Firewall rules
Firewall rules control inbound traffic from the internet to a VM's public NIC — both its IPv4 (if assigned) and its IPv6. Default posture is deny: only the seeded SSH rule lets traffic in until you add more. Rules attach to a single VM and compose additively.
Model
- Scope — each rule targets one VM. Manage them under VM detail → Firewall.
- Inbound only — the firewall gates traffic into the VM. Outbound is unrestricted, and VM-to-VM traffic is governed by security groups, not here.
- Ports — one rule can list multiple ports or port ranges across TCP and UDP.
- Sources — CIDRs allowed to reach those ports. Accepts IPv4 (203.0.113.0/24) and IPv6 (2001:db8::/32). Empty = allow from anywhere.
- Additive — multiple rules on the same VM compose. There is no rule ordering; the union of allows wins.
The seeded SSH rule
When a VM is created with a public NIC, one default-allow rule is seeded so you can reach it. It shows with a default badge in the Firewall tab.
| Port | Protocol | Source |
|---|---|---|
| 22 | TCP | anywhere (v4 + v6) |
Need HTTP/HTTPS or anything else? Add it explicitly — only SSH is seeded. The SSH default can also be deleted once you've added a narrower replacement to lock port 22 down to your office or VPN.
Open a port
VM detail → Firewall → Add rule.
Pick the port (or range), pick the protocol (TCP / UDP), set the source CIDR (defaults to 0.0.0.0/0), give it a display name, save. The rule takes effect within a few seconds.
Port ranges
To open a contiguous range, set the Port field to the lower bound and the End port field to the upper bound. Useful for Kubernetes NodePort services (typically 30000-32767), RTMP/SIP, or anything that listens on a window of ports.
Lock SSH down to your IP
The default SSH rule is wide open. To replace it:
- Find the default rule on port 22 in the Firewall tab — it carries a default badge.
- Delete it.
- Click Add rule. Port 22, TCP, source YOUR.IP/32, display name "ssh from office", save.
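Because rules are additive and unordered (see Model), a narrower port 22 rule restricts nothing while the seeded rule still exists. The sketch below is an added example, not the product's code or API: the `Rule` class, the `opened_by` and `allowed` helpers, the rule names and the sample addresses are all constructed to model the behaviour this page describes.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Hypothetical model of one inbound rule (not the product's API)."""
    name: str
    ports: list[tuple[str, int, int]]                  # (protocol, port, end port)
    sources: list[str] = field(default_factory=list)   # empty = anywhere

    def matches(self, src: str, protocol: str, port: int) -> bool:
        if not any(p == protocol and lo <= port <= hi for p, lo, hi in self.ports):
            return False
        if not self.sources:                 # empty source list: v4 + v6 anywhere
            return True
        addr = ipaddress.ip_address(src)
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(addr in ipaddress.ip_network(c) for c in self.sources)

def opened_by(rules: list[Rule], src: str, protocol: str, port: int) -> list[str]:
    """Names of every rule that admits the packet; order is irrelevant."""
    return [r.name for r in rules if r.matches(src, protocol, port)]

def allowed(rules: list[Rule], src: str, protocol: str, port: int) -> bool:
    """Default deny: traffic passes only if at least one rule allows it."""
    return bool(opened_by(rules, src, protocol, port))

# Constructed sample rules and addresses (documentation ranges).
SEEDED_SSH = Rule("default ssh", [("tcp", 22, 22)])
OFFICE_SSH = Rule("ssh from office", [("tcp", 22, 22)], ["203.0.113.7/32"])
NODEPORTS = Rule("nodeports", [("tcp", 30000, 32767)],
                 ["203.0.113.0/24", "2001:db8::/32"])
OFFICE, STRANGER = "203.0.113.7", "198.51.100.20"

if __name__ == "__main__":
    # Narrow rule added, seeded rule still present: port 22 is still open to all.
    print(opened_by([SEEDED_SSH, OFFICE_SSH], STRANGER, "tcp", 22))
    # Seeded rule deleted: only the office address gets in.
    print(allowed([OFFICE_SSH], STRANGER, "tcp", 22),
          allowed([OFFICE_SSH], OFFICE, "tcp", 22))
    # Range rule: in-range TCP from an allowed IPv6 source passes, UDP does not.
    print(allowed([NODEPORTS], "2001:db8::1", "tcp", 31000),
          allowed([NODEPORTS], "2001:db8::1", "udp", 31000))
```

Running `opened_by` against an export of a VM's rules shows which rule is responsible for any exposure you did not expect.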
List and delete
The Firewall tab lists every rule on the VM with its ports, sources, and a delete button per row. Default rules show a stronger delete confirmation than custom rules.
Outbound & VM-to-VM
The firewall is inbound-only. Outbound traffic from the VM to the internet is unrestricted. To control traffic between your VMs on the private network — including restricting what a VM may reach — use security groups, which support both ingress and egress rules on the private NIC.
What's next
- Security groups — east-west (VM-to-VM) policy.
- Public IPv4 & Public IPv6 — how the public NIC is addressed.
- Create a VM — full create flow.