CloudNexus Firewall
Stateful Layer 4/7 network security rules for protecting your infrastructure. Configure ingress/egress filtering, rate limiting, and geographic restrictions with zero-downtime deployment.
Overview & Architecture
The CloudNexus Firewall (CN-FW) operates at the network edge, inspecting traffic before it reaches your compute instances. Rules are evaluated in priority order (lowest number first), and the first matching rule determines the action.
Default Behavior
If no rules match, CN-FW defaults to ALLOW for inbound traffic and DROP for outbound traffic to prevent accidental lockouts. This can be overridden via the default_action property.
- Stateful Inspection: Tracks connection state automatically. Reply traffic is allowed without explicit egress rules.
- Global Propagation: Rules deploy to all edge nodes in <300ms via our control plane.
- Protocol Support: TCP, UDP, ICMP, and custom L4/L7 patterns via WAF integration.
Rule Format & Structure
Firewall rules are defined using a YAML/JSON schema (the REST API accepts the JSON form). Each rule must include a priority, an action, and at least one match condition.
    name: allow-https-ingress
    priority: 100
    action: ALLOW
    direction: INBOUND
    match:
      protocol: TCP
      ports: 443
      source_ip: 0.0.0.0/0
    metadata:
      tags: ["production", "web-tier"]
      logging: true
| Field | Type | Description | Required |
|---|---|---|---|
| name | string | Human-readable identifier | Yes |
| priority | integer | Evaluated lowest to highest (1-9999) | Yes |
| action | enum | ALLOW, DROP, REJECT, LOG | Yes |
| direction | enum | INBOUND, OUTBOUND, BOTH | No (defaults to INBOUND) |
| match | object | Conditions for rule evaluation | Yes |
Configuration Methods
Manage your firewall rules through the dashboard, CLI, or REST API.
CLI Reference
    # Create a new rule
    cnctl firewall rule create \
      --priority 150 \
      --action DROP \
      --protocol TCP \
      --ports 22 \
      --source "10.0.0.0/8, 192.168.1.100"

    # List all active rules
    cnctl firewall rule list --output json

    # Delete by name
    cnctl firewall rule delete "allow-ssh-internal"
REST API
    curl -X POST https://api.cloudnexus.io/v1/firewall/rules \
      -H "Authorization: Bearer $API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "block-bot-scanners",
        "priority": 50,
        "action": "DROP",
        "match": {
          "protocol": "TCP",
          "ports": [80, 443],
          "rate_limit": { "requests_per_minute": 100, "window": "1m" }
        }
      }'
Priority Conflicts
Duplicate priority values will be automatically adjusted with a random offset. We recommend spacing priorities by increments of 10 (e.g., 10, 20, 30) for easy future insertions.
Best Practices
- Principle of Least Privilege: Only open ports and IP ranges required for your application. Default deny is strongly recommended for production workloads.
- Explicit Allow, Implicit Drop: Place specific allow rules at lower priority numbers (so they are evaluated first), and use a broad drop rule at priority 9000+ as a safety net.
- Enable Logging: Set logging: true on security-sensitive rules to capture audit trails in the CloudNexus Observability suite.
- Use Tags for Scoping: Apply rules to specific resource groups using metadata.tags instead of applying them globally.
- Regular Audits: Use the cnctl firewall audit command to detect shadowed rules and unused configurations.
Troubleshooting & Debugging
If traffic isn't behaving as expected, verify your rule evaluation order and enable debug logging.
    # Enable trace logging for a specific rule
    cnctl firewall rule update "allow-api-gateway" --debug true

    # View live packet evaluation logs
    cnctl firewall logs stream --rule-id fw-8x29a --follow
Common Pitfall: Rule Shadowing
If a broader rule with a lower priority number is evaluated before a more specific rule and matches the same traffic, the specific rule will never trigger. Use cnctl firewall analyze to visualize rule overlap and priority conflicts.
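As an added illustration (not part of the CloudNexus documentation or the cnctl tool), the following Python models the first-match-by-priority evaluation described in the Overview, the documented defaults for traffic that matches no rule, and a shadow check in the spirit of cnctl firewall analyze. The rule names, addresses and the ANY protocol wildcard are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                  # lower number is evaluated first
    action: str                    # ALLOW, DROP, REJECT or LOG
    protocol: str                  # TCP, UDP, ICMP or ANY (ANY is an assumption here)
    ports: frozenset               # empty set = any port
    source: ipaddress.IPv4Network
    direction: str = "INBOUND"

DEFAULT_ACTION = {"INBOUND": "ALLOW", "OUTBOUND": "DROP"}  # documented defaults when nothing matches

def matches(rule, proto, port, src, direction):
    """True when a packet described by (proto, port, src, direction) hits the rule."""
    return (rule.direction in (direction, "BOTH")
            and rule.protocol in (proto, "ANY")
            and (not rule.ports or port in rule.ports)
            and ipaddress.ip_address(src) in rule.source)

def evaluate(rules, proto, port, src, direction="INBOUND"):
    """First match in ascending priority order decides; otherwise the default applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, proto, port, src, direction):
            return rule.name, rule.action
    return None, DEFAULT_ACTION[direction]

def shadowed(rules):
    """Names of rules whose entire match set is covered by an earlier rule."""
    ordered = sorted(rules, key=lambda r: r.priority)
    hidden = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.direction in (later.direction, "BOTH")
                    and earlier.protocol in (later.protocol, "ANY")
                    and (not earlier.ports or (later.ports and later.ports <= earlier.ports))
                    and later.source.subnet_of(earlier.source)):
                hidden.append(later.name)
                break
    return hidden

# Constructed sample: the internal SSH allow sits behind a broader public SSH
# drop, so it can never fire (the shadowing pitfall described above).
RULES = [
    Rule("allow-https-ingress", 100, "ALLOW", "TCP", frozenset({443}), ipaddress.ip_network("0.0.0.0/0")),
    Rule("drop-ssh-public", 150, "DROP", "TCP", frozenset({22}), ipaddress.ip_network("0.0.0.0/0")),
    Rule("allow-ssh-internal", 200, "ALLOW", "TCP", frozenset({22}), ipaddress.ip_network("10.0.0.0/8")),
]
```

Running evaluate(RULES, "TCP", 22, "10.1.2.3") returns the DROP from drop-ssh-public rather than the intended internal allow, and shadowed(RULES) names allow-ssh-internal as the rule that can never trigger.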
FAQ
Q: How long does rule propagation take?
A: Typically 150-300ms across all edge regions. Changes are applied atomically to prevent packet drops during updates.
Q: Can I combine WAF and Firewall rules?
A: Yes. CN-FW handles L4 filtering first. If traffic passes, it routes to the WAF engine for L7 inspection. Both can share the same rule priority namespace.