How to Activate a Stateful Cloud Firewall

Firewall and Security Groups Overview

A firewall controls incoming and outcoming traffic based on predefined security rules. Typically it establishes a barrier between a trusted (internal) network and untrusted external network, like the Internet.

At Scaleway, you have the possibility to use security groups. Security groups enable to create rules that either drops or allows incoming traffic from certain ports of your server.

Security Groups are stateful by default which means return traffic is automatically allowed, regardless of any rules. As a contrary, you have to switch in a stateless mode to define explicitly allowed.

You can either create a security group from the Scaleway console or directly with the Scaleway API.

For more information, you can refer to our Network FAQ.

Requirements:

• You have an account and are logged into console.scaleway.com
• You have configured your SSH Key

Creating a Security Group via the Scaleway Console

1 . In the Compute tab, click Security Group.

2 . In the Security Group tab, hover over the + which displays a Create a security group.

The Create a New Security Group opens. Enter all the required information.

3 . Choose:

• a Name
• a Description
• a region. Note that security groups cannot be transferred from one region to another.
• a valid security group configuration
• a server to apply the security group to

4 . Click Create a new security group The security group is added to your security group list.

Configuring a Security Group via the Scaleway Console

Important: If you create a stateful security group, it cannot be attached to a BareMetal server. In addition, if you already have a stateless security group attached to a BareMetal server, you will get an error while trying to switch that security group to stateful.

When creating a new security group, you can configure multiple rules to secure your server.

• INBOUND DEFAULT POLICY: whether you want to allow or not all incoming traffic to your server. We recommend blocking incoming traffic by default to prevent intrusions.
• OUTBOUND DEFAULT POLICY: whether you want to allow or not all outgoing traffic from your server.
• Enable SMTP: whether you want to allow or not SMTP. We recommend blocking SMTP outbound traffic to avoid mail spamming.

In the example above, we configured the security group to:

• Allow SSH access. As a security measure, we strongly recommend choosing a different port for SSH access.
• Allow HTTP access

Rules are applied according to their position. Thus, rule 1 (SSH access) will be applied first and so on. To delete a rule, click on the X icon.

Once create, the security group is added to the security group list.

Editing a Security Group via the Scaleway Console

1 . In the Security Group tab, click on the security group you want to edit or use the dropdown menu on the right … > More info.

All the details regarding your security group is displayed here.

In the Overview section, you can:

• Set as Organization default (refers to the security group applied by default)
• Enable SMTP

In the Servers section, you can:

• Add a new server to the security group
• Unlink a server to the security group

In the Rules section, you can:

• Update your inbound and outbound rules.

Creating a Security Group via the Scaleway API

1 . Generate a token from your Scaleway console, if you do not have one yet.

2 . Define a SCW_TOKEN variable from your token id

export SCW_TOKEN='token_uuid'

3 . Retrieve your organization ID through the API. Replace the X-Auth-Token value with your generated token.

% curl https://account.scaleway.com/organizations -H "X-Auth-Token: fa633f07-c2e9-4f06-b651-011d5330e58f"

{
  "organizations": [
    {
->    "id": "000a115d-2852-4b0a-9ce8-47f1134ba95a",
      "name": "jsnow@got.wint",
      "users": [
        {
          ...
        }
      ]
    }
  ]
}

In the above example, the organization ID is 000a115d-2852-4b0a-9ce8-47f1134ba95a.

4 . Depending on your instance location, you can use the base URL https://cp-par1.scaleway.com or https://cp-ams1.scaleway.com

5 . Retrieve your security group.

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups' -H "x-auth-token: $SCW_TOKEN" | jq

6 . Create a new security group

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups' -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"organization":"717ff161-41a6-4458-b4f8-e6d07d7d9562","name":"New group","description":"new"}' | jq

7 . Set the stateful option on the security group

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"stateful":true}' | jq

8 . Set inbound default policy to drop

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"inbound_default_policy":"drop"}' | jq

9 . Set outbound default policy to drop

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"drop"}' | jq

10 . Set outbound default policy to accept

curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"accept"}' | jq