Author: David FinsterLast Updated: Tue, May 11, 2021
The Vultr Firewall is a web-based firewall to protect your cloud servers. The Vultr Load Balancer is a fully-managed solution to distribute traffic across multiple back-end servers. In this guide, you'll learn how to use them together. You'll distribute web traffic with a Load Balancer while protecting the web servers with the Vultr Firewall. If you are new to Vultr Load Balancers, we recommend reading the Load Balancer Quickstart Guide first. You can also learn more in our Vultr Firewall Quickstart Guide.
In this guide, you'll configure the Vultr Firewall to accept traffic from a Vultr Load Balancer, as shown below.
When configured this way, the Vultr Firewall only accepts traffic from the Load Balancer, preventing direct connections to the web servers if users try to bypass the load balancer. Here's a step-by-step guide to creating a secure, load-balanced web cluster behind the Vultr Firewall.
Deploy three web servers in a single location.
Navigate to the Load Balancers section of the Vultr Customer Portal.
In Load Balancer Configuration, enter a label and leave the other options at default.
Leave the default Forwarding Rule for HTTP at port 80.
Do not add any Firewall Rules. The firewall rules in this section are for the Load Balancer Firewall, which is different than the Vultr Firewall. See our article How to Use the Vultr Load Balancer Firewall to learn more.
Choose HTTP and Port 80 for Health Checks.
Click Add Load Balancer.
Wait for the Load Balancer to deploy.
Note the URL of this page. The Load Balancer ID is at the end of the query string.
For example, if your URL is:
Then, your Load Balancer ID is
11111111-0000-ffff-2222-333444555666. Note this value. You'll need it when configuring the Vutr Firewall.
Add your instances: Click Add Instance.
Add an inbound IPv4 Rule that accepts HTTP from the Load Balancer source, indicated by
1 in the screenshot below. Enter the Load Balancer ID you noted earlier, indicated by
Click Linked Instances on the left menu.
Link each of the three instances to the firewall group.
By linking the Firewall HTTP rule to the Load Balancer source, you've prevented direct access to the web servers. All HTTP traffic to the web servers must travel through the Load Balancer.
You may want to add more rules to the Vultr Firewall to allow HTTPS for a production environment. You may also want to allow SSH with your IP address as the source.
In this article, you've explored the Vultr Firewall. Load Balancers also have their own internal firewall rules, and you can combine these for an advanced configuration as shown below.
In this example, the Load Balancer Firewall accepts traffic from Cloudflare IPs, while the Vultr Firewall accepts traffic from the Load Balancer. All other traffic to the web servers is denied.
You can learn more about the Load Balancer Firewall in our article, How to Use the Vultr Load Balancer Firewall.