A firewall is a network security solution that monitors and controls inbound and outbound traffic based on predefined filtering rules. The firewall service does not provide DDoS mitigation; its primary function is to act as a barrier between trusted private networks and untrusted public networks, blocking unauthorized traffic.
The firewall service is a multi-tenant solution built on a clustered architecture, where each firewall instance is an individual firewall profile allocated to a set of servers. Instances are created in the customer portal and hosted on shared hardware used by multiple customers. Under optimal conditions, a single instance can handle up to 5 Gbps of traffic. High availability is ensured through hardware, network, and power redundancy.
A VXLAN is created for each firewall instance and serves as the native network for the hosts behind it. Hosts behind the firewall cannot use native (untagged) connections to public L2 segments; every connection to a public L2 segment must be configured as a tagged trunk.
Some operations may result in brief downtime for protected servers:

- Creating or deleting a firewall instance causes downtime for all servers associated with that instance.
- Adding a server to the firewall or removing it causes downtime only for that server; other servers are not affected.
- Adding, removing, or editing firewall rules causes no downtime.
The service provides:

- Creation and management of filtering rules for inbound and outbound traffic based on IP addresses, ports, and supported protocols such as TCP, UDP, and ICMP
- Stateful TCP session monitoring and packet filtering
- Protection of additional public IPv4 addresses
- Traffic monitoring and anomaly detection
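To make the rule-based filtering and the stateful TCP monitoring described above concrete, here is an added example (not the provider's code) of a minimal default-deny filter: rules decide whether a new flow may start, and a session table lets reply packets of an already-accepted TCP connection pass without a matching inbound rule. The rule set, addresses (TEST-NET ranges), and packets are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# A rule: action "allow"/"deny", direction "in" (toward protected hosts) or "out",
# proto "tcp"/"udp"/"icmp"/"any", src and dst as CIDR, dport None = any port.
Rule = namedtuple("Rule", "action direction proto src dst dport", defaults=[None])
# A packet as the filter sees it; syn marks a TCP connection-opening segment.
Packet = namedtuple("Packet", "direction proto src dst sport dport syn", defaults=[False])

class StatefulFirewall:
    """Default-deny filter: rules decide new flows, a session table passes replies."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (client_ip, client_port, server_ip, server_port)

    def _match(self, p):
        for r in self.rules:  # first matching rule wins
            if (r.direction == p.direction and r.proto in ("any", p.proto)
                    and ip_address(p.src) in ip_network(r.src)
                    and ip_address(p.dst) in ip_network(r.dst)
                    and r.dport in (None, p.dport)):
                return r.action
        return "deny"  # nothing matched: implicit deny

    def process(self, p):
        if p.proto == "tcp":
            fwd = (p.src, p.sport, p.dst, p.dport)
            rev = (p.dst, p.dport, p.src, p.sport)
            if fwd in self.sessions or rev in self.sessions:
                return "allow (established)"  # belongs to a tracked session
            if not p.syn:
                return "deny (no session)"  # mid-stream segment with no tracked flow
        action = self._match(p)
        if action == "allow" and p.proto == "tcp":
            self.sessions.add((p.src, p.sport, p.dst, p.dport))  # remember the new flow
        return action

def demo():
    host = "203.0.113.10"  # constructed address of a protected server
    fw = StatefulFirewall([
        Rule("allow", "in", "tcp", "0.0.0.0/0", host, 443),         # public HTTPS
        Rule("allow", "out", "any", "203.0.113.0/24", "0.0.0.0/0"),  # anything outbound
    ])
    return [fw.process(p) for p in (
        Packet("in", "tcp", "198.51.100.5", host, 40000, 443, syn=True),    # new client
        Packet("in", "tcp", "198.51.100.5", host, 40000, 22, syn=True),     # SSH: no rule
        Packet("out", "tcp", host, "198.51.100.20", 51000, 443, syn=True),  # server dials out
        Packet("in", "tcp", "198.51.100.20", host, 443, 51000),             # its reply
        Packet("in", "tcp", "198.51.100.7", host, 1234, 443),               # non-SYN, untracked
        Packet("in", "udp", "198.51.100.9", host, 5000, 53),                # UDP: rules only
    )]
```

The fourth packet is admitted only because the server itself opened the connection; the fifth shows why tracking matters, since a bare mid-stream segment to an allowed port is still dropped.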
Benefits for protected servers:

- Reduces the packet-filtering workload on the servers by stopping unwanted traffic before it reaches them
- Lowers the risk of attacks by blocking unexpected traffic directed at protected nodes
- Helps prevent data leaks caused by software misconfigurations, since only explicitly permitted traffic can leave