Learn how to configure the Edge Network Firewall for your services.
To protect customer services exposed on public IP addresses, OVHcloud offers a stateless firewall that is configured and integrated into the Anti-DDoS infrastructure: the Edge Network Firewall. It limits the exposure of your services to DDoS attacks by dropping the network flows you specify when they come from outside the OVHcloud network.
[Diagram: OVHcloud Anti-DDoS infrastructure and game protection services]
Requirements
- an OVHcloud service exposed on a dedicated public IP address (Dedicated server, VPS, Public Cloud instance, Hosted Private Cloud, Additional IP, etc.)
- access to the OVHcloud Control Panel
Instructions
The Edge Network Firewall reduces exposure to network DDoS attacks by allowing users to copy some of the server's firewall rules to the edge of the OVHcloud network. This blocks incoming attacks as close to their source as possible, reducing the risk of saturating server resources or rack connections in the event of major attacks.
Enabling Edge Network Firewall
From the OVHcloud Control Panel:
- Click on Bare Metal Cloud.
- In the left-hand menu, under Network, click IP.
- You can use the drop-down menu underneath "My public IP addresses and associated services" to filter your services according to category.
- Next, click the more options ... button to the right of the relevant IPv4 and first select Enable Edge Network Firewall.
Click Confirm in the pop-up window.
Once the firewall is created, reopen the more options ... menu. Here you will see a few options that will be useful moving forward in this guide:
- Click here to enable/disable the firewall.
- Add rules to customize your firewall. You can set up to 20 rules per IP.
Click Edge Network Firewall configuration to begin.
Please note that you should configure your own local firewalls even if the Edge Network Firewall has been configured, as its main role is to handle traffic from outside of the OVHcloud network.
If you have configured some rules, we recommend that you check them regularly or whenever you change how your services work. Note that the Edge Network Firewall will be automatically enabled in case of a DDoS attack even when it is disabled in your IP settings.
- UDP fragmentation is blocked (DROP) by default. When enabling the Edge Network Firewall, if you are using a VPN, remember to configure your Maximum Transmission Unit (MTU) correctly. For example, with OpenVPN, you can check MTU test.
- The Edge Network Firewall (ENF) integrated into the scrubbing centers (VAC) only handles network traffic coming from outside the OVHcloud network.
Configure the Edge Network Firewall
For more information, please refer to the following guide: Configuring the Firewall on Windows.
To add a rule, click + Add a rule.
For each rule (excluding TCP), you must choose:
- A priority (from 0 to 19, 0 being the first rule to be applied, followed by the others)
- A mode (Refuse or Authorise)
- The protocol
- Source IP (optional)
For each TCP rule, you must choose:
- A priority (from 0 to 19, 0 being the first rule to be applied, followed by the others)
- A mode (Refuse or Authorise)
- The protocol
- Source IP (optional)
- The source port (optional)
- The destination port (optional)
- The TCP state (optional)
- Fragments (optional)
Configuration example:
- Priority 0: Authorise TCP established
- Priority 1: Authorise UDP source port 53
- Priority 2: Authorise ICMP
- Priority 19: Refuse IPv4
Once you have your rules in place, you can enable/disable your firewall from the IP screen or the configuration screen (shown below).
Configuration example
To make sure that only the standard ports for SSH (22), HTTP (80), HTTPS (443), and UDP (53) are left open, while also authorising ICMP, follow the rules below:
The rules are sorted from 0 (the first rule read) to 19 (the last). The rule chain stops as soon as a rule is applied to the packet.
For example, a packet for TCP port 80 will be intercepted by rule 2 and the rules that follow will not be applied. A packet for TCP port 25 will only be captured by the last rule (19), which will block it because the firewall does not allow communication on port 25 in the previous rules.
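The first-match ordering described above can be checked offline. The following Python model is an added example, not OVHcloud code or a reproduction of the guide's screenshot: it implements the stated semantics (at most 20 rules per IP, priorities 0 to 19 evaluated in ascending order, the chain stopping at the first matching rule) and a rule set constructed here to reproduce the example (TCP 22/80/443, UDP source port 53 and ICMP authorised, everything else refused by a final IPv4 rule). Two points in the model are assumptions: a packet that matches no rule is passed through to the server (inferred from the example's need for the explicit "Refuse IPv4" rule 19), and ports are accepted on UDP rules as well as TCP ones, because the guide's own example uses "UDP source port 53".

```python
"""Model of the Edge Network Firewall rule chain as described in the guide.

Added example, not OVHcloud code. EXAMPLE_RULES is constructed to match the
guide's configuration example; the guide's rule screenshot is not on this page,
so that rule set is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

MAX_RULES = 20  # guide: "You can set up to 20 rules per IP"


@dataclass(frozen=True)
class Rule:
    priority: int                    # 0 is evaluated first, 19 last
    mode: str                        # "Authorise" or "Refuse"
    protocol: str                    # "ipv4" (any protocol), "tcp", "udp" or "icmp"
    source: Optional[str] = None     # optional source IP or CIDR, e.g. "203.0.113.0/24"
    sport: Optional[int] = None      # optional source port (assumption: also for UDP)
    dport: Optional[int] = None      # optional destination port
    tcp_state: Optional[str] = None  # optional TCP state, e.g. "established"


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "tcp", "udp" or "icmp"
    src: str                         # source address of the inbound packet
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_state: Optional[str] = None  # "established" for traffic on an existing connection


def validate(rules: Tuple[Rule, ...]) -> None:
    """Reject rule sets the guide's limits exclude: more than 20 rules,
    priorities outside 0..19, duplicate priorities, or an unknown mode."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules per IP")
    seen = set()
    for r in rules:
        if not 0 <= r.priority <= MAX_RULES - 1:
            raise ValueError(f"priority {r.priority} outside 0..19")
        if r.priority in seen:
            raise ValueError(f"duplicate priority {r.priority}")
        seen.add(r.priority)
        if r.mode not in ("Authorise", "Refuse"):
            raise ValueError(f"unknown mode {r.mode!r}")


def is_valid(rules: Tuple[Rule, ...]) -> bool:
    """Boolean wrapper around validate() for quick checks."""
    try:
        validate(rules)
        return True
    except ValueError:
        return False


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies agrees with the packet;
    fields left at None match anything, and protocol 'ipv4' matches all."""
    if rule.protocol != "ipv4" and rule.protocol != pkt.protocol:
        return False
    if rule.source is not None and ip_address(pkt.src) not in ip_network(rule.source, strict=False):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.tcp_state is not None and rule.tcp_state != pkt.tcp_state:
        return False
    return True


def evaluate(rules: Tuple[Rule, ...], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain from priority 0 upwards and stop at the first match.
    Returns (verdict, priority of the matching rule). A packet matching no
    rule is passed through (assumption inferred from the guide's example,
    which relies on an explicit 'Refuse IPv4' rule 19 to block the rest)."""
    validate(rules)
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.mode, rule.priority
    return "Authorise", None


# Constructed rule set reproducing the guide's example (assumption, see docstring).
EXAMPLE_RULES: Tuple[Rule, ...] = (
    Rule(0, "Authorise", "tcp", tcp_state="established"),  # replies on connections the server opened
    Rule(1, "Authorise", "tcp", dport=22),                  # SSH
    Rule(2, "Authorise", "tcp", dport=80),                  # HTTP
    Rule(3, "Authorise", "tcp", dport=443),                 # HTTPS
    Rule(4, "Authorise", "udp", sport=53),                  # DNS answers from resolvers
    Rule(5, "Authorise", "icmp"),
    Rule(19, "Refuse", "ipv4"),                             # catch-all: drop everything else
)

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "198.51.100.7", sport=51515, dport=80),   # caught by rule 2
        Packet("tcp", "198.51.100.7", sport=51515, dport=25),   # falls through to rule 19
        Packet("udp", "198.51.100.53", sport=53, dport=40000),  # DNS answer, rule 4
        Packet("udp", "198.51.100.53", sport=40000, dport=53),  # inbound DNS query, rule 19
    ):
        print(pkt, "->", evaluate(EXAMPLE_RULES, pkt))
```

Running the block reproduces the two cases in the text (TCP port 80 stops at rule 2, TCP port 25 reaches rule 19) and makes one consequence of the wording visible: "UDP source port 53" admits answers from DNS resolvers, not queries arriving at port 53, so a server that must serve DNS needs a destination-port rule instead. Swapping the catch-all to priority 0 refuses everything, which is the ordering mistake the 0-to-19 evaluation rule guards against.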
Attack mitigation - scrubbing center activity
Our Anti-DDoS infrastructure (VAC) has two modes of operation: automatic and permanent. The mitigation process is done via the automated scrubbing center. This is where our advanced technology takes a deep look at the packets and attempts to remove DDoS traffic while allowing legitimate traffic to pass through.
- Automatic mitigation is the default: all OVHcloud IPs are under automatic mitigation. Usually, this is the best choice for your services. In case any malicious traffic is detected, the scrubbing center activates. This state is indicated by the "Forced" status for a given IP address. At this time the Edge Network Firewall is also active. The situation comes back to normal when the attack is mitigated and no more suspicious activity is observed.
- Permanent mitigation mode can be enabled or disabled via the OVHcloud Control Panel. With permanent mitigation, you permanently apply the first level of filtering so all traffic will always pass through the mitigation system before reaching the server. We do not recommend enabling this for longer periods unless you are experiencing latency jitter due to the scrubbing center redirecting the traffic too frequently.
Please note that compared to automatic mode, there is no increase in the level of protection when this mode is enabled.
To enable it, follow these steps:
- Click on the Bare Metal Cloud menu.
- In the left-hand sidebar, under Network, click IP.
- Next, click the more options ... button to the right of the relevant IPv4 and select Scrubbing Centre: permanent.
To enable this mode, Edge Network Firewall rules must be created but disabled.
Please note that our Anti-DDoS infrastructure cannot be disabled on a service. All OVHcloud products are delivered within the scope of protection and this cannot be changed.
Network Security Dashboard
For a detailed insight into detected attacks and the results of scrubbing center activities, we encourage you to explore our Network Security Dashboard.
Conclusion
After reading this tutorial, you should be able to configure the Edge Network Firewall to improve the security of your OVHcloud services.
Go further
See our Protecting a Game Server with the Application Firewall guide.
For more information and tutorials, please see our other Dedicated Servers support guides or explore the guides for other OVHcloud products and services.