Cloud Firewall
Cloud Firewall is a free-to-use firewall that allows you to configure network security for private subnets and public IP addresses in the cloud platform.
Cloud Firewall operates in stateful mode: it tracks the state of sessions. Once a session has been established through an allowed port, return traffic within that session passes without a separate rule.
You can work with Cloud Firewall in the control panel, using OpenStack CLI or Terraform.
Cloud Firewall filters only traffic that passes through a cloud router port; for details, see the Filtered traffic subsection. Traffic that arrives directly at a cloud server port cannot be filtered by the firewall; for such traffic, use security groups or operating system tools such as iptables. For more information, see the blog post Configuring iptables in Linux.
Cloud Firewall supports user roles and types.
Records of Cloud Firewall operations are saved in audit logs.
Filtered traffic
With the firewall, you can configure IPv4 traffic filtering for a private subnet, open and close specific ports or their ranges, and allow or deny access from specific IP addresses or subnets.
What traffic is filtered
Cloud Firewall filters all IPv4 traffic passing through the cloud router port to which it is assigned:
- inbound traffic to a private subnet from another private subnet. Private subnets must belong to different private networks:
For example, private subnet 192.168.0.0/24 is in private network network_1, and private subnet 10.0.0.0/24 is in private network network_2. Traffic between devices in these subnets will be filtered.
For more information about private networks and subnets, see the instructions in Cloud Platform Networks;
- inbound traffic to a private subnet from the Internet, destined for the public IP addresses of devices (cloud servers and load balancers) associated with their private address via NAT 1:1;
- outbound traffic — traffic from a private subnet to the Internet or another private subnet.
What traffic is not filtered
- traffic between devices within a private subnet;
- traffic between devices from different private subnets within the same private network:
For example, private subnet 192.168.0.0/24 and private subnet 10.0.0.0/24 are in the same private network network_1. Traffic between devices in these subnets will not be filtered.
- traffic of public subnets. Public addresses from such subnets are assigned directly to devices, so this traffic does not pass through the cloud router port.
How it works
Cloud Firewall is not a separate device. It is assigned to the internal port of a cloud router in a private subnet connected to that router. A firewall can be reused and assigned to multiple router ports simultaneously. You cannot assign more than one firewall to a single router port.
The firewall analyzes traffic and applies its filtering rules to it: inbound traffic entering the private subnet through the cloud router, and outbound traffic originating in that subnet. Firewall rules apply to an IP address, not to a specific cloud server or load balancer. If you attach a different public IP address to a device, or recreate the device with a different public IP address, you must update the IP address in the rule for its traffic to continue to be filtered.
Cloud Firewall uses the OpenStack model:
- Firewall Groups (firewalls) contain policies. A single firewall can contain only one ingress policy for inbound traffic and one egress policy for outbound traffic;
- Firewall Policies (firewall policies) are lists of firewall rules in a specific order;
- Firewall Rules (firewall rules) are a set of parameters used to filter traffic: protocols, IP addresses, and ports. Rules are executed in the specified order. For more information on rules and parameters, see the Rules subsection.
For more information on the OpenStack model, see the FWaaS section of the OpenStack documentation.
Example of a network with a cloud firewall that filters traffic to a private subnet from the Internet and traffic from the subnet to the Internet

Example of a network with two cloud firewalls on one cloud router that filter traffic between two private subnets
When traffic passes between two private subnets connected to the same router, only the outbound rules of the firewall assigned to the router port of the source subnet are applied. Inbound rules configured on the firewall in the destination subnet for traffic from the source subnet are ignored.

For example, for firewall 1, an allow rule is created for outbound traffic from subnet 192.168.0.0/24 to any subnet. Even if firewall 2 in subnet 10.10.0.0/24 has a deny rule for inbound traffic from subnet 192.168.0.0/24, it will be ignored. To deny access to subnet 10.10.0.0/24 from subnet 192.168.0.0/24, you must create a deny rule for outbound traffic to this subnet on firewall 1.
Rules
Two policies (two lists of rules in a specific order) are configured for the cloud firewall — one for inbound and one for outbound traffic.
Rules are processed in the order they appear in the list, from top to bottom. If the first rule allows traffic to pass, it will be permitted, even if a deny rule is configured in the rules below.
The firewall analyzes traffic based on the following parameters in the rules:
- traffic direction (policy) — inbound or outbound;
- allow or deny traffic;
- protocol — TCP, UDP, and ICMP protocols are supported;
- source — IP address or subnet of the traffic source;
- source port — port or range of ports of the traffic source;
- destination — IP address or subnet of the traffic destination;
- destination port — port or range of ports of the traffic destination.
Cloud Firewall applies an implicit default-deny rule: all inbound and outbound traffic that is not explicitly allowed is denied. For example, if you create a firewall with no rules and assign it to a cloud router port, then until you add allow rules, all traffic entering the private subnet connected to that router and all traffic originating from that subnet will be denied.
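The following is an added example and is not Selectel's or OpenStack's code. It models, in plain Python, the behaviour described in this subsection and in the How it works subsection: a firewall holds one ordered ingress policy and one ordered egress policy, rules are matched top to bottom with the first match winning, anything unmatched is denied, return traffic of an established session passes without a rule, and for traffic between two subnets on the same router only the egress policy on the source subnet's port is consulted. The Rule, Packet, Firewall and Router classes, the NAT 1:1 mapping and every address and port below are constructed for illustration.

```python
# Added example (not Selectel's or OpenStack's code): a toy model of how
# Cloud Firewall evaluates its policies. All classes, addresses and ports
# below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    protocol: Optional[str] = None           # "tcp", "udp", "icmp"; None = any
    source: Optional[str] = None             # IP or CIDR; None = any
    source_port: Optional[str] = None        # "22" or "20-21"; None = any
    destination: Optional[str] = None
    destination_port: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


def _addr_ok(spec: Optional[str], addr: str) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")            # single port or "lo-hi" range
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol in (None, pkt.protocol)
            and _addr_ok(rule.source, pkt.src)
            and _port_ok(rule.source_port, pkt.src_port)
            and _addr_ok(rule.destination, pkt.dst)
            and _port_ok(rule.destination_port, pkt.dst_port))


def evaluate_policy(policy: list, pkt: Packet) -> str:
    """Top to bottom, first match wins; no match at all means deny."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


@dataclass
class Firewall:
    ingress: list = field(default_factory=list)   # policy for inbound traffic
    egress: list = field(default_factory=list)    # policy for outbound traffic


class Router:
    """One firewall per subnet port, plus a session table for stateful return traffic."""

    def __init__(self, port_firewalls: dict, nat_1to1: Optional[dict] = None):
        self.ports = {ip_network(cidr): fw for cidr, fw in port_firewalls.items()}
        self.nat = nat_1to1 or {}                  # public IP -> private IP (NAT 1:1)
        self.sessions = set()

    def _subnet_of(self, addr: str):
        a = ip_address(self.nat.get(addr, addr))
        return next((net for net in self.ports if a in net), None)

    def forward(self, pkt: Packet) -> str:
        reverse = (pkt.protocol, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self.sessions:
            return "allow"                         # established session: no rule needed
        src_net, dst_net = self._subnet_of(pkt.src), self._subnet_of(pkt.dst)
        if src_net is not None:
            # Leaving a private subnet: only that port's egress policy applies. When the
            # destination is another subnet on this router, its ingress policy is ignored.
            verdict = evaluate_policy(self.ports[src_net].egress, pkt)
        elif dst_net is not None:
            # From the Internet to a public IP mapped by NAT 1:1: that subnet's ingress policy
            verdict = evaluate_policy(self.ports[dst_net].ingress, pkt)
        else:
            verdict = "deny"                       # not passing a filtered router port
        if verdict == "allow":
            self.sessions.add((pkt.protocol, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
        return verdict


def scenarios() -> dict:
    fw1 = Firewall(
        ingress=[Rule("allow", "tcp", destination="198.51.100.10", destination_port="22")],
        egress=[Rule("allow")],                    # allow all outbound
    )
    fw2 = Firewall(ingress=[Rule("deny", source="192.168.0.0/24")])   # ignored, see text
    router = Router({"192.168.0.0/24": fw1, "10.10.0.0/24": fw2},
                    nat_1to1={"198.51.100.10": "192.168.0.5"})
    out = {}
    out["subnet_to_subnet"] = router.forward(Packet("tcp", "192.168.0.5", "10.10.0.7", 40000, 80))
    out["return_traffic"] = router.forward(Packet("tcp", "10.10.0.7", "192.168.0.5", 80, 40000))
    out["ssh_from_internet"] = router.forward(Packet("tcp", "203.0.113.9", "198.51.100.10", 51000, 22))
    out["rdp_from_internet"] = router.forward(Packet("tcp", "203.0.113.9", "198.51.100.10", 51001, 3389))
    # Blocking 192.168.0.0/24 -> 10.10.0.0/24 needs an egress deny on fw1, placed above
    # the allow-all rule: the first matching rule wins.
    fw1.egress.insert(0, Rule("deny", destination="10.10.0.0/24"))
    out["after_egress_deny"] = router.forward(Packet("tcp", "192.168.0.6", "10.10.0.7", 40001, 80))
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Running the script shows the deny rule on firewall 2's ingress policy having no effect on traffic from 192.168.0.0/24, the reply from 10.10.0.7 passing through an otherwise empty egress policy because the session already exists, RDP from the Internet failing on the implicit default deny, and the inter-subnet traffic being blocked only once a deny rule is inserted above the allow-all rule in firewall 1's egress policy.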
Firewall policies and rules can be reused only when working via the OpenStack CLI and Terraform — they can be assigned to multiple firewalls (Firewall Groups) simultaneously. In the control panel, you can use pre-configured templates with rules for traffic filtering, such as opening port 22 (SSH/TCP), port 80 (HTTP/TCP), port 443 (HTTPS/TCP), port 1194 (OpenVPN/UDP), port 3389 (RDP/TCP), ports 20-21 (FTP/TCP); opening standard ports for IPsec or WireGuard, and other rules.
Limitations
You cannot assign more than one firewall to a single router port.
In one project you can create no more than 10 firewalls. A single firewall contains two policies, one for each traffic direction. A single policy contains no more than 100 rules.
If you have configured NAT (port forwarding), port forwarding is performed first, followed by firewall rules.
In Selectel, some TCP/UDP ports are blocked by default.
Pricing
Cloud Firewall is free of charge.