Firewalls

Firewalls for instances or nodes

Firewalls control network access to instances and, optionally, nodes. Roles are used to apply firewalls to instances and nodes. For instances, the firewall must be in the same organization and have at least one matching role. For nodes, the firewall must be in the organization labeled Node Firewall (internally this is a null organization value) and have a matching role. Additionally, the Node Firewall option must be enabled in the node settings. Multiple firewalls can be applied to the same instance or node. To view the firewall rules being applied to an instance, hover over Firewall Rules in the instance information.

Pod Firewall Rules

Firewall rules can also be defined in pod unit specs. These rules are not shown in the firewalls tab, but they are shown in the Firewall Rules hover option in the instance information. Firewall rules in the spec can use IPv4/IPv6 subnets or unit resource references such as +/unit/web-example, as shown below. In the examples below, web traffic is open to all IP addresses and a database server allows database traffic from units named web-example. Unit references cannot be used when creating firewall rules in the firewalls section.

---
name: nginx-firewall
kind: firewall
ingress:
    - protocol: tcp
      port: 80
      source:
        - 0.0.0.0/0
    - protocol: tcp
      port: 443
      source:
        - 0.0.0.0/0

---
name: mongo-firewall
kind: firewall
ingress:
    - protocol: tcp
      port: 27017
      source:
        - +/unit/web-example
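
As an added example that is not part of this documentation or its software, the following Python models how the two pod specs above could be checked and evaluated: a source is either an IPv4/IPv6 subnet or a +/unit/ reference, unit references are rejected where the firewalls section would reject them, and the port-range form used by the default node firewall (20000-25000) is accepted. The dict representation of the specs and the evaluation semantics (any matching rule of any applied firewall permits ingress) are assumptions of the example.

```python
import ipaddress
UNIT_PREFIX = "+/unit/"  # unit resource reference prefix used in pod specs

# The two pod firewall specs above as dicts (constructed, not parsed from YAML).
NGINX_FIREWALL = {"name": "nginx-firewall", "kind": "firewall", "ingress": [
    {"protocol": "tcp", "port": 80, "source": ["0.0.0.0/0"]},
    {"protocol": "tcp", "port": 443, "source": ["0.0.0.0/0"]},
]}
MONGO_FIREWALL = {"name": "mongo-firewall", "kind": "firewall", "ingress": [
    {"protocol": "tcp", "port": 27017, "source": [UNIT_PREFIX + "web-example"]},
]}

def parse_port(port):
    """Accept a single port (80) or a range ('20000-25000'); return (low, high)."""
    low, _, high = str(port).partition("-")
    lo, hi = int(low), int(high or low)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"invalid port or range: {port!r}")
    return lo, hi

def validate_sources(spec, allow_unit_refs=True):
    """List source problems (empty list means valid); unit refs are only valid in pod specs."""
    problems = []
    for rule in spec["ingress"]:
        for src in rule["source"]:
            if src.startswith(UNIT_PREFIX):
                if not allow_unit_refs:
                    problems.append(f"unit reference {src} not allowed here")
            else:
                try:
                    ipaddress.ip_network(src)  # IPv4 or IPv6 subnet
                except ValueError:
                    problems.append(f"bad subnet {src!r}")
    return problems

def source_matches(src, peer_ip, peer_unit):
    """A unit reference matches by unit name; anything else is a subnet."""
    if src.startswith(UNIT_PREFIX):
        return peer_unit == src[len(UNIT_PREFIX):]
    # Address/network version mismatch (IPv6 peer vs 0.0.0.0/0) is simply no match.
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(src)

def allowed(firewalls, protocol, port, peer_ip, peer_unit=None):
    """True when any rule of any applied firewall matches (assumed evaluation semantics)."""
    for fw in firewalls:
        for rule in fw["ingress"]:
            lo, hi = parse_port(rule["port"])
            if rule["protocol"] == protocol and lo <= port <= hi and any(
                    source_matches(s, peer_ip, peer_unit) for s in rule["source"]):
                return True
    return False
```

Note that 0.0.0.0/0 covers only IPv4 peers in this model; an IPv6 source such as ::/0 would be a separate entry.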

Default Instance Firewall

Below is the default instance firewall that is created on installation. To apply it to an instance, include the instance role when creating the instance. It includes the following rules.

22/tcp - SSH
80/tcp - HTTP
443/tcp - HTTPS

Default Node Firewall

Below is the default node firewall that is created on installation. It includes the following rules.

22/tcp - SSH
80/tcp - HTTP
443/tcp - HTTPS
4789/udp - VXLAN cross-node
20000-25000/tcp - VNC cross-node
30000-32767/tcp - TCP NodePorts
30000-32767/udp - UDP NodePorts
