search

Firewalls

Firewalls for instances or nodes

Firewalls control network access to instances and optionally nodes. Roles are used to apply firewalls to instances and nodes. For instances the firewall must be in the same organization and have at least one matching role. For nodes the firewall must be in the organization that is labeled Node Firewall internally this is a null organization value and have a matching role. Additionally the Node Firewall option must be enabled in the node settings. Multiple firewalls can be applied to the same instance or node. To view what firewall rules are being applied to an instance hover over the Firewall Rules in the instance information.

hashtag
Pod Firewall Rules

Firewall rules can also be controlled by pod unit specs. These rules will not be shown in the firewalls tab but will be shown on the Firewall Rules hover option in the instance information. Firewall rules in the spec can use IPv4/IPv6 subnets or unit resource references such as +/unit/web-example as shown below. In the examples below web traffic is open to all IP addresses and a database server allows database traffic to units named web-example. Unit references cannot be used when creating firewall rules in the firewalls section.

---
name: nginx-firewall
kind: firewall
ingress:
    - protocol: tcp
      port: 80
      source:
        - 0.0.0.0/0
    - protocol: tcp
      port: 443
      source:
        - 0.0.0.0/0

---
name: mongo-firewall
kind: firewall
ingress:
    - protocol: tcp
      port: 27017
      source:
        - +/unit/web-example

hashtag
Default Instance Firewall

Below is the default firewall that is created on installation. To apply this to an instance include the instance role when creating the instance. This includes the following rules.

hashtag
Default Node Firewall

Below is the default firewall that is created on installation. This includes the following rules.

PreviousPodsNextAuthorities

Last updated