
VPC Firewall Rules Overview

VPC Firewall Rules allow developers to granularly control access to VPC networks, subnets, and individual VMs.

Concepts

A VPC Firewall Rule is defined by five attributes. Four of them decide whether a packet matches the rule (IP addresses at L3; protocol and ports at L4), and the fifth decides what happens to matching traffic:

  • Action: what to do with traffic that matches the rule. Today only allow is supported; anything that no rule allows is denied (see Limitations below)
  • Direction: which way the traffic flows, relative to the VM. Ingress is "outside world to the VM"; egress is "VM to the outside world"
  • Protocols: which protocols the rule covers: tcp, udp, or icmp
  • Source: the IP(s) and port(s) the traffic is "coming from" (the "outside world" in an ingress rule; the VM in an egress rule)
  • Destination: the IP(s) and port(s) the traffic is "heading to" (the VM in an ingress rule; the "outside world" in an egress rule). Currently, for ingress rules you must specify the private IP address of the destination VM, not its public IP.

By default, all traffic is denied unless a rule explicitly allows it.
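The following Python model shows how these attributes combine under an allow-only, implicit-deny policy. It is an added illustration written for this page, not Crusoe's implementation or API: the field names, the assumption that the VPC's private range is 10.0.0.0/8, and the sample packets are all constructed for the example. The rule list mirrors the default rules described in the next section so you can see why, for instance, a ping from the public internet is dropped while SSH from a client's ephemeral source port is accepted.

```python
"""Model of how an allow-only firewall with implicit deny evaluates traffic.

Added illustration, not Crusoe's own implementation: field names, the
10.0.0.0/8 VPC range and the sample packets are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import ipaddress

ANY_PORT = (0, 65535)


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Turn "22", "8000-8080,443" or "*" into a list of (low, high) ranges."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if part in ("", "*"):
            ranges.append(ANY_PORT)
        elif "-" in part:
            lo, hi = part.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "ingress" (world -> VM) or "egress" (VM -> world)
    protocols: FrozenSet[str]   # subset of {"tcp", "udp", "icmp"}
    source: str                 # CIDR the traffic comes from
    source_ports: str           # "22", "1024-65535" or "*"
    destination: str            # CIDR the traffic goes to (VM private IP for ingress)
    destination_ports: str
    action: str = "allow"       # only allow rules exist; deny is implicit


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    src_port: Optional[int]     # None for icmp, which carries no ports
    dst_ip: str
    dst_port: Optional[int]


def _port_matches(port: Optional[int], spec: str) -> bool:
    if port is None:            # icmp only matches a rule that leaves ports unrestricted
        return all(r == ANY_PORT for r in parse_ports(spec))
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies only when direction, protocol, both addresses and both ports match."""
    return (
        rule.direction == pkt.direction
        and pkt.protocol in rule.protocols
        and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source)
        and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.destination)
        and _port_matches(pkt.src_port, rule.source_ports)
        and _port_matches(pkt.dst_port, rule.destination_ports)
    )


def is_allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Implicit deny: traffic passes only if at least one allow rule matches it."""
    return any(matches(r, pkt) for r in rules if r.action == "allow")


VM_SUBNET = "10.0.0.0/8"        # assumed private range of the VPC (constructed)

# Constructed equivalents of the default rules of the default network.
DEFAULT_RULES = [
    Rule("default-allow-ssh", "ingress", frozenset({"tcp"}),
         "0.0.0.0/0", "*", VM_SUBNET, "22"),
    Rule("default-allow-icmp-internal", "ingress", frozenset({"icmp"}),
         VM_SUBNET, "*", VM_SUBNET, "*"),
    Rule("default-allow-internal-network", "ingress", frozenset({"tcp", "udp"}),
         VM_SUBNET, "*", VM_SUBNET, "*"),
    Rule("default-allow-icmp-egress", "egress", frozenset({"icmp"}),
         VM_SUBNET, "*", "0.0.0.0/0", "*"),
    Rule("default-allow-tcp-udp-egress", "egress", frozenset({"tcp", "udp"}),
         VM_SUBNET, "*", "0.0.0.0/0", "*"),
]

if __name__ == "__main__":
    vm = "10.0.1.5"
    checks = {
        "ssh from internet (ephemeral source port)": Packet("ingress", "tcp", "203.0.113.7", 51234, vm, 22),
        "http from internet (no rule)": Packet("ingress", "tcp", "203.0.113.7", 51234, vm, 80),
        "ping from internet (icmp rule is internal only)": Packet("ingress", "icmp", "203.0.113.7", None, vm, None),
        "ping from another VM": Packet("ingress", "icmp", "10.0.2.9", None, vm, None),
        "https to internet": Packet("egress", "tcp", vm, 40000, "198.51.100.4", 443),
    }
    for label, pkt in checks.items():
        print(f"{label}: {'allow' if is_allowed(DEFAULT_RULES, pkt) else 'deny'}")
```

Note that the SSH packet is accepted because default-allow-ssh leaves the source port unrestricted; a rule that pinned source_ports to "22" would silently drop every real SSH connection, since clients connect from an ephemeral port.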

Default Firewall Rules

Crusoe provides the following default firewall rules in the default VPC network.

Ingress:

  • default-allow-ssh: allow SSH access from the public internet to all instances
  • default-allow-icmp-internal: allow ICMP traffic from all VMs on the same network; note this does not allow public ICMP traffic
  • default-allow-internal-network: allow all TCP and UDP traffic from all VMs on the same network

Egress:

  • default-allow-icmp-egress: allow all ICMP traffic from all VMs on the network to egress to the public internet
  • default-allow-tcp-udp-egress: allow all TCP and UDP traffic from all VMs on the network to egress to the public internet

If you do not want to allow this traffic, you can delete any or all of these rules. Because traffic that no rule allows is denied, deleting default-allow-ssh without adding a narrower replacement (for example, TCP port 22 from your own address range only) removes all SSH access from the internet.

Firewall Rules in non-default VPCs

Non-default (custom) VPC networks are not created with any default firewall rules. Since traffic is implicitly denied unless a rule explicitly allows it, all communication to and from a non-default VPC network is denied until firewall rules are added to allow the desired traffic.

To allow ingress and egress communication for a non-default VPC, you must configure explicit ingress and egress rules. We recommend starting from the default firewall rules above and narrowing them as desired.

Limitations

Mixing protocols

At the current time, a rule can cover tcp and/or udp, or icmp, but not both groups: you cannot mix tcp or udp with icmp in a single rule. Similarly, you cannot add ports to an icmp rule, since ICMP has no port numbers.

Allow only/implicit deny

At the current time, firewall rules only support allow rules. By default, all traffic is denied unless it is specifically allowed. We do not currently have plans to support deny rules.

Port restrictions

For security and anti-spam reasons, by default, Crusoe does not permit outbound SMTP traffic on TCP ports 25, 465, or 2525.

For sending outbound email from machines, we recommend using SMTP Submission on TCP port 587 or using an email service provider that provides an API over HTTPS.

Destination IPs for ingress rules

When allowing ingress traffic to VMs, the firewall rule's destination IP(s) must reference the private IP(s) of a VM.
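The limitations above are easy to trip over when rules are generated from templates or infrastructure-as-code. The Python check below is an added illustration written for this page, not Crusoe's tooling or API: it validates rule definitions expressed as plain dictionaries before they are submitted. The field names, the sample rules, and the use of the RFC 1918 ranges as a stand-in for the VPC's private address space are all assumptions of the example; port specs are "*" or comma-separated single ports. It rejects tcp/udp mixed with icmp, ports on icmp rules, deny actions, and ingress destinations that are not private addresses, and it warns when an egress rule explicitly opens one of the blocked SMTP ports.

```python
"""Pre-flight checks for firewall rule definitions against the stated limitations.

Added illustration, not Crusoe's own tooling: the dict field names, the use of
RFC 1918 ranges as a stand-in for the VPC's private address space, and the
sample rules are constructed for this example. Port specs are "*" or
comma-separated single ports (no ranges).
"""
import ipaddress
from typing import Dict, List, Optional, Set

BLOCKED_SMTP_PORTS = {25, 465, 2525}        # outbound SMTP ports Crusoe does not permit
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ports(spec: Optional[str]) -> Optional[Set[int]]:
    """Missing or "*" means unrestricted (None); otherwise the explicit port set."""
    if spec in (None, "", "*"):
        return None
    return {int(p) for p in spec.split(",")}


def validate_rule(rule: Dict) -> List[str]:
    """Return the problems found; an empty list means the rule can be created as-is."""
    problems = []
    protos = set(rule.get("protocols", []))

    # Allow only / implicit deny: there is no deny rule to write.
    if rule.get("action", "allow") != "allow":
        problems.append("only allow rules are supported; omit the rule and rely on implicit deny")

    # Mixing protocols: icmp cannot share a rule with tcp/udp and takes no ports.
    if "icmp" in protos and protos & {"tcp", "udp"}:
        problems.append("icmp cannot be mixed with tcp/udp in one rule; split it into two rules")
    if "icmp" in protos and (_ports(rule.get("source_ports")) or _ports(rule.get("destination_ports"))):
        problems.append("ports cannot be set on an icmp rule")

    # Destination IPs for ingress rules must be the VM's private IP, not its public IP.
    if rule.get("direction") == "ingress":
        dst = ipaddress.ip_network(rule["destination"], strict=False)
        if not any(dst.subnet_of(net) for net in PRIVATE_RANGES):
            problems.append(f"ingress destination {dst} is not a private VM address")

    # Port restrictions: an egress rule that names 25/465/2525 will not get mail out.
    if rule.get("direction") == "egress" and "tcp" in protos:
        dports = _ports(rule.get("destination_ports")) or set()
        blocked = sorted(dports & BLOCKED_SMTP_PORTS)
        if blocked:
            problems.append(f"outbound SMTP on {blocked} is blocked; use submission on 587 or an HTTPS mail API")

    return problems


def validate_all(rules: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each rule name to its problems, keeping only rules that have any."""
    report = {}
    for name, rule in rules.items():
        probs = validate_rule(rule)
        if probs:
            report[name] = probs
    return report


# Constructed sample rules: one valid, the rest each violating one limitation.
SAMPLE_RULES = {
    "ssh-to-vm": {"direction": "ingress", "protocols": ["tcp"], "source": "0.0.0.0/0",
                  "destination": "10.0.1.5/32", "destination_ports": "22"},
    "tcp-and-icmp": {"direction": "ingress", "protocols": ["tcp", "icmp"], "source": "10.0.0.0/8",
                     "destination": "10.0.1.5/32", "destination_ports": "*"},
    "icmp-with-ports": {"direction": "ingress", "protocols": ["icmp"], "source": "10.0.0.0/8",
                        "destination": "10.0.1.5/32", "destination_ports": "22"},
    "public-destination": {"direction": "ingress", "protocols": ["tcp"], "source": "0.0.0.0/0",
                           "destination": "203.0.113.10/32", "destination_ports": "443"},
    "smtp-egress": {"direction": "egress", "protocols": ["tcp"], "source": "10.0.0.0/8",
                    "destination": "0.0.0.0/0", "destination_ports": "25,587"},
    "deny-telnet": {"action": "deny", "direction": "ingress", "protocols": ["tcp"],
                    "source": "0.0.0.0/0", "destination": "10.0.1.5/32", "destination_ports": "23"},
}

if __name__ == "__main__":
    for name, probs in validate_all(SAMPLE_RULES).items():
        for p in probs:
            print(f"{name}: {p}")
```

The SMTP check only fires when a rule names a blocked port explicitly; a wide-open egress rule such as default-allow-tcp-udp-egress is valid, the platform simply drops the SMTP traffic it would otherwise permit.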

Troubleshooting Firewall Rules

The following reminders may help if you are troubleshooting firewall rules:

  • Source ports are usually not the same as the destination ports. A client picks an ephemeral source port for each connection, so SSH traffic does not come from port 22, but it does arrive at port 22. Match on the destination port and leave the source port unrestricted in ingress rules; a rule that pins the source port to 22 will drop every real SSH connection.