Create a cloud firewall

Last update: November 12 2024

Create a cloud firewall

carefully

A cloud firewall has a basic property: all inbound and outbound traffic that is not allowed is denied. If you create a firewall without rules and assign it to a cloud router port, all traffic on the router's subnet will be denied. After creating a firewall on the router, all active sessions will be terminated.

Control panel

1. В control panels go to Cloud platform → Firewalls.

2. Click Create a firewall.

3. Select pool This is where the firewall will be created.

4. Optional: Select a private subnet with the cloud router for which you want to configure traffic filtering. The firewall is assigned to the cloud router port on this private subnet.

   Assign a firewall to a router port you can after you create a firewall.

5. Select the direction of traffic:

Incoming traffic

6. If templates with rules for incoming traffic Click on the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.

7. If there is no suitable template, add your own rule for incoming traffic. Click Add an incoming traffic rule.

8. Select an action:

   • Allow — Allow traffic;
   • Deny — Deny traffic.

9. Select a protocol: ICMP, TCP, UDP or All (Any).

10. Enter the traffic source (Source) — IP address, subnet, or all addresses (Any).

11. Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).

12. Enter the Destination — IP address, subnet, or Any. If you specify a subnet, the rule applies to all devices on the subnet.

13. Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

14. Enter a name for the rule or leave the name created automatically.

15. Optional: enter a comment for the rule.

16. Click Add. After creating a firewall, you can change the rule.

Outgoing traffic

6. If templates with rules for outbound traffic Click on the rule. The Protocol, Source, Source Port, Traffic Destination, and Destination Port fields will be filled in automatically. Proceed to step 14.

7. If there is no suitable template, add your own rule for outbound traffic. Click Add an outbound traffic rule.

8. Select an action:

   • Allow — Allow traffic;
   • Deny — deny traffic.

9. Select a protocol: ICMP, TCP, UDP or All (Any).

10. Enter the traffic source (Source) — IP address, subnet, or All (Any). If you specify a subnet, the rule applies to all devices on the subnet.

11. Enter the source port (Src. port) — a single port, a range of ports, or all ports (Any).

12. Enter the traffic destination (Destination) — IP address, subnet, or Any.

13. Enter the destination port (Dst. port) — a single port, a range of ports, or all ports (Any).

    Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

14. Enter a name for the rule or leave the name created automatically.

15. Optional: enter a comment for the rule.

16. Click Add. After creating the firewall, you can change the rule.

17. Check the order of the rules, they are executed in order in the list — from top to bottom. If necessary, change the order by dragging and dropping the rules. After creating the firewall, you can reorder.
18. Optional: To add another rule to the firewall, go to step 5. you can add up to 100 rules per traffic direction.
19. Enter the name of the firewall or leave the name created automatically.
20. Optional: enter a comment for the firewall.
21. Click Create a firewall.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a rule:

   openstack firewall group rule create \
       --action <action> \
       --protocol <protocol> \
       [--source-ip-address <source_ip_address> | --no-source-ip-address] \
       [--source-port <source_port> | --no-source-port] \
       [--destination-ip-address <destination_ip_address> | --no-destination-ip-address] \
       [--destination-port <destination_port> | --no-destination-port]

   Specify:

   • <action> — action:

     • allow — allow traffic;
     • deny — deny traffic;

   • <protocol> — Protocol:

     • icmp — ICMP;
     • tcp — TCP;
     • udp — UDP;
     • any — all the protocols;

   • traffic source:

     • --source-ip-address <source_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to an outbound policy, the rule will apply to all devices on the subnet;
     • --no-source-ip-address — all addresses (Any);

   • source port:

     • --source-port <source_port> — a single port or a range of ports;
     • --no-source-port — all ports (Any);

   • traffic assignment:

     • --destination-ip-address <destination_ip_address> — IP address or subnet. If you specify a subnet and assign this rule to a policy for inbound traffic, the rule will apply to all devices on the subnet;
     • --no-destination-ip-address — all addresses (Any);

   • port of call:

     • --destination-port <destination_port> — a single port or a range of ports;
     • --no-destination-port — all ports (Any).

     Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule.

3. Create a policy for the firewall:

   openstack firewall group policy create \
       --firewall-rule <firewall_rule> \
       <policy_name>

   Specify:

   • <firewall_rule> — ID or name of the rule. The list can be viewed with openstack firewall group rule list. To add multiple rules, separate their names or IDs with a space. Check the order of the rules, they are executed in order;
   • <policy_name> — the name of the policy.

4. Create a firewall:

   openstack firewall group create \
       [--ingress-firewall-policy <firewall_ingress_policy> | --no-ingress-firewall-policy] \
       [--egress-firewall-policy <firewall_egress_policy> | --no-egress-firewall-policy] \
       --port <router_port>

   Specify:

   • policy for inbound traffic:
     • --ingress-firewall-policy <firewall_ingress_policy> — ID or policy name for incoming traffic. The list can be viewed by openstack firewall group policy list. You can add only one policy for inbound traffic;
     • --no-ingress-firewall-policy — Specify if there is no policy for inbound traffic;
   • policy for outbound traffic:
     • --egress-firewall-policy <firewall_egress_policy> — ID or policy name for outbound traffic. The list can be viewed by openstack firewall group policy list. You can add only one policy for outbound traffic;
     • --no-egress-firewall-policy — Specify if there is no policy for outgoing traffic;
   • <router_port> — The ID or port name of the router to which the firewall will be assigned. You can view the list by openstack port list. To assign a firewall to more than one router port, list their names or IDs separated by a space.

Terraform

Use the instructions in the Terraform documentation:

• Create a cloud firewall;
• Example of building an infrastructure with a cloud firewall.