Firewalls

Firewall groups are reusable sets of inbound and outbound rules that control which traffic can reach your Skytells instances. Attach a group to one or many instances to enforce a consistent access policy.

A firewall group is a named, reusable collection of network access rules. Each rule specifies a direction (inbound or outbound), a protocol, a port or port range, and the source (for inbound) or destination (for outbound) that the rule permits or denies.

Attaching a firewall group to an instance makes those rules active for all traffic to and from that machine. Multiple instances can share the same firewall group — update the rules once to affect every attached machine.

Why firewall groups exist

Instances provisioned inside a VPC are already isolated from each other across VPCs, but public IP exposure is a separate concern. By default, a new instance has no inbound access permitted from the internet. To open access — for SSH, an HTTP API, a database port — you need an explicit firewall rule.

Firewall groups make this manageable at scale:

Define a rule set once (e.g., "web server: allow 443 from anywhere, allow 22 from internal range only").
Attach it to every instance playing that role.
To change the policy, edit the group — all attached instances are updated.

This is preferable to configuring rules per-instance, which becomes error-prone as fleets grow.

A new instance with no attached firewall group has no inbound traffic allowed from the internet. Attach a firewall group to open specific ports. Outbound traffic is permitted by default unless an outbound rule explicitly restricts it.

Firewall rule anatomy

Each rule in a firewall group has the following fields:

Field	Description
Direction	`Inbound` (traffic arriving at the instance) or `Outbound` (traffic leaving the instance).
Protocol	`TCP`, `UDP`, `ICMP`, or `All`. Most application traffic uses TCP.
Port / Port range	A single port (`443`) or a range (`8000–8100`). Use `All` for protocol-level rules like ICMP.
Source (Inbound)	The IP address or CIDR range permitted to send traffic. Use `0.0.0.0/0` to permit any source; use a specific CIDR to restrict access.
Destination (Outbound)	The IP address or CIDR range the instance is permitted to reach.
Action	`Allow` (most common) or `Deny`. Rules are evaluated top-down; the first match wins.

Common rule patterns

Purpose	Direction	Protocol	Port	Source
HTTPS web traffic	Inbound	TCP	443	`0.0.0.0/0`
HTTP redirect	Inbound	TCP	80	`0.0.0.0/0`
SSH from specific IP	Inbound	TCP	22	Your IP (`/32`)
SSH from internal network	Inbound	TCP	22	VPC CIDR (e.g. `10.0.0.0/8`)
PostgreSQL internal only	Inbound	TCP	5432	VPC CIDR
Block all other inbound	Inbound	All	All	`0.0.0.0/0` — Deny
Allow all outbound	Outbound	All	All	`0.0.0.0/0` — Allow

Avoid leaving SSH (port 22) open to 0.0.0.0/0 in production. Restrict it to your IP or your VPN/bastion CIDR. See Security for platform-wide security recommendations.

Managing firewall groups

Accessing the firewall list

Open the Skytells Console and navigate to Infrastructure.
In the Infrastructure left rail, select Firewalls.
All firewall groups in your account are listed, with their name and the count of attached instances.

Creating a firewall group

From the Firewalls list, select New Firewall Group or the equivalent creation action.
Give the group a descriptive name (e.g., web-server, db-internal-only, bastion).
Add rules one at a time. For each rule: choose direction, protocol, port(s), and source or destination.
Save the group. It is immediately available for attachment.

Editing rules

Open a firewall group from the list.
Add, remove, or modify individual rules.
Save changes. The updated rule set takes effect on all attached instances without requiring a restart.

Attaching a firewall group to an instance

At creation time — when creating a new instance, select the firewall group in the creation form.
After creation — open the instance detail page and update the firewall group assignment. The new rules take effect immediately.

Removing a firewall group from an instance

Removing a group leaves the instance with no firewall rules attached, which means no inbound traffic is permitted (the default-deny baseline applies). Ensure you understand the access impact before detaching.

Firewall groups and VPCs

Firewall rules govern traffic at the IP level — they apply equally to traffic arriving from the public internet and to traffic arriving from other instances (even those in the same VPC).

To allow instance-to-instance communication inside a VPC without going through the public internet:

Both instances must be in the same VPC, so private IP routing is possible.
If firewall groups on those instances have inbound rules that would block private-IP sources, add a rule permitting the VPC's CIDR range.

For most VPC-internal traffic patterns (services calling each other on private IPs), the cleanest approach is a dedicated inbound rule: Allow TCP <port> from <VPC CIDR>.

See VPCs for how to find your VPC's CIDR block.

Security best practices

Principle of least privilege — open only the ports your workload actually requires. Every open port is an attack surface.
Avoid 0.0.0.0/0 on management ports — SSH, RDP, and database ports should never be open to the entire internet.
Separate groups by role — a web tier group, a database tier group, and a management group. Mixing rules from different roles in one group makes auditing harder.
Audit regularly — review your firewall groups periodically. Remove rules for services you no longer run.

For the full platform security posture, see Security.

Instances — virtual machines that firewall groups are attached to.
VPCs — private network boundaries that complement firewall access control.
Infrastructure Overview — the full picture of Skytells' compute and networking layer.
Security — platform-wide security practices and recommendations.
Responsible AI — governance framework that governs Skytells-operated infrastructure (such as Eve's isolated VM runtime).

How is this guide?

On this page