
Protecting your instances with a firewall

Lite includes a network firewall you can attach to your VMs. The fastest way to lock things down before pointing real traffic at a fresh deploy.


A network firewall is the highest-leverage security measure you can take after SSH key auth. Lite includes one built into the portal — you create a named rule set, attach it to one or more instances, and only the traffic you explicitly allow gets through. Most production workloads should set one up before going live.

How firewalls work in Lite

  • A firewall is a named IPv4 rule set with up to 50 rules.
  • Each instance can have one firewall attached at a time.
  • A single firewall can protect multiple instances — if you have a fleet of identical web servers, one firewall covers all of them.
  • Rules can use CIDR sources, "Any" (open), or the "Cloudflare" preset that whitelists Cloudflare’s edge IPs.
  • Rule changes propagate within roughly 10 minutes after you save.

A sensible starter rule set

For a typical web-serving VPS, a firewall like this gives you the right baseline — only SSH from your operator IPs, only HTTP/HTTPS from the world, everything else implicitly blocked.

Action   Protocol   Port   Source                     Purpose
ACCEPT   TCP        22     Your office / home CIDR    SSH (operators only)
ACCEPT   TCP        80     Any                        HTTP (public)
ACCEPT   TCP        443    Any                        HTTPS (public)
ACCEPT   ICMP       -      Any                        Ping / health probes (optional)

Anything not matched by an explicit ACCEPT rule is denied. Open exactly the ports you serve, nothing more.
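As an added example (not code from the Lite portal or its documentation), the following Python models how a rule set like the one above is evaluated: the first explicit ACCEPT match wins, and anything else falls through to the implicit deny. The operator CIDR 203.0.113.0/24, the rule-cap check and the audit helper that flags SSH opened to "Any" are assumptions for illustration.

```python
"""Added example, not code from the Lite portal or its docs: a model of how a
Lite-style firewall evaluates traffic against the starter rule set above.
The operator CIDR, the audit helper and the rule cap check are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RULES = 50           # per-firewall rule cap stated in the article
ANY = "Any"              # the portal's open-source preset

@dataclass(frozen=True)
class Rule:
    protocol: str        # "TCP", "UDP" or "ICMP"
    port: Optional[int]  # None for ICMP, which has no port field
    source: str          # CIDR string or ANY
    purpose: str

def source_matches(rule_source: str, src_ip: str) -> bool:
    """ANY matches every address; otherwise test CIDR membership."""
    if rule_source == ANY:
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source, strict=False)

def evaluate(rules: list[Rule], protocol: str, port: Optional[int], src_ip: str) -> str:
    """Return "ACCEPT" on the first explicit match, else "DENY" (the implicit default)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    for r in rules:
        if r.protocol == protocol and r.port == port and source_matches(r.source, src_ip):
            return "ACCEPT"
    return "DENY"

def audit(rules: list[Rule]) -> list[str]:
    """Flag remote-admin ports exposed to ANY; the article keeps SSH to operator CIDRs."""
    return [f"{r.protocol}/{r.port} ({r.purpose}) is open to Any"
            for r in rules if r.source == ANY and r.port in (22, 3389)]

# Starter rule set from the article; 203.0.113.0/24 (TEST-NET-3) is a constructed
# stand-in for "your office / home CIDR".
OPERATOR_CIDR = "203.0.113.0/24"
STARTER = [
    Rule("TCP", 22, OPERATOR_CIDR, "SSH (operators only)"),
    Rule("TCP", 80, ANY, "HTTP (public)"),
    Rule("TCP", 443, ANY, "HTTPS (public)"),
    Rule("ICMP", None, ANY, "Ping / health probes (optional)"),
]

if __name__ == "__main__":
    print(evaluate(STARTER, "TCP", 22, "203.0.113.7"), evaluate(STARTER, "TCP", 22, "198.51.100.9"))
    print(audit(STARTER + [Rule("TCP", 22, ANY, "SSH")]))
```

Running the script prints ACCEPT for SSH from the operator range, DENY for SSH from anywhere else, and an audit warning for the deliberately bad rule appended at the end.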

Creating and attaching a firewall

  1. Go to Network → Firewall → Create. Give the firewall a name and short description.
  2. Open the new firewall and add rules one by one. The portal includes application presets (SSH, HTTP, HTTPS, common databases) so you do not have to remember port numbers.
  3. Open the instance detail page for the VM you want to protect, click Assign Firewall, and pick the firewall you just created. The same firewall can be reused on multiple instances.
  4. Wait up to ~10 minutes for rules to propagate, then verify externally (curl from outside, nmap, etc.).

Cloudflare-fronted services

If your service sits behind Cloudflare, set the source on your HTTP/HTTPS rules to the "Cloudflare" preset instead of "Any". Your origin then accepts connections only from Cloudflare’s edge — anyone hitting your origin IP directly is blocked, which neutralizes direct origin scans and CDN-bypass attacks.

Tip

For a deeper baseline beyond the firewall — SSH hardening, brute-force protection, patching, attack-surface reduction — see "Hardening your VPS" in the Account & Security section.
