters two flows: inbound traffic entering the private subnet through the cloud router, and outbound traffic originating from that subnet. Firewall rules apply to an IP address, not to a specific cloud server or load balancer. If you attach a different public IP address to a device, or recreate the device with a different public IP, you must update the IP address in the rule for that traffic to continue being filtered.

Cloud Firewall uses the OpenStack model:

  • Firewall Groups (firewalls) contain policies. A single firewall can contain only one ingress policy for inbound traffic and one egress policy for outbound traffic;
  • Firewall Policies (firewall policies) are lists of firewall rules in a specific order;
  • Firewall Rules (firewall rules) are a set of parameters used to filter traffic: protocols, IP addresses, and ports. Rules are executed in the specified order. For more information on rules and parameters, see the Rules subsection.

For more information on the OpenStack model, see the FWaaS section of the OpenStack documentation.

When traffic passes between two private subnets connected to the same router, only the outbound rules of the firewall assigned to the router port of the source subnet are applied. If the firewall in the destination subnet has inbound rules configured for traffic from the source subnet, those rules are ignored.

Rules

Two policies (two lists of rules in a specific order) are configured for the cloud firewall — one for inbound and one for outbound traffic.

Rules are processed in the order they appear in the list, from top to bottom. If the first rule allows traffic to pass, it will be permitted, even if a deny rule is configured in the rules below.

The firewall analyzes traffic based on the following parameters in the rules:

  • traffic direction (policy) — inbound or outbound;
  • allow or deny traffic;
  • protocol — TCP, UDP, and ICMP protocols are supported;
  • source — IP address or subnet of the traffic source;
  • source port — port or range of ports of the traffic source;
  • destination — IP address or subnet of the traffic destination;
  • destination port — port or range of ports of the traffic destination.

Cloud Firewall has a basic property: all inbound and outbound traffic that is not explicitly allowed is denied. For example, if you create a firewall with no rules and assign it to a cloud router port, then until you add allow rules, traffic entering the private subnet connected to the router and traffic originating from that subnet will be denied.
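As an added example (not Servercore's or OpenStack's code), a small Python evaluator that walks a policy the way the text describes: rules are checked top to bottom, the first match decides, and anything no rule matches is denied. The `Rule` fields and the packet dictionary are assumptions chosen to mirror the rule parameters listed above; the sample policy and packets are constructed.

```python
# Added illustration of Cloud Firewall rule processing; not vendor code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                                          # "allow" or "deny"
    protocol: Optional[str] = None                       # "tcp", "udp", "icmp"; None = any
    source: Optional[str] = None                         # IP or CIDR; None = any
    destination: Optional[str] = None                    # IP or CIDR; None = any
    source_port: Optional[Tuple[int, int]] = None        # inclusive range; None = any
    destination_port: Optional[Tuple[int, int]] = None   # inclusive range; None = any

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        for cidr, key in ((self.source, "src"), (self.destination, "dst")):
            if cidr and ip_address(pkt[key]) not in ip_network(cidr, strict=False):
                return False
        for rng, key in ((self.source_port, "sport"), (self.destination_port, "dport")):
            # ICMP packets carry no ports, so a port-qualified rule never matches them
            if rng and not (rng[0] <= pkt.get(key, -1) <= rng[1]):
                return False
        return True

def evaluate(policy: list, pkt: dict) -> str:
    """Walk the policy top to bottom; the first matching rule decides.
    Traffic that no rule matches is denied (the firewall's implicit default)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed ingress policy: an allow-all SSH rule placed above a deny
# for one subnet. Because the allow sits first, the deny below never fires.
INGRESS = [
    Rule("allow", "tcp", destination_port=(22, 22)),
    Rule("deny", "tcp", source="203.0.113.0/24", destination_port=(22, 22)),
]
SSH_FROM_BLOCKED_NET = {"protocol": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10",
                        "sport": 51000, "dport": 22}
DNS_QUERY = {"protocol": "udp", "src": "198.51.100.7", "dst": "10.0.0.10",
             "sport": 4000, "dport": 53}

if __name__ == "__main__":
    print(evaluate(INGRESS, SSH_FROM_BLOCKED_NET))                  # allow: order wins
    print(evaluate(list(reversed(INGRESS)), SSH_FROM_BLOCKED_NET))  # deny: deny now first
    print(evaluate(INGRESS, DNS_QUERY))                             # deny: no rule matches
```

Swapping the two rules changes the verdict for the same packet, which is the ordering pitfall the text warns about; an empty policy denies everything.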

Firewall policies and rules can be reused only when working via the OpenStack CLI and Terraform — they can be assigned to multiple firewalls (Firewall Groups) simultaneously. In the control panel, you can use pre-configured templates with rules for traffic filtering, such as opening port 22 (SSH/TCP), port 80 (HTTP/TCP), port 443 (HTTPS/TCP), port 1194 (OpenVPN/UDP), port 3389 (RDP/TCP), ports 20-21 (FTP/TCP); opening standard ports for IPsec or WireGuard, and other rules.

Limitations

You cannot assign more than one firewall to a single router port.

In one project you can create no more than 10 firewalls. A single firewall contains two policies, one for each traffic direction. A single policy contains no more than 100 rules.

If you have configured NAT (port forwarding), port forwarding is performed first, followed by firewall rules.

In Servercore, some TCP/UDP ports are blocked by default.

Pricing

Cloud Firewall is free of charge.