How to Activate a Stateful Cloud Firewall
Firewall and Security Groups Overview
A firewall controls incoming and going traffic based on predefined security rules. Typically it establishes a barrier between a trusted (internal) network and untrusted external network, like the Internet.
At Scaleway, you have the possibility to use security groups. Security groups enable to create rules that either drop or allow incoming traffic from or to certain ports of your server.
It is possible to configure a security group using the following configuration utilities:
For more information, you can refer to our Network FAQ.
Requirements:
- You have an account and are logged into console.scaleway.com
- You have configured your SSH Key
Creating a Security Group via the Scaleway Console
1 . In the Compute section of the side menu, click Instances. The virtual instances list displays.
2 . Click the Security Group tab to enter the security group configuration:
3 . Hover over the + button and click Create a Security Group.
4 . The security group creation page displays.
Fill in the following information for your security group:
- a Name of your choice
- a Description of the security group
- a Region in which the security group is available
- The Security Group rules to be applied
- One or multiple Instances to apply the security group on
5 . Click Create a new security group to add the newly created group to your security group configuration.
By default security groups are stateful. To configure a stateless security group, uncheck the corresponding box on the security groups overview page:
Configuring a Security Group via the Scaleway Console
The security group configuration is based on a set of inbound and outbound rules.
By default a new security group is empty, with an exception of rules for outbound SMTP connections. These connections are blocked by default for security reasons.
Tick the Enable SMTP box to disable these rules and to be able to send outgoing emails from your instance.
- Click Add inbound rule to add inbound rules.
- Click Add outbound rule to add outbound rules.
Add a new rule as follows:
- Rule: The value can either be
Dropto drop connections that match the rule orAcceptto accept these connections. - Protocol: This field specifies the protocol on which the rule applies. The value can either be
TCP,UDPorICMP. - Port: This field specifies the [port](https://en.wikipedia.org/wiki/Port_(computer_networking) on which the rule applies. If the
All Portsbox is tickets, the rule applies to all ports. - IP Range: The IP range in CIDR notation on which the rule applies.
Note: Security Group rules are treated in their order. This means you must allow connections to certain ports before denying connections to any other port.
Editing a Security Group via the Scaleway Console
1 . In the Security Group tab, click on the security group you want to edit or use the dropdown menu on the right … > More info:
2 . The security group details displays:
In the Overview section, you can:
- Add a description to the security group
- Set the security group as organization default
- Enable or disable the SMTP ports. We recommend blocking SMTP outbound traffic to avoid mail spamming.
- Enable or disable stateful security group rules
- Delete the security group
In the Instances section, you can:
- Add a new virtual instance to the security group
- Unlink a virtual instance from the security group
In the Rules section, you can:
- Set the security groups default rules:
- Inbound default policy: whether you want to allow or not all incoming traffic to your server. We recommend blocking incoming traffic by default to prevent intrusions.
- Outbound default policy: whether you want to allow or not all outgoing traffic from your server.
- Update the security groups inbound and outbound rules
Creating a Security Group via the Scaleway API
1 . Generate a token from your Scaleway console, if you do not have one yet.
2 . Define a SCW_TOKEN variable from your token id
export SCW_TOKEN='token_uuid'
3 . Retrieve your organization ID through the API. Replace the X-Auth-Token value with your generated token.
% curl https://account.scaleway.com/organizations -H "X-Auth-Token: fa633f07-c2e9-4f06-b651-011d5330e58f"
{
"organizations": [
{
-> "id": "000a115d-2852-4b0a-9ce8-47f1134ba95a",
"name": "jsnow@got.wint",
"users": [
{
...
}
]
}
]
}
In the above example, the organization ID is 000a115d-2852-4b0a-9ce8-47f1134ba95a.
4 . Depending on your instance location, you can use the base URL https://cp-par1.scaleway.com or https://cp-ams1.scaleway.com
5 . Retrieve your security group.
curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups' -H "x-auth-token: $SCW_TOKEN" | jq
6 . Create a new security group
curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups' -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"organization":"717ff161-41a6-4458-b4f8-e6d07d7d9562","name":"New group","description":"new"}' | jq
7 . Set the stateful option on the security group
curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"stateful":true}' | jq
8 . Set inbound default policy to drop
curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"inbound_default_policy":"drop"}' | jq
9 . Set outbound default policy to drop
curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"drop"}' | jq
10 . Set outbound default policy to accept
curl 'https://api.scaleway.com/instance/v1/zones/fr-par-1/security_groups/2d9674a0-15f2-496e-a296-b16c98ba88ee' -X PUT -H "x-auth-token: $SCW_TOKEN" -H 'Content-Type: application/json;charset=utf-8' --data '{"outbound_default_policy":"accept"}' | jq