
Firewall rules

Overview

Firewall rules are configured per virtual network. You add, edit, delete, and reorder rules on each virtual network's detail page. Rules are evaluated top to bottom, and the first matching rule applies. Changes take effect within at most one minute.

Default behavior is "allow all"

With no rules configured, all traffic passes. To restrict external access, add explicit allow rules and finish with a catch-all deny (ALL 0.0.0.0/0 → 0.0.0.0/0 DROP).

Prerequisites
  • A virtual network must already exist (Virtual network)
  • Resource.VirtualNetwork.UPDATE permission (firewall rules are updated as the virtual network's firewall_rules field)

Rule components

Component | Description | Example
--- | --- | ---
Protocol | Communication protocol | ALL / TCP / UDP / ICMP
Source | Source IPv4 address or CIDR | 192.168.1.0/24, 0.0.0.0/0
Destination | Destination IPv4 address or CIDR | 10.0.0.0/8, 172.16.0.1
Port / End port | TCP/UDP only; single port or range | 80 or 1000-2000
Action | How to treat matching traffic | ACCEPT (allow) / DROP (block)
Description | Rule note (up to 256 characters) | Allow web server access

Ports only apply to TCP/UDP

If the protocol is ALL or ICMP, the port fields are disabled.


Adding a rule

  1. Open the target virtual network from Network > Virtual Networks.
  2. Scroll to Firewall rules on the detail page.
  3. Click Add rule (if there are no rules yet, the button is Add first rule).
  4. Fill in the components above and save.

Editing and deleting

In the menu on each rule row:

  • Edit: change fields and save
  • Delete: the rule is removed immediately once you confirm in the dialog

Reordering rules

Because rules are evaluated top to bottom, order is critical.

  1. Click Reorder.
  2. Use the ↑ / ↓ buttons that appear on each rule to move it.
  3. Click Done to save (or Cancel to discard).

Common rules

Use | Protocol | Source | Destination | Port | Action
--- | --- | --- | --- | --- | ---
External SSH (restrict) | TCP | <admin-IP>/32 | <VM-CIDR> | 22 | ACCEPT
Public HTTP | TCP | 0.0.0.0/0 | <VM-CIDR> | 80 | ACCEPT
Public HTTPS | TCP | 0.0.0.0/0 | <VM-CIDR> | 443 | ACCEPT
Jupyter Notebook | TCP | <office-IP>/24 | <VM-CIDR> | 8888 | ACCEPT
Ping (diagnostics) | ICMP | <office-IP>/24 | <VM-CIDR> | - | ACCEPT
Explicit deny (last) | ALL | 0.0.0.0/0 | 0.0.0.0/0 | - | DROP

Narrow the SSH source IP

Opening port 22 to 0.0.0.0/0 invites brute-force attacks. Limit it to your own IP, your office IP, or your VPN range.


Ordering principles

1. Specific allow rules (specific IPs / ports)
2. General allow rules (subnets / standard service ports)
3. Specific deny rules (specific risky IPs)
4. Catch-all deny (last)

Example 1: Access control for a web server (10.0.0.100)

# | Protocol | Source | Destination | Port | Action | Description
--- | --- | --- | --- | --- | --- | ---
1 | TCP | 192.168.1.0/24 | 10.0.0.100 | 22 | ACCEPT | Internal SSH
2 | TCP | 0.0.0.0/0 | 10.0.0.100 | 80 | ACCEPT | Public HTTP
3 | TCP | 0.0.0.0/0 | 10.0.0.100 | 443 | ACCEPT | Public HTTPS
4 | ALL | 0.0.0.0/0 | 10.0.0.100 | - | DROP | Block everything else

Example 2: DB server (10.0.0.200) — accessible only from the web server

# | Protocol | Source | Destination | Port | Action | Description
--- | --- | --- | --- | --- | --- | ---
1 | TCP | 192.168.1.0/24 | 10.0.0.200 | 22 | ACCEPT | Admin SSH
2 | TCP | 10.0.0.100 | 10.0.0.200 | 3306 | ACCEPT | Web → DB
3 | ALL | 0.0.0.0/0 | 10.0.0.200 | - | DROP | Block everything else

Example 3: Dev environment — accessible only from the dev team's IP range

# | Protocol | Source | Destination | Port | Action | Description
--- | --- | --- | --- | --- | --- | ---
1 | TCP | 203.0.113.0/24 | 10.0.1.0/24 | 22 | ACCEPT | Dev team SSH
2 | TCP | 203.0.113.0/24 | 10.0.1.0/24 | 80-8080 | ACCEPT | Dev web services
3 | ALL | 0.0.0.0/0 | 10.0.1.0/24 | - | DROP | Block everything else
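A small evaluator, added here as an illustration and not part of the platform's own software, that applies this page's first-match, top-to-bottom semantics to the Example 1 rules and checks the constraints stated above (ports only for TCP/UDP, 1 to 65535 with start ≤ end, host bits zero). The Rule class and the validate and evaluate functions are assumptions made for the example; the rule data comes from Example 1.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    protocol: str                   # ALL / TCP / UDP / ICMP
    source: str                     # IPv4 address or CIDR
    destination: str                # IPv4 address or CIDR
    action: str                     # ACCEPT / DROP
    port: Optional[int] = None      # TCP/UDP only
    end_port: Optional[int] = None  # inclusive upper end of a range


def validate(rule):
    """Checks the constraints this page states; raises ValueError on a bad rule."""
    ip_network(rule.source)       # strict: 192.168.1.100/24 raises (host bits not zero)
    ip_network(rule.destination)
    hi = rule.end_port if rule.end_port is not None else rule.port
    if rule.protocol in ("ALL", "ICMP") and hi is not None:
        raise ValueError("ports only apply to TCP/UDP")
    if rule.port is not None and not 1 <= rule.port <= hi <= 65535:
        raise ValueError("need 1 <= port <= end port <= 65535")
    return True


def rule_matches(rule, proto, src, dst, port):
    if rule.protocol not in ("ALL", proto):
        return False
    if ip_address(src) not in ip_network(rule.source):
        return False
    if ip_address(dst) not in ip_network(rule.destination):
        return False
    if rule.port is not None:  # only TCP/UDP rules carry ports
        hi = rule.end_port if rule.end_port is not None else rule.port
        return port is not None and rule.port <= port <= hi
    return True


def evaluate(rules, proto, src, dst, port=None):
    """First match top to bottom wins; no match falls through to the default 'allow all'."""
    for index, rule in enumerate(rules, start=1):
        if rule_matches(rule, proto, src, dst, port):
            return rule.action, index
    return "ACCEPT", None


# Example 1 from this page: web server 10.0.0.100 (hypothetical client addresses in the tests)
WEB_RULES = [
    Rule("TCP", "192.168.1.0/24", "10.0.0.100", "ACCEPT", 22),
    Rule("TCP", "0.0.0.0/0", "10.0.0.100", "ACCEPT", 80),
    Rule("TCP", "0.0.0.0/0", "10.0.0.100", "ACCEPT", 443),
    Rule("ALL", "0.0.0.0/0", "10.0.0.100", "DROP"),
]
# Same rules with the catch-all DROP moved to the top: the FAQ's "still blocked" case
MISORDERED = WEB_RULES[-1:] + WEB_RULES[:-1]
```

evaluate returns the action and the 1-based index of the rule that decided it, which is the first thing to look at when a rule "does not work": with MISORDERED every packet reports rule 1.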

FAQ

I added a rule but traffic is still blocked.

  • Check whether a broader DROP rule sits above it. Only the first matching rule applies.
  • Verify the source/destination CIDR and port are correct, and host bits are zero (e.g. 192.168.1.100/24 → 192.168.1.0/24).
  • Changes take up to one minute to take effect — wait a moment and retry.

All traffic is blocked and I can't reach my VM.

From the virtual network page, temporarily add ALL 0.0.0.0/0 → 0.0.0.0/0 ACCEPT at the very top to get back in, then clean up the rules and remove the temporary one.

Port ranges aren't working.

  • The protocol must be TCP or UDP (ALL/ICMP don't support ports).
  • Make sure start port ≤ end port and both are in 1–65535.
