Documentation & Tutorials

How to Activate a Stateful Cloud Firewall

Firewall and Security Groups Overview

A firewall controls incoming and outcoming traffic based on predefined security rules. Typically it establishes a barrier between a trusted (internal) network and untrusted external network, like the Internet.

At Scaleway, you have the possibility to use security groups. Security groups enable to create rules that either drops or allows incoming traffic from certain ports of your server.

Security Groups are stateful by default which means return traffic is automatically allowed, regardless of any rules. As a contrary, you have to switch in a stateless mode to define explicitly allowed.

You can either create a security group from the Scaleway console or directly with the Scaleway API.

For more information, you can refer to our Network FAQ.


Creating a Security Group via the Scaleway Console

1 . Once logged on the Scaleway console, click Security in the left menu.

2 . Click Create a Group.

3 . Select a location, either Amsterdam or Paris. Note that security groups cannot be transferred one region to another.

4 . Enter a Name, a Description, and tick Yes to Stateful Groups.

5 . Once all the fields are complete, you can click Create security group.


The security group is added to your security group list.

Configuring a Security Group via the Scaleway Console

Important: If you create a stateful security group, it cannot be attached to a BareMetal server. In addition, if you already have a stateless security group attached to a BareMetal server, you will get an error while trying to switch that security group to stateful.

1 . On you Server Dashboard, select the running server on which you want to apply the security group.

2 . Once the server details are displayed, scroll down to Advanced and click Show. Advanced configurations are listed.

3 . On the Security Group field, click Change to select the correct security group created previously.


4 . Once you selected the security group, validate your choice.


A pop-up informs you that the Security group has been updated.

5 . Click on View to edit the security group rules. A Group Rules displays.

  • ORGANIZATION DEFAULT: refers to the security group applied by default.
  • BLOCK SMTP: whether you want to allow or not SMTP. We recommend blocking SMTP outbound traffic to avoid mail spamming.
  • STATEFUL GROUP: whether you want your security rules to be stateful or not.
  • INBOUND DEFAULT POLICY: whether you want to allow or not all incoming traffic to your server. We recommend blocking incoming traffic by default to prevent intrusions.
  • OUTBOUND DEFAULT POLICY: whether you want to allow or not all outgoing traffic from your server.

To create a new rule, select the rule configuration and click Add. The Reset button allows you to clear all the fields and enter a new configuration.


In the example below, we configured the security group to:

  • Allow SSH access. As a security measure, we strongly recommend choosing a different port for SSH access.
  • Allow HTTP access
  • Allow HTTPS access

Rules are applied according to their position. Thus, rule 1 (SSH access) will be applied first and so on. To delete a rule, click on the bin icon.


Rules are saved automatically. To go back to your server details, click on your server name.

Creating a Security Group via the Scaleway API

1 . Generate a token from your Scaleway console, if you do not have one yet.

2 . Define a SCW_TOKEN variable from your token id

export SCW_TOKEN='token_uuid'

3 . Retrieve your organization ID through the API. Replace the X-Auth-Token value with your generated token.

% curl -H "X-Auth-Token: fa633f07-c2e9-4f06-b651-011d5330e58f"

  "organizations": [
->    "id": "000a115d-2852-4b0a-9ce8-47f1134ba95a",
      "name": "jsnow@got.wint",
      "users": [

In the above example, the organization ID is 000a115d-2852-4b0a-9ce8-47f1134ba95a.

4 . Depending on your instance location, you can use the base URL or

5 . Retrieve your security group.

curl '' -H "x-auth-token: $SCW_TOKEN" | jq

6 . Create a new security group

curl '' -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"organization":"717ff161-41a6-4458-b4f8-e6d07d7d9562","name":"New group","description":"new"}' | jq

7 . Set the stateful option on the security group

curl '' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"stateful":true}' | jq

8 . Set inbound default policy to drop

curl '' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"inbound_default_policy":"drop"}' | jq

9 . Set outbound default policy to drop

curl '' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"drop"}' | jq

10 . Set outbound default policy to accept

curl '' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"accept"}' | jq

Discover a New Cloud Experience

Deploy SSD Cloud Servers in seconds.