The firewall feature of BizCloud platform is at the network perimeter level, protecting your server’s primary network.
There is a built-in Default Firewall Rule Group with the following rules:
a) Inbound: allow SSH (TCP port 22) traffic from all
b) Inbound: allow RDP (TCP port 3389) traffic from all
c) Inbound: deny all traffic
d) Outbound: allow all ICMP traffic to all
e) Outbound: allow all UDP traffic to all
f) Outbound: allow all TCP traffic to all
g) Outbound: deny all traffic
When a cloud server is provisioned, it is automatically placed inside this built-in Default Firewall Rule Group. To allow other traffic to reach your server, add the server to your own firewall rule group with its own firewall rules.
Each firewall rule consists of:
- Destination port to be allowed. This is the service traffic to be allowed, given as a TCP or UDP port or port range.
- Source IP address or range, i.e. the party initiating the connection.
You cannot control the Destination IP address or the Source port(s) of a firewall rule. As such, to simplify management, you would typically place servers with the same firewall protection requirement into the same firewall rule group. A server can be placed into only one firewall rule group.
Each firewall rule group has a built-in deny all traffic rule for both Inbound and Outbound traffic. You add firewall rules to a group to allow specific traffic to flow through and reach your server as desired.
For example, if you have two web servers and two database servers, you may create two firewall rule groups, one catering for the web servers and another for the database servers.
Manage firewall
To manage firewall rule group and firewall rules, click on Services. On the left-hand side menu option, click on “MANAGE FIREWALL”.
You would see the following
Creating a new firewall rule group
Click on “Create firewall rule group” to create a new one. Give it an appropriate group name.
Add rules into a firewall rule group
Click on the newly created firewall rule group on the listing to go in and edit its rules.
A new firewall rule group has the following rules created for you, besides two built-in deny all traffic rules:
Inbound: no rule, i.e. all traffic will be blocked
Outbound: allow ICMP
Outbound: allow all UDP ports
Outbound: allow all TCP ports
To add a new inbound rule, click on “New Rule” and select from the predefined choices or Custom for specifying your own port or port range.
When selecting Custom, you set the desired protocol (TCP or UDP) and port number or port range.
Fill in the allowed Source IP address or range as needed and then save the rule.
Valid choices and format of the Source IP address specification are:
- To specify all, use “any” or “all”
- One specific IP, enter the IP address like 192.168.0.1
- Multiple IPs, enter the IP addresses separated by commas and without any spaces e.g. 10.0.0.1,192.168.0.1
- An IP range e.g. 10.0.0.1-10.0.0.99
Create multiple rules as needed.
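As an added illustration (not part of the BizCloud documentation or platform code), the following Python models the rule behaviour described above: inbound rules are allow rules, anything unmatched falls through to the built-in deny all rule, and the Source IP field accepts the four formats listed. The group contents, ports and IP addresses are constructed for the example; ICMP is not modelled since inbound rules are TCP or UDP only.

```python
import ipaddress

def parse_source(spec):
    """Return a predicate for the Source IP formats the page lists:
    'any'/'all', one IP, comma-separated IPs, or a range like a-b."""
    spec = spec.strip().lower()
    if spec in ("any", "all"):
        return lambda ip: True
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(p)) for p in spec.split("-"))
        return lambda ip: lo <= int(ipaddress.ip_address(ip)) <= hi
    allowed = {ipaddress.ip_address(p) for p in spec.split(",")}
    return lambda ip: ipaddress.ip_address(ip) in allowed

def parse_ports(ports):
    """Accept a single port or a 'lo-hi' range; 'all' means every port."""
    if ports == "all":
        return 1, 65535
    if "-" in str(ports):
        lo, hi = (int(p) for p in ports.split("-"))
        return lo, hi
    return int(ports), int(ports)

def inbound_allowed(rules, proto, dport, src_ip):
    """Each rule is (protocol, destination port(s), source spec). Rules only
    allow; an unmatched packet hits the group's built-in deny all rule."""
    for r_proto, r_ports, r_src in rules:
        lo, hi = parse_ports(r_ports)
        if r_proto == proto and lo <= dport <= hi and parse_source(r_src)(src_ip):
            return True
    return False

def exposed_admin_ports(rules, admin_ports=(22, 3389)):
    """Administration ports (SSH, RDP) reachable from any source: the
    situation a server is in while it sits in the Default group."""
    return [p for p in admin_ports
            if any(r_proto == "tcp" and r_src.strip().lower() in ("any", "all")
                   and parse_ports(r_ports)[0] <= p <= parse_ports(r_ports)[1]
                   for r_proto, r_ports, r_src in rules)]

# Inbound rules of the built-in Default Firewall Rule Group, as listed on the page
DEFAULT_GROUP = [("tcp", 22, "any"), ("tcp", 3389, "any")]

# Constructed web-server group: HTTPS from anywhere, SSH only from an office range
WEB_GROUP = [("tcp", 443, "any"), ("tcp", 22, "10.0.0.1-10.0.0.99")]

if __name__ == "__main__":
    print(inbound_allowed(DEFAULT_GROUP, "tcp", 22, "203.0.113.7"))  # True
    print(inbound_allowed(WEB_GROUP, "tcp", 22, "203.0.113.7"))      # False
    print(exposed_admin_ports(DEFAULT_GROUP))                         # [22, 3389]
```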
Add a server into a firewall rule group
To move a cloud server into a firewall rule group, select “Manage Instances” for that firewall rule group.
Select a server from the list and click “Add”.
After adding, you will see the server appear in the listing under the firewall rule group.
When a server is removed from a firewall rule group, it is automatically placed back into the Default Firewall Rule Group. You should immediately add the affected server back into your own firewall rule group if you do not wish administration access (SSH or RDP) to be exposed to the Internet.