Vultr Firewall

Updated on December 8, 2022
Vultr Firewall header image

Vultr offers a cloud-based firewall solution that you can deploy to protect one or more cloud servers. Having cloud firewalls in place for your servers is an important security measure that prevents unnecessary exposure of application services to the internet. Vultr Firewall has features comparable to server operating system firewalls, with several key differences.

Vultr Firewall packet filtering happens before the traffic reaches the protected server, reducing your server's resource usage. Also, you manage the firewall through the customer portal instead of the operating system. Finally, updating the firewall policy for multiple servers is quick and convenient because you can attach multiple servers to a single Vultr Firewall group.

Example

The diagram below illustrates the interaction between the Vultr firewall and the OS firewall, which can be used together. The three servers shown are linked to a single Vultr firewall, and each have their own respective OS firewalls. As an internet user attempts to connect to these servers at three different ports, the results are:

  • HTTP traffic in connection attempt 1 succeeds. Both the Vultr Firewall and the OS firewall are configured to pass HTTP.
  • SSH traffic in connection attempt 2 fails. The traffic passes successfully through the Vultr firewall, but is blocked by the OS firewall.
  • MySQL traffic in connection attempt 3 fails. The OS firewall is configured to pass MySQL traffic, but the traffic is blocked by the Vultr firewall which only allows HTTP and SSH.

Firewall connection example

How to Manage Firewall Rules

  • Click Firewall on your Vultr control panel.
  • Click the pencil icon to edit the firewall group.

Vultr dashboard example 1

Cloudflare

Selecting the Cloudflare source will allow traffic from this list of Cloudflare IP addresses.

Screenshot of Firewall Rules highlighting Cloudflare

  • Click Linked Instances to view the linked servers.
  • Click the Unlink Instance icon to remove the server from the firewall group.

Vultr dashboard example 2

A Vultr cloud server can belong to one firewall group at a time.

Server Firewall Assignment

View a server's Vultr firewall assignment.

  • Select the server from your Vultr control panel.
  • Click Firewall on the left menu.
  • Click the Firewall dropdown to modify the server firewall group assignment.

Vultr dashboard example 3

API Access

The Vultr API offers several endpoints to manage the Vultr Firewall.

Firewall groups

Firewall rules

  • Get a firewall rule.
  • Create a rule for a firewall group.
  • Delete a firewall rule.

Frequently Asked Questions

Will changes to my Vultr Firewall interrupt existing traffic?

No. Established connections are left intact. When you change a rule in a firewall group, changes will only be applied to new connections.

How does Vultr Firewall differ from my operating systems' firewall?

Vultr Firewall is comparable to most firewall programs bundled in with server operating systems. However, Vultr Firewall has several key differences.

  • Packet filtering takes place at a higher level on the network, reducing resource usage of your server.
  • The firewall is managed through the Vultr control panel.
  • Updating the firewall policy for multiple servers is quick and convenient because Vultr Firewall groups can be applied to multiple servers.

How do I use Vultr Firewall on my server?

Vultr Firewall can be used on both new and existing servers.

First, you'll need to log into the members area and create a firewall group. After creating the group, you may add any desired rules to it.

To apply a firewall group to a new server, choose the firewall group you've created on the deploy form.

To apply a firewall group to an existing server, click on the server in the members area. Then access the sub menu "Settings", "Firewall". You will see a list of your firewall groups on the tab shown. Choose the desired firewall group, then click "Update Firewall Group".

Does the Vultr Firewall support Bare Metal servers?

No. Vultr Firewall is not available for Bare Metal servers.

Can I apply the same firewall group to more than one server?

Yes, you can use the same firewall group on any number of servers.

How quickly do firewall changes take effect?

Changes to a Vultr Firewall group will take place in 2 minutes or less.

What is the default policy of Vultr Firewall?

Vultr Firewall groups require at least one rule to become active. An empty ruleset will not block all traffic when applied to a server.

After an inbound rule has been added to the ruleset, all other packets are dropped by default. To allow inbound traffic to additional ports, you must create additional firewall rules.

Is the Vultr Firewall stateful or stateless?

The Vultr Firewall is stateful - if you initiate a connection from your instance, response traffic is accepted without requiring an explicit inbound rule. You do not have to setup separate rules for ephemeral ports.

Is IPv6 supported?

Yes, you can use Vultr Firewall to filter both IPv4 and IPv6 traffic.

Is the Vultr Firewall a replacement for DDOS protection?

The Vultr Firewall is designed to enhance the security of your instance. It's not designed to block the large volumes of traffic that can happen during a DDOS attack.

Will Vultr Firewall protect me from a DDOS attack?

A firewall can help in certain smaller attacks, but your server may still be null routed if you are hit with a large attack. We would suggest purchasing DDOS protection if attacks are a problem for you.

Can the firewall on my instance be disabled? Is Vultr Firewall enough?

Vultr Firewall will drop all traffic on ICMP, TCP, UDP, and GRE protocols, except for traffic that matches rules that have been added to it. If this is acceptable, then Vultr Firewall is enough. OS firewalls allow finer rule customization, such as ICMP message handling. If your use case requires this type of customization, you would still need to use the OS firewall in addition to Vultr Firewall.

Does Vultr Firewall affect private (VPC) networking?

No. Only traffic from public interfaces gets filtered through Vultr Firewall. No filtering happens on VPC networks.

Does Vultr Firewall affect BGP networking?

Yes. Vultr firewall will filter all traffic related to your instance, including IP space announced using the BGP feature.