Skip to main content
IMHCloud Logo
Back to glossary

Firewall Rule

A firewall rule is a configuration statement that permits or denies network traffic based on specific criteria, specifying which connections are allowed based on protocol, port, and IP address.

SecurityNetworking

What is a Firewall Rule in cloud hosting?

A firewall rule is a configuration statement that permits or denies network traffic based on specific criteria. Each rule defines which connections are allowed to reach or leave a resource by specifying the protocol, port, and source or destination IP address.

When you create a firewall rule, you tell the cloud platform exactly which traffic should pass through and which traffic should be blocked. The rule is evaluated every time a connection attempt is made to determine if the connection should succeed or fail.

Why Firewall Rules Exist

Without firewall rules, every resource you launch in the cloud would be accessible from any IP address on any port. This creates immediate security vulnerabilities because attackers can probe your servers, attempt unauthorized access, and exploit open services. Every service running on a server listens on a port, and without explicit rules, all ports would be accessible to everyone.

Firewall rules solve this problem by requiring you to explicitly define which traffic is permitted. If you do not create a rule allowing a specific type of connection, that connection is blocked by default. This default-deny approach forces you to think about which services need to be accessible and from where, reducing the attack surface of your infrastructure.

What Do Firewall Rules Actually Do?

  • Filters incoming connections by comparing each connection attempt against the rule's criteria before allowing traffic to reach the resource
  • Filters outgoing connections by evaluating traffic leaving the resource to ensure it matches permitted protocols and destinations
  • Blocks connections immediately if the protocol, port, or IP address does not match any allow rule, preventing the connection from completing
  • Permits traffic only when criteria match by checking the source IP, destination port, and protocol against the rule you defined
  • Applies to all matching resources when attached to a security group, affecting every instance associated with that group
  • Takes effect immediately after creation or modification, changing which connections succeed or fail without restarting resources

When Would I Use Firewall Rule?

You create firewall rules whenever you launch resources that need network connectivity. For example, you create a rule allowing port 22 from your office IP address when you need SSH access to manage a server. You create a rule allowing port 443 from any IP when you run a public web application that must be accessible to customers worldwide.

You add rules progressively as you build your infrastructure. When you deploy a database server, you create a rule allowing port 5432 only from the IP addresses of your application servers. When you add a monitoring system, you create a rule allowing the monitoring service to connect on its required port. Each new service or access requirement means creating a corresponding firewall rule.

You modify firewall rules when access requirements change. If your office moves and your IP address changes, you update the SSH rule with the new source IP. If you retire an old application server, you remove the rule that allowed it to access your database. Managing firewall rules is an ongoing task as your infrastructure evolves.

When Would I NOT Use Firewall Rule?

You would not use individual firewall rules when managing complex environments with dozens of resources. Instead, you would use security groups to manage collections of rules applied to multiple resources simultaneously. Creating individual rules for each resource becomes impractical and error-prone at scale.

You would not create overly permissive rules that defeat the purpose of the firewall. For example, creating a rule that allows all traffic on all ports from any IP address provides no security benefit. If you find yourself creating such rules, you need to reconsider your network architecture or determine which specific services actually need access.

You would not use firewall rules as your only security mechanism. Firewall rules control network access, but they do not authenticate users, encrypt data, or protect against application-layer attacks. You must combine firewall rules with proper authentication, TLS encryption, application security measures, and regular security updates.

Real-World Example

Company A runs a web application on three instances in their cloud environment. They create a security group with the following firewall rules. The first rule allows TCP traffic on port 443 from any source IP address (0.0.0.0/0), permitting customers to access the HTTPS website from anywhere on the internet. The second rule allows TCP traffic on port 22 from their office IP address (203.0.113.50/32), permitting their administrators to SSH into the servers for maintenance.

Company A's database server runs in a separate instance with its own security group. They create a rule allowing TCP traffic on port 5432 from the three web server IP addresses only. This prevents any other resource or external attacker from accessing the database directly. When a web server needs to query the database, the firewall rule permits the connection because the source IP matches one of the three allowed addresses.

When Company A's office changes locations and gets a new IP address, SSH connections from administrators suddenly fail. Their firewall rule still references the old office IP (203.0.113.50), so all SSH attempts from the new IP (203.0.113.100) are blocked. They update the rule to specify the new IP address, and SSH access resumes immediately without restarting any instances.

Frequently Asked Questions

Do I need separate firewall rules for IPv4 and IPv6?

Yes, if your cloud environment supports both IPv4 and IPv6. You need to create one rule specifying the IPv4 source address range (such as 203.0.113.0/24) and another rule specifying the IPv6 source address range (such as 2001:db8::/32). If you only create an IPv4 rule, IPv6 connections will be blocked. You should create both sets of rules if you expect traffic from both IP versions.

What happens if I create conflicting firewall rules?

Cloud platforms typically apply an allow-first approach. If any rule permits the traffic, the connection succeeds even if another rule might seem to deny it. However, you should avoid creating ambiguous rule sets because different platforms may handle conflicts differently. The best practice is to create specific, non-overlapping rules with clearly defined criteria to eliminate any confusion about which traffic is permitted.

Can I test firewall rules before applying them to production?

Yes, you should test firewall rules in a non-production environment first. Create a test instance with the same security group configuration and attempt connections that should succeed and connections that should fail. Verify that permitted traffic works and blocked traffic is denied before applying the rules to production resources. This prevents accidentally blocking legitimate traffic or accidentally allowing unauthorized access.

How do I debug when a connection fails due to firewall rules?

Check your security group configuration to see if any rule allows the specific protocol, port, and source IP for the failing connection. If no rule permits that combination, you need to add a new rule. Test by temporarily allowing traffic from a broader IP range to confirm the firewall is the issue, then narrow the rule to the specific IP addresses that need access. Always revert overly permissive test rules immediately after diagnosis.

Do firewall rules protect against application vulnerabilities?

No, firewall rules only control which network connections reach your application. They do not inspect the content of those connections or protect against vulnerabilities in your application code. If you allow port 443 traffic and your web application has a SQL injection vulnerability, the firewall rule will not prevent an attacker from exploiting it. You must secure your application code, use prepared statements, validate input, and apply security updates separately from configuring firewall rules.

Summary

  • A firewall rule is a configuration statement that permits or denies network traffic based on protocol, port, and IP address criteria
  • Firewall rules prevent unauthorized access by blocking all traffic except connections you explicitly allow
  • You create firewall rules whenever you launch cloud resources that need network connectivity and modify them as your infrastructure evolves
  • Firewall rules must be combined with authentication, encryption, and application security measures for comprehensive protection
  • Each rule takes effect immediately and filters both incoming and outgoing connections without requiring resource restarts

Related Terms

  • Security Group (collection of firewall rules for cloud resources): A security group is a named set of firewall rules that you apply to instances, such as allowing SSH access on port 22 from specific IP ranges or permitting HTTP traffic on port 80 from any source.
  • Instance (virtual machine): An instance is a virtual server running in the cloud where you apply firewall rules to control which network connections can reach the server, such as allowing database connections on port 3306 only from your application servers.
  • Port (network endpoint for a service): A port is a numbered endpoint where network services listen for connections, such as port 443 for HTTPS traffic or port 5432 for PostgreSQL database connections.