Vultr offers a cloud-based firewall solution that you can deploy to protect one or more cloud servers. Having cloud firewalls in place for your servers is an important security measure that prevents unnecessary exposure of application services to the internet. Vultr Firewall has features comparable to server operating system firewalls, with several key differences.
Vultr Firewall packet filtering happens before the traffic reaches the protected server, reducing your server's resource usage. Also, you manage the firewall through the customer portal instead of the operating system. Finally, updating the firewall policy for multiple servers is quick and convenient because you can attach multiple servers to a single Vultr Firewall group.
The diagram below illustrates the interaction between the Vultr Firewall and the OS firewall, which can be used together. The three servers shown are linked to a single Vultr Firewall, and each has its own OS firewall. As an internet user attempts to connect to these servers at three different ports, the results are:
HTTP traffic in connection attempt 1 succeeds. Both the Vultr Firewall and the OS firewall are configured to pass HTTP.
SSH traffic in connection attempt 2 fails. The traffic passes successfully through the Vultr Firewall, but is blocked by the OS firewall.
MySQL traffic in connection attempt 3 fails. The OS firewall is configured to pass MySQL traffic, but the traffic is blocked by the Vultr Firewall, which only allows HTTP and SSH.
Click Firewall on your Vultr control panel.
Click the pencil icon to edit the firewall group.
Selecting the Cloudflare source will allow traffic from this list of Cloudflare IP addresses.
Click Linked Instances to view the linked servers.
Click the Unlink Instance icon to remove the server from the firewall group.
A Vultr cloud server can belong to one firewall group at a time.
View a server's Vultr firewall assignment.
Select the server from your Vultr control panel.
Click Firewall on the left menu.
Click the Firewall dropdown to modify the server firewall group assignment.
The Vultr API offers several endpoints to manage the Vultr Firewall.
Get information for a firewall group.
Get the rules for a firewall group.
Get a list of all firewall groups.
Create a new firewall group.
Update information for a firewall group.
Delete a firewall group.
No. Established connections are left intact. When you change a rule in a firewall group, changes will only be applied to new connections.
Vultr Firewall is comparable to most firewall programs bundled in with server operating systems. However, Vultr Firewall has several key differences.
Packet filtering takes place at a higher level on the network, reducing resource usage of your server.
The firewall is managed through the Vultr control panel.
Updating the firewall policy for multiple servers is quick and convenient because Vultr Firewall groups can be applied to multiple servers.
Vultr Firewall can be used on both new and existing servers.
First, you'll need to log in to the members area and create a firewall group. After creating the group, you may add any desired rules to it.
To apply a firewall group to a new server, choose the firewall group you've created on the deploy form.
To apply a firewall group to an existing server, click on the server in the members area. Then access the sub menu "Settings", "Firewall". You will see a list of your firewall groups on the tab shown. Choose the desired firewall group, then click "Update Firewall Group".
No. Vultr Firewall is not available for Bare Metal servers.
Yes, you can use the same firewall group on any number of servers.
Changes to a Vultr Firewall group will take place in 2 minutes or less.
Vultr Firewall groups require at least one rule to become active. An empty ruleset will not block all traffic when applied to a server.
After an inbound rule has been added to the ruleset, all other packets are dropped by default. To allow inbound traffic to additional ports, you must create additional firewall rules.
The Vultr Firewall is stateful: if you initiate a connection from your instance, response traffic is accepted without requiring an explicit inbound rule. You do not have to set up separate rules for ephemeral ports.
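The following Python model is an added example, not Vultr's code. It replays the three connection attempts described earlier (HTTP, SSH, MySQL) through both layers for new inbound connections and applies the group semantics above: a group with no rules is inactive, and a group with at least one rule drops everything that does not match. The rule field names, the sample rules, the source address and the default-deny OS policy are assumptions made for this example.

```python
import ipaddress

# Constructed sample rules; the field names are this example's own, not the Vultr API's.
VULTR_GROUP = [
    {"protocol": "tcp", "port": 80, "source": "0.0.0.0/0"},    # HTTP
    {"protocol": "tcp", "port": 22, "source": "0.0.0.0/0"},    # SSH
]
OS_FIREWALL = [
    {"protocol": "tcp", "port": 80, "source": "0.0.0.0/0"},    # HTTP
    {"protocol": "tcp", "port": 3306, "source": "0.0.0.0/0"},  # MySQL
]

def matches(rule, protocol, port, src_ip):
    """True if protocol, destination port and source address all fall inside the rule."""
    return (rule["protocol"] == protocol
            and rule["port"] == port
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["source"]))

def vultr_allows(group_rules, protocol, port, src_ip):
    """Group semantics from the page: no rules means the group is inactive and
    filters nothing; one or more rules means default drop unless a rule matches."""
    if not group_rules:
        return True
    return any(matches(r, protocol, port, src_ip) for r in group_rules)

def os_allows(os_rules, protocol, port, src_ip):
    """Assumed OS firewall policy for this example: default deny, allow-list only."""
    return any(matches(r, protocol, port, src_ip) for r in os_rules)

def inbound_verdict(group_rules, os_rules, protocol, port, src_ip):
    """Name the layer that decides the fate of a new inbound connection."""
    if not vultr_allows(group_rules, protocol, port, src_ip):
        return "dropped by Vultr Firewall"
    if not os_allows(os_rules, protocol, port, src_ip):
        return "blocked by OS firewall"
    return "accepted"

def audit_group(group_rules):
    """Flag an attached group that has no rules and therefore filters nothing."""
    if not group_rules:
        return ["group has no rules: inactive, inbound traffic is not filtered"]
    return []

if __name__ == "__main__":
    for port in (80, 22, 3306):  # connection attempts 1, 2 and 3
        print(port, inbound_verdict(VULTR_GROUP, OS_FIREWALL, "tcp", port, "203.0.113.10"))
```

Running `audit_group` over every group that is attached to a server catches the empty-ruleset case before anyone relies on that group for protection.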
Yes, you can use Vultr Firewall to filter both IPv4 and IPv6 traffic.
The Vultr Firewall is designed to enhance the security of your instance. It's not designed to block the large volumes of traffic that can happen during a DDoS attack.
A firewall can help in certain smaller attacks, but your server may still be null routed if you are hit with a large attack. We would suggest purchasing DDoS protection if attacks are a problem for you.
Vultr Firewall will drop all traffic on ICMP, TCP, UDP, and GRE protocols, except for traffic that matches rules that have been added to it. If this is acceptable, then Vultr Firewall is enough. OS firewalls allow finer rule customization, such as ICMP message handling. If your use case requires this type of customization, you would still need to use the OS firewall in addition to Vultr Firewall.
No. Only traffic from public interfaces gets filtered through Vultr Firewall. No filtering happens on VPC networks.
Yes. Vultr Firewall will filter all traffic related to your instance, including IP space announced using the BGP feature.