
You can now create firewalls and control exactly which traffic is allowed to reach and leave your Seeds. As soon as a firewall is attached to a Seed, only connections you have explicitly allowed via a rule are permitted - everything else is blocked.

The firewall allows TCP 443 and TCP 22 and blocks UDP 53 and ICMP.

What is a firewall?

A firewall is a protective layer in front of your server. It inspects every connection that tries to reach your Seed or that originates from it, and only lets through what you have previously allowed.

Important to understand: Without a firewall, a Seed is reachable on all ports and can communicate freely with the internet. As soon as you attach a firewall to a Seed, only the traffic you allow via rules is permitted. Inside a connected firewall the rule of thumb is therefore: whatever is not explicitly allowed is blocked. This way, a database can stay unreachable from outside while your website remains publicly available.

Inbound and outbound rules

Each firewall consists of two rule sets. Inbound rules define who is allowed to reach your Seed, for example visitors of your website or your own SSH access. Outbound rules define where your Seed itself is allowed to establish connections. Firewalls are stateful: when an inbound connection is allowed, its response traffic may leave regardless of outbound rules.

A rule is defined by a few inputs:

  • Protocol - TCP, UDP or ICMP
  • Port - a single port like 443 or a range like 8000:8100
  • Sources or destinations - individual IP addresses or whole ranges in CIDR notation (such as 10.0.0.0/8), the All IPv4 or All IPv6 selection, or a reference to another Seed

For quick setup, predefined templates are available, for example for SSH, Ping or all outgoing traffic.
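To make the rule semantics above concrete (deny by default, separate inbound and outbound sets, single ports or ranges such as 8000:8100, CIDR peers, and stateful return traffic), here is an added Python model. It is not the product's own code or API; the Rule and Firewall classes and their field names are invented for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    """One firewall rule: protocol, port (or "lo:hi" range), CIDR peer."""
    protocol: str             # "tcp", "udp" or "icmp"
    port: str = ""            # "443" or "8000:8100"; unused for icmp
    peer: str = "0.0.0.0/0"   # source (inbound) or destination (outbound);
                              # "0.0.0.0/0" stands for the "All IPv4" choice

    def matches(self, proto, port, addr):
        if proto != self.protocol:
            return False
        # an address of the other IP family is never contained, so an
        # "All IPv6" rule (::/0) does not admit IPv4 peers, and vice versa
        if addr not in ipaddress.ip_network(self.peer, strict=False):
            return False
        if proto == "icmp":
            return True
        lo, _, hi = self.port.partition(":")
        return int(lo) <= port <= int(hi or lo)

@dataclass
class Firewall:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # accepted inbound connections, keyed (proto, local port, peer address),
    # so that their replies can leave regardless of the outbound rules
    _conntrack: set = field(default_factory=set)

    def allow_inbound(self, proto, local_port, src):
        """Deny by default: only a matching inbound rule lets traffic in."""
        src = ipaddress.ip_address(src)
        if any(r.matches(proto, local_port, src) for r in self.inbound):
            self._conntrack.add((proto, local_port, src))
            return True
        return False

    def allow_outbound(self, proto, dst_port, dst, src_port=None):
        """Reply traffic of an accepted inbound connection passes;
        anything else needs a matching outbound rule."""
        dst = ipaddress.ip_address(dst)
        if (proto, src_port, dst) in self._conntrack:
            return True
        return any(r.matches(proto, dst_port, dst) for r in self.outbound)
```

With only TCP 443 and TCP 22 allowed inbound, the model reproduces the illustrated behaviour: UDP 53 and ICMP are dropped because no rule admits them, not because a block rule exists.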

Attach to Seeds and Tags

A firewall only takes effect once you attach it to a resource. You can attach it directly to individual Seeds or via a Tag to all Seeds that carry that Tag. The latter is especially handy: as soon as a new Seed receives the production Tag, it automatically inherits the associated rules - no manual attachment required.

The current state is always visible in the firewall status: Active, Applying or Error.

Control via the Public API

Firewalls can be managed end-to-end through our Public API, from defining rules to attaching them to Seeds and Tags. This lets you integrate your network security seamlessly into automations and your own tooling.

Good to know

  • You can find firewalls in the console under Network → Firewalls.
  • Rules and attached resources can be adjusted at any time after creation.
  • Each team can create up to 10 firewalls by default.

We look forward to your feedback and are available for any questions as usual.
