Firewall as a Service

IBEE Solutions Firewalls let you define inbound traffic rules and attach them to your VMs. Each firewall group contains a set of rules that control which traffic is allowed or dropped before it reaches your server. Firewalls are managed from the portal sidebar under Network.

How firewalls work

  • A firewall group is a named collection of rules. Each organization has a default firewall group.
  • Rules are evaluated in order. Each rule specifies a protocol, port range, source, and action (accept or drop).
  • Firewall groups can be attached to multiple VMs. A VM can have one firewall group at a time.
  • Rules support both IPv4 and IPv6 traffic, managed in separate tabs.

Firewall group structure

Each firewall group has three tabs:

TabContents
IPv4Inbound rules for IPv4 traffic
IPv6Inbound rules for IPv6 traffic
InstancesVMs currently attached to this firewall group

Rule components

Each rule has the following fields:

FieldOptions
ActionAccept (allow traffic) or Drop (block traffic)
ProtocolTCP, UDP, ICMP, or Any
PortPort number, range (e.g. 8000-9000), or all ports
SourceAnywhere (0.0.0.0/0) or Custom CIDR/IP address

Common application ports

The portal offers quick-pick buttons for common services:

ApplicationProtocolPort
SSHTCP22
HTTPTCP80
HTTPSTCP443
MySQLTCP3306
PostgreSQLTCP5432
DNSUDP53
MS RDPTCP3389

System-managed rules

Some rules are system-managed and cannot be edited or deleted. These are marked in the rule list and ensure essential connectivity (e.g., DHCP, metadata service).

Default firewall group

Each organization has a default firewall group. New VMs are automatically associated with it unless you specify a different group during deployment.

Linked instances

The Instances tab shows all VMs attached to the firewall group, including:

  • Instance name
  • Status (running, stopped, etc.)
  • IP addresses
  • OS label

Best practices

  • Start with a deny-all posture and explicitly allow only the ports you need.
  • Use Custom source CIDRs to restrict access to known IP ranges instead of Anywhere.
  • Keep SSH (port 22) access restricted to your office or VPN CIDR.
  • Review attached instances periodically to ensure the right VMs are protected.