VPC Firewall Rules Overview
VPC Firewall Rules allow developers to granularly control access to VPC networks, subnets, and individual VMs.
Concepts
VPC Firewall Rules rely on a five-tuple to filter L3 traffic and determine if it is allowed to pass:
- Action: what action to take for categories of traffic, `allow` or `deny`
- Direction: what direction traffic is heading, relative to the VM; `ingress` is "outside world to the VM" and `egress` is "VM to the outside world"
- Protocols: what protocols are filtered, `tcp`, `udp`, or `icmp`
- Source: the IP(s) and port(s) that traffic is "coming from" (the "outside world" in an `ingress` rule; the VM in an `egress` rule)
- Destination: the IP(s) and port(s) that traffic is "heading to" (the VM in an `ingress` rule or the "outside world" in an `egress` rule). Currently for ingress rules, you must specify the private IP address of a destination VM (as opposed to the public IP).
By default, all traffic is denied unless a rule explicitly allows it.
Default Firewall Rules
Crusoe provides the following default firewall rules in the default VPC network.
Ingress:
- `default-allow-ssh`: allow SSH access from the public internet to all instances
- `default-allow-icmp-internal`: allow ICMP traffic from all VMs on the same network; note this does not allow public ICMP traffic
- `default-allow-internal-network`: allow all TCP and UDP traffic from all VMs on the same network
Egress:
- `default-allow-icmp-egress`: allow all ICMP traffic from all VMs on the network to egress to the public internet
- `default-allow-tcp-udp-egress`: allow all TCP and UDP traffic from all VMs on the network to egress to the public internet
If you do not want to allow this traffic, you can delete one or all of these rules.
Firewall Rules in non-default VPCs
Non-default (custom) VPC networks are not created with any default firewall rules. Firewall rules implicitly deny traffic unless a rule explicitly allows it to pass, so all communication to and from a non-default VPC network will be denied until firewall rules are added to allow the desired traffic.
To allow ingress and egress communication for a non-default VPC, explicit firewall rules have to be configured for each direction. We recommend starting with the default firewall rules above and modifying them as desired.
Limitations
Mixing protocols
At the current time, you can only create `tcp` and/or `udp` rules, or `icmp` rules. You cannot create a mix of `tcp` or `udp` with `icmp`. Similarly, you cannot add `ports` to an `icmp` rule.
Allow only/implicit deny
At the current time, firewall rules only support `allow` rules. By default, all traffic is denied unless it is specifically allowed. We do not currently have plans to support `deny` rules.
Port restrictions
For security and anti-spam reasons, by default, Crusoe does not permit outbound SMTP traffic on TCP ports 25, 465, or 2525.
For sending outbound email from machines, we recommend using SMTP Submission on TCP port 587 or using an email service provider that provides an API over HTTPS.
Destination IPs for ingress rules
When allowing ingress traffic to VMs, the firewall rule's destination IP(s) must reference the private IP(s) of a VM.
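The three limitations above (no mixing of `icmp` with `tcp`/`udp`, no ports on `icmp`, allow-only rules) and the private-destination requirement for ingress rules are easy to check before a rule is submitted. The validator below is an added example written for this page, not Crusoe's own code or API; the function name `validate_rule`, its argument shape, and the assumption that a VM's private IP falls in an RFC 1918 range are all constructed for the example.

```python
from ipaddress import ip_network

# Assumption for this example: a VM's private address lies in an RFC 1918 range,
# so an ingress destination outside these ranges is treated as a public IP.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The only protocol combinations the page says can be expressed in one rule.
ALLOWED_PROTOCOL_SETS = [{"tcp"}, {"udp"}, {"tcp", "udp"}, {"icmp"}]

# Fixed message strings so callers (and tests) can match on them.
ERR_ACTION = "only allow rules are supported; traffic not matched by a rule is implicitly denied"
ERR_DIRECTION = "direction must be 'ingress' or 'egress'"
ERR_PROTOCOLS = "protocols must be tcp, udp, tcp+udp, or icmp alone (icmp cannot be mixed with tcp/udp)"
ERR_ICMP_PORTS = "icmp rules cannot carry ports"
ERR_INGRESS_DEST = "ingress destination must be the VM's private IP, not its public IP"


def validate_rule(action, direction, protocols, destination, ports=()):
    """Return a list of problems with a proposed rule; an empty list means the
    rule is acceptable under the limitations listed on this page (hypothetical
    helper, not a platform API)."""
    problems = []

    if action != "allow":
        problems.append(ERR_ACTION)

    if direction not in ("ingress", "egress"):
        problems.append(ERR_DIRECTION)

    proto = set(protocols)
    if proto not in ALLOWED_PROTOCOL_SETS:
        problems.append(ERR_PROTOCOLS)

    if "icmp" in proto and ports:
        problems.append(ERR_ICMP_PORTS)

    if direction == "ingress":
        # strict=False accepts a host address such as 10.0.0.5/32 or a subnet.
        dest = ip_network(destination, strict=False)
        if not any(dest.subnet_of(r) for r in RFC1918):
            problems.append(ERR_INGRESS_DEST)

    return problems


if __name__ == "__main__":
    # Constructed sample rules, not values from the page.
    samples = [
        ("allow", "ingress", ["tcp"], "10.0.0.5/32", [22]),            # fine
        ("allow", "ingress", ["tcp", "icmp"], "10.0.0.5/32", []),      # mixed protocols
        ("allow", "egress", ["icmp"], "0.0.0.0/0", [8]),               # ports on icmp
        ("deny", "ingress", ["udp"], "10.0.0.5/32", [53]),             # deny not supported
        ("allow", "ingress", ["tcp"], "203.0.113.7/32", [22]),         # public IP as destination
    ]
    for s in samples:
        print(s, "->", validate_rule(*s) or "OK")
```

Run the validator on every rule in a change set before applying it; because unmatched traffic is dropped anyway, a rejected rule does not open anything, but it does leave the service it was meant to expose unreachable, which is the usual "my firewall rule has no effect" symptom.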
Troubleshooting Firewall Rules
The following reminders may help if you are troubleshooting firewall rules:
- Source ports may not be the same as the destination ports (e.g. SSH may not come from port 22, but it will arrive at port 22)
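To make the five-tuple model from the Concepts section, the implicit deny, the default rule set, the platform-level SMTP port restriction and the source-port reminder above concrete, here is a small evaluator that decides whether a sample packet would pass. It is an added example written for this page, not Crusoe's firewall implementation or API. The `Rule` and `Packet` classes, the `10.0.0.0/24` network, the rule CIDRs and the assumption that the SMTP port block is checked before any user rule are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed rule model following the five-tuple described on this page.
# Only allow rules exist, so the action is implicit in the type.
@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                              # "ingress" or "egress"
    protocols: FrozenSet[str]                   # subset of {"tcp", "udp", "icmp"}
    source: str                                 # CIDR the traffic comes from
    destination: str                            # CIDR the traffic is heading to
    dest_ports: FrozenSet[int] = frozenset()    # empty = any destination port

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

# Assumption for this example: the outbound SMTP ports the page lists under
# "Port restrictions" are blocked before user rules are consulted and cannot
# be re-opened by an allow rule.
PLATFORM_BLOCKED_EGRESS_TCP_PORTS = frozenset({25, 465, 2525})


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every element of the five-tuple matches the packet."""
    if rule.direction != pkt.direction:
        return False
    if pkt.protocol not in rule.protocols:
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.source):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(rule.destination):
        return False
    # Only the destination port is compared. A client's source port is an
    # ephemeral value (SSH does not come *from* port 22, it arrives *at* 22).
    if rule.dest_ports and pkt.dst_port not in rule.dest_ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return ("allow", rule_name) for the first matching rule.
    The deny needs no rule of its own: it is what happens when nothing matches."""
    if (pkt.direction == "egress" and pkt.protocol == "tcp"
            and pkt.dst_port in PLATFORM_BLOCKED_EGRESS_TCP_PORTS):
        return ("deny", "platform-smtp-block")
    for rule in rules:
        if rule_matches(rule, pkt):
            return ("allow", rule.name)
    return ("deny", None)


# Constructed 10.0.0.0/24 network with rules shaped like the defaults listed
# on this page; the CIDRs are assumptions, not values from the page.
NET = "10.0.0.0/24"
ANY = "0.0.0.0/0"
DEFAULT_LIKE_RULES = [
    Rule("default-allow-ssh", "ingress", frozenset({"tcp"}), ANY, NET, frozenset({22})),
    Rule("default-allow-icmp-internal", "ingress", frozenset({"icmp"}), NET, NET),
    Rule("default-allow-internal-network", "ingress", frozenset({"tcp", "udp"}), NET, NET),
    Rule("default-allow-icmp-egress", "egress", frozenset({"icmp"}), NET, ANY),
    Rule("default-allow-tcp-udp-egress", "egress", frozenset({"tcp", "udp"}), NET, ANY),
]

if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 is documentation space).
    samples = [
        Packet("ingress", "tcp", "203.0.113.7", "10.0.0.5", 51234, 22),   # SSH from internet
        Packet("ingress", "tcp", "203.0.113.7", "10.0.0.5", 51234, 80),   # HTTP from internet
        Packet("ingress", "icmp", "203.0.113.7", "10.0.0.5"),             # public ping
        Packet("ingress", "icmp", "10.0.0.6", "10.0.0.5"),                # internal ping
        Packet("egress", "udp", "10.0.0.5", "203.0.113.53", 40000, 53),   # DNS out
        Packet("egress", "tcp", "10.0.0.5", "203.0.113.25", 40001, 25),   # SMTP out
    ]
    for p in samples:
        print(p, "->", evaluate(DEFAULT_LIKE_RULES, p))
```

The two denies worth noticing are the ones that need no rule at all: the HTTP request from the internet is dropped because no rule mentions port 80, and the public ping is dropped because `default-allow-icmp-internal` only has the network itself as its source. When a custom VPC starts with no rules, every packet takes that last `("deny", None)` path.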