Create a cloud firewall

Last update: June 11 2026

warning

A cloud firewall has a basic property: all incoming and outgoing traffic that is not allowed is denied. If you create a firewall without rules and assign it to a cloud router port, all traffic in the router subnet will be denied. After the firewall is created, all active sessions on the router will be interrupted.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.

2. Перейдите in раздел Файрволы.

3. Click Create firewall.

4. Select a location where the firewall will be created.

5. Optional: select a private subnet with a cloud router for which you want to configure traffic filtering. The firewall is assigned to the cloud router port in this private subnet.

   You can assign a firewall to a router port after the firewall is created.

6. Select the traffic direction:

Incoming traffic

7. If rule templates for incoming traffic work for you, click the rule. The protocol, source, source ports, destination, and destination port fields will be filled in automatically. Proceed to step 15.

8. If there is no suitable template, add your own rule for incoming traffic. Click Add incoming traffic rule.

9. Select an action:

   • Allow — allow traffic;
   • Deny — deny traffic.

10. Select a protocol: ICMP, TCP, UDP, or all protocols (Any).

11. Enter the traffic source (Source) — an IP address, a subnet, or all addresses (Any).

12. Enter the source port (Src. port) — a single port, a port range, or all ports (Any).

13. Enter the traffic destination (Destination) — an IP address, a subnet, or all addresses (Any). If you specify a subnet, the rule will apply to all devices in the subnet.

14. Enter the destination port (Dst. port) — a single port, a port range, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default will be denied, even if you specify this port in the rule.

15. Enter a firewall rule name or leave the name that was created automatically.

16. Optional: enter a comment for the rule.

17. Click Add. After the firewall is created, you can edit the rule.

Outgoing traffic

7. If rule templates for outgoing traffic work for you, click the rule. The protocol, source, source ports, destination, and destination port fields will be filled in automatically. Proceed to step 15.

8. If there is no suitable template, add your own rule for outgoing traffic. Click Add outgoing traffic rule.

9. Select an action:

   • Allow — allow traffic;
   • Deny — deny traffic.

10. Select a protocol: ICMP, TCP, UDP, or all protocols (Any).

11. Enter the traffic source (Source) — an IP address, a subnet, or all addresses (Any). If you specify a subnet, the rule will apply to all devices in the subnet.

12. Enter the source port (Src. port) — a single port, a port range, or all ports (Any).

13. Enter the traffic destination (Destination) — an IP address, a subnet, or all addresses (Any).

14. Enter the destination port (Dst. port) — a single port, a port range, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default will be denied, even if you specify this port in the rule.

15. Enter a firewall rule name or leave the name that was created automatically.

16. Optional: enter a comment for the rule.

17. Click Add. After the firewall is created, you can edit the rule.

18. Check the rule order; they are executed in the order they appear in the list, from top to bottom. If necessary, change the order by dragging the rules. After the firewall is created, you can change the rule order.
19. Optional: to add another rule to the firewall, go to step 6. You can add up to 100 rules for each traffic direction.
20. Enter a firewall name or leave the name that was created automatically.
21. Optional: enter a comment for the firewall.
22. Click Create firewall.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a rule:

   openstack firewall group rule create \
       --action <action> \
       --protocol <protocol> \
       [--source-ip-address <source_ip_address> | --no-source-ip-address] \
       [--source-port <source_port> | --no-source-port] \
       [--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
       [--destination-port <destination_port> | --no-destination-port]

   Specify:

   • <action> — action:

     • allow — разрешить трафик;
     • deny — отклонить трафик;

   • <protocol> — protocol:

     • icmp — ICMP;
     • tcp — TCP;
     • udp — UDP;
     • any — все протоколы;

   • traffic source:

     • --source-ip-address <source_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to an outgoing traffic policy, the rule will apply to all devices in the subnet;
     • --no-source-ip-address — all addresses (Any);

   • source port:

     • --source-port <source_port> — a single port or a port range;
     • --no-source-port — all ports (Any);

   • traffic destination:

     • --destination-ip-address <destination_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to an incoming traffic policy, the rule will apply to all devices in the subnet;
     • --no-destination-ip-address — all addresses (Any);

   • destination port:

     • --destination-port <destination_port> — a single port or a port range;
     • --no-destination-port — all ports (Any).

     Traffic to any TCP/UDP port blocked in Selectel by default will be denied, even if you specify this port in the rule.

3. Create a firewall policy:

   openstack firewall group policy create \
       --firewall-rule <firewall_rule> \
       <policy_name>

   Specify:

   • <firewall_rule> — rule ID or name. You can view the list using the openstack firewall group rule list command. To add multiple rules, separate their names or IDs with a space. Check the rule order; they are executed in the order they appear;
   • <policy_name> — policy name.

4. Create a firewall:

   openstack firewall group create \
       [--ingress-firewall-policy <firewall_ingress_policy> | --no-ingress-firewall-policy] \
       [--egress-firewall-policy <firewall_egress_policy> | --no-egress-firewall-policy] \
       --port <router_port>

   Specify:

   • incoming traffic policy:
     • --ingress-firewall-policy <firewall_ingress_policy> — incoming traffic policy ID or name. You can view the list using the openstack firewall group policy list command. You can add only one incoming traffic policy;
     • --no-ingress-firewall-policy — specify this if there is no incoming traffic policy;
   • outgoing traffic policy:
     • --egress-firewall-policy <firewall_egress_policy> — outgoing traffic policy ID or name. You can view the list using the openstack firewall group policy list command. You can add only one outgoing traffic policy;
     • --no-egress-firewall-policy — specify this if there is no outgoing traffic policy;
   • <router_port> — router port ID or name to which the firewall will be assigned. You can view the list using the openstack port list command. To assign a firewall to multiple router ports, list their names or IDs separated by a space.

Terraform

Use the instructions in the Terraform documentation:

• Create a cloud firewall;
• Example of building infrastructure with a cloud firewall.