Activate and configure a Firewall for each Network Interface Card (NIC) to better protect your servers from attacks. IONOS Cloud Firewalls can filter incoming (ingress), outgoing (egress), or bidirectional traffic. When configuring firewalls, define appropriate rules to filter traffic accordingly.
To activate a Firewall, follow these steps:
1. In the Workspace, select a Virtual Machine with a NIC.
2. From the Inspector pane, open the Network tab.
3. Open the properties of the NIC for which you want to set up a Firewall.
4. Choose either Ingress, Egress, or Bidirectional traffic flow type for which the Firewall needs to be activated.
Warning: Activating the Firewall without additional rules will block all incoming traffic. Make sure you set the Firewall rules by using Manage Rules.
Result: The Firewall is activated for the selected NIC.
To create a Firewall rule, follow these steps:
1. In the Workspace, select a VM with a NIC.
2. From the Inspector pane, open the Network tab.
3. Open the properties of the NIC for which you wish to manage Firewall Rules.
4. Click Manage Rules.
5. Click Create Firewall Rule and choose one of the following types of Firewall rules from the drop-down list:
TCP Rule
UDP Rule
ICMP Rule
ICMPv6 Rule
VRRP Rule
GRE Rule
AH Rule
ESP Rule
Any Protocol
6. Enter values for the following in a Firewall rule:
Name: Enter a name for the rule.
Direction: Choose the traffic direction between Ingress and Egress.
Source MAC: Enter the Media Access Control (MAC) address to be passed through by the firewall.
Source IP/CIDR: Enter the IP address to be passed through by the Firewall.
Destination IP/CIDR: If you use virtual IP addresses on the same network interface, you can enter them here to allow access.
Port Range Start: Set the first port of an entire port range.
Port Range End: Set the last port of a port range or enter the port from Port Range Start if you only want this port to be allowed.
ICMP Type: Enter the ICMP Type to be allowed. Example: 0 or 8 for echo requests (ping) or 30 for traceroutes.
ICMP Code: Enter the ICMP Code to be allowed. Example: 0 for echo requests.
IP Version: Select a version from the drop-down list. By default, it is Auto.
7. (Optional) You can add Firewall rules from an existing template by using Rules from Template. The Generic Webserver, Mailserver, Remote Access Linux, and Remote Access Windows are the types of Firewall rules you can add from the existing rules template.
8. Alternatively, you may import an existing rule set by using Clone Rules from other NIC.
9. Click Save to confirm creating a Firewall rule.
Result: A Firewall Rule is created with the configured values.
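A pre-flight check for the rule fields listed in step 6, as an added example that is not IONOS code. It assumes rules are kept as Python dicts whose keys (`protocol`, `direction`, `source_ip`, `port_start`, `port_end`, `icmp_type`, `icmp_code`) are hypothetical names for the DCD fields, and that ports run from 1 to 65535; it flags malformed values and Ingress rules that open remote-administration ports without a Source IP/CIDR restriction.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP: a constructed watch list

def lint_rule(rule):
    """Return findings for one rule dict; the keys are hypothetical names for the DCD fields."""
    out = []
    proto, direction = rule.get("protocol"), rule.get("direction")
    if direction not in ("Ingress", "Egress"):
        out.append("direction must be Ingress or Egress")
    src = rule.get("source_ip")
    unrestricted = src is None
    if src is not None:
        try:
            unrestricted = ipaddress.ip_network(src, strict=False).prefixlen == 0  # /0 matches every address
        except ValueError:
            out.append(f"source_ip {src!r} is not a valid IP address or CIDR")
    start, end = rule.get("port_start"), rule.get("port_end")
    if proto in ("TCP", "UDP"):
        if start is None or end is None:
            out.append("set both Port Range Start and Port Range End")
        elif not 1 <= start <= end <= 65535:
            out.append(f"port range {start}-{end} must be ascending and within 1-65535")
        elif direction == "Ingress" and unrestricted:
            exposed = sorted(p for p in ADMIN_PORTS if start <= p <= end)
            if exposed:
                out.append(f"admin ports {exposed} are open to any source")
    elif start is not None or end is not None:
        out.append(f"port range does not apply to protocol {proto}")
    for key in ("icmp_type", "icmp_code"):
        val = rule.get(key)
        if val is not None and proto not in ("ICMP", "ICMPv6"):
            out.append(f"{key} does not apply to protocol {proto}")
        elif val is not None and not 0 <= val <= 255:
            out.append(f"{key} {val} is outside 0-255")
    return out

def lint_ruleset(rules):
    """Map rule name -> findings, listing only the rules that have findings."""
    return {r["name"]: f for r in rules if (f := lint_rule(r))}

# Constructed sample rules (not taken from any real data center)
RULES = [
    {"name": "ssh-any", "protocol": "TCP", "direction": "Ingress", "source_ip": "0.0.0.0/0", "port_start": 22, "port_end": 22},
    {"name": "ssh-office", "protocol": "TCP", "direction": "Ingress", "source_ip": "203.0.113.0/24", "port_start": 22, "port_end": 22},
    {"name": "all-tcp", "protocol": "TCP", "direction": "Ingress", "port_start": 1, "port_end": 65535},
    {"name": "ping", "protocol": "ICMP", "direction": "Ingress", "icmp_type": 8, "icmp_code": 0, "port_start": 80, "port_end": 80},
    {"name": "dns-out", "protocol": "UDP", "direction": "Egress", "port_start": 5353, "port_end": 53},
]
print(lint_ruleset(RULES))
```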
To make sure that high-availability (HA) or failover setups on your Virtual Machines are effective in case of events such as a physical server failure, you should set up "IP failover groups".
They are essential to all HA or fail-over setups irrespective of the mechanism or protocol used.
Please ensure that the high-availability setup is fully installed on your VMs. Creating an IP failover group in the DCD alone is not enough to set up a failover scenario.
A failover group is characterized by the following components:
Members: The same (reserved, public) IP address is assigned to all members of an IP failover group so that communication within this group can continue in the event of a failure. You can set up multiple IP failover groups. A Dedicated Core Server can be a member of multiple IP failover groups. Dedicated Core Servers should be spread over different Availability Zones. The rules for managing the traffic between your VMs in the event of a failure are specified at the operating system level using the options and features for setting up high-availability or fail-over configurations. Users must have access rights for the IPs they wish to use.
Master: During the initial provisioning, the master of an IP failover group in the DCD represents the master of the HA setup on your virtual machines. If you change the master later, you won't have to change the master of the IP failover group in the DCD.
Primary IP address: The IP address of the IP failover group can be provisioned as the primary or additional IP address. We recommend that you provide the IP address used for the IP failover group as the primary IP address, as it is used to calculate the gateway IP, which is advantageous for some backup solutions. Please note that this will replace the previously provisioned primary IP address. When there are multiple IP failover groups in a LAN, a NIC involved in multiple of these groups can only be used once for the primary IP address. The DCD will alert you accordingly.
For technical reasons this feature can only be used subject to the following limitations:
In public LANs that do not contain load balancers.
With reserved public IP addresses only - DHCP-generated IP addresses cannot be used.
Virtual MAC addresses are not supported.
IP failover must be configured for all HA setups.
Prerequisites: Please make sure that you have the privileges to Reserve IPs. You should have access to the required IP address. The LAN for which you wish to create an IP failover group should be public (connected to the Internet), and should not contain a load balancer.
To create an IP failover group, follow these steps:
1. In the Workspace, select the required LAN.
2. In the Inspector, open the IP Failover tab.
3. Click Create Group. In the dialog box that appears, select the IP address from the IP drop-down menu.
Select the NICs that you wish to include in the IP failover group by selecting their respective checkboxes.
Select the Primary IP checkboxes for all NICs for which the selected address is to be the primary IP address.
The primary IP address previously assigned to a NIC in another IP failover group is replaced.
Select the master of the group by clicking the respective radio button.
4. Click Create.
5. Provision your changes.
The IP failover group is now available.
To edit an IP failover group, follow these steps:
1. Click the IP address of the required IP failover group.
2. The properties of the selected group are displayed.
3. To change the IP address, click Change.
4. In the dialog box that appears, select a new IP address.
(Optional) If no IP address is available, reserve a new one by clicking +.
5. Specify the primary IP address by selecting the respective check box.
6. Confirm your changes by clicking Change IP.
7. To Change Master, select the new Master by clicking the respective radio button.
8. To add or remove members, click Manage.
9. Select or clear the checkboxes of the required NICs.
10. Confirm your changes by clicking Update Group.
To remove an IP failover group, follow these steps:
1. Click the IP address of the required failover group.
2. The properties of the selected IP failover group are displayed.
3. Click Remove. Confirm your action by clicking OK.
4. Provision your changes.
The IP failover group is no longer available. The DCD no longer maps your HA setup.
DCD helps you connect the elements of your infrastructure and build a network to set up a functional virtual data center. Without a connected internet access element, your network is private.
The quickest way to connect elements is to drag them from the Palette directly onto elements that are already in the Workspace. The DCD will then show you whether and how the elements can be connected automatically.
1. Drag the elements from the Palette into the Workspace and connect them through their NICs.
2. In the Workspace, select the required VM; the Inspector will show its properties on the right.
3. From the Inspector pane, open the Network tab. Now you can access NIC properties.
4. Set NIC properties according to the following rules:
MAC: During provisioning, you can specify a custom MAC address. If you do not provide one, a custom address will be automatically assigned. Ensure that any custom MAC address is unicast, adhering to the format xy:xx:xx:xx:xx:xx. Here, x represents any hexadecimal digit (0-9, a-f, A-F), and y must be precisely one of 0, 2, 4, 6, 8, A, C, E (or equivalently a, c, e) to conform with unicast addressing requirements.
Primary IP: The primary IP address is automatically assigned by the IONOS DHCP server. You can, however, enter an IP address for manual assignment by selecting one of the reserved IPs from the drop-down menu. Private IP addresses (according to RFC 1918) must be entered manually. The NIC has to be connected to the Internet.
Failover: If you have an HA setup including a failover configuration on your VMs, you can create and manage IP failover groups that support your HA setup.
Firewall: Configure a firewall.
DHCP: It is often necessary to run a DHCP server in your virtual data center (e.g. PXE boot for fast rollout of VMs). If you use your own DHCP server, clear this check box so that your IPs are not reassigned by the IONOS DHCP server.
Add IP: In order to use "floating" or virtual IPs, you can assign additional IPs to a NIC by selecting them from the drop-down list.
When ready, provision your changes. The VDC will create a private network according to the set properties.
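The unicast rule for custom MAC addresses, as an added example that is not IONOS code: the allowed values for `y` are exactly the hex digits whose lowest bit is 0, because that bit of the first octet is the individual/group (I/G) bit. The function name `check_custom_mac` and the sample addresses are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}")

# The page's list of allowed second digits, derived from the bit rule
ALLOWED_Y = sorted(f"{n:X}" for n in range(16) if not n & 1)

def check_custom_mac(mac):
    """Return (accepted, reason) for a custom NIC MAC address."""
    if not MAC_RE.fullmatch(mac):
        return False, "not in xx:xx:xx:xx:xx:xx form"
    first_octet = int(mac[:2], 16)
    # Bit 0 of the first octet is the I/G bit: 1 marks a group
    # (multicast or broadcast) address, which a NIC must not carry.
    if first_octet & 0x01:
        return False, "multicast/broadcast (I/G bit set)"
    # Bit 1 is the U/L bit: 1 marks a locally administered address.
    scope = "locally" if first_octet & 0x02 else "universally"
    return True, f"unicast, {scope} administered"

# Constructed sample addresses
for sample in ("02:01:aa:bb:cc:dd", "01:00:5e:00:00:fb", "02-01-aa-bb-cc-dd"):
    print(sample, check_custom_mac(sample))
```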
1. To split a LAN, select the required LAN in the Workspace.
2. In the Inspector, open the Actions menu and select Split LAN.
3. Confirm by clicking Split LAN.
4. Make further changes to your data center and provision your changes when ready.
The selected LAN is split and new IPs are assigned to the NICs in the new LAN.
1. To merge a LAN, select the required LAN in the Workspace.
2. To integrate this LAN into another LAN.
3. In the Inspector, open the Actions menu and select Merge LAN with another LAN.
4. In the dialog that appears, select the LANs to be merged with the selected LAN.
5. Select the checkboxes of the LANs you wish to keep separate.
6. Confirm by clicking Merge LANs.
(Optional) Make further changes to your data center.
7. Provision your changes.
The selected LANs are merged and new IPs are assigned to the NICs in the newly integrated LAN.
A private LAN that is integrated into a public LAN also becomes a public LAN.
Servers with internet access are assigned an IP automatically by the IONOS DHCP server. Please note that multiple servers sharing the same internet interface also share the same subnet. With required permissions, you can add as many internet access elements as you wish.
Users who do not have the permissions to add a new internet access element can connect to an existing element in their VDC, provided they have the permissions to edit it.
1. To add internet access, drag the Internet element from the Palette onto the Workspace.
2. Connect this element with Servers.
3. Set further properties of the connection at the respective NIC.
If you want to build a network using static IP addresses, IONOS Cloud offers you the option to reserve IPv4 addresses for a fee. You can reserve one or more addresses in an IP block using the DCD's IP Manager.
Note: It is not possible to reserve a specific IPv4 address; you are assigned a random address by IONOS Cloud.
An IP address can only be used in the data center from the region where it was reserved. Therefore, if you need an IP address for your virtual data center in Karlsruhe, you should reserve the IP address there. Each IP address can only be used once, but different IP addresses from a block can be used in different networks, provided these networks are provisioned in the same region where the IP block is located.
Reserving and using IPv4 addresses is restricted to authorized users only. Contract owners and administrators may grant privileges to reserve IP addresses.
Prerequisites: Make sure you have the appropriate permissions. Only contract owners, administrators, or users with the Reserve IP privilege can reserve IP addresses. Other user types have read-only access and can't provision changes.
In the DCD, go to the Menu > Network > IP Management.
In the IP Manager, select + Reserve IPs.
Enter the following IP block information:
Name: Enter a name for the IP block.
Number of IPs: Enter the number of IPv4 addresses you want to reserve.
Region: Enter the location of the IONOS data center where you want your IPs to be available.
Confirm your entries by selecting Reserve IPs.
The IPs you have reserved are available as an IP block. The IP block details should now be visible on the right.
IP addresses cannot be returned individually, but only as a block and only when they are not in use.
Note: If you return a static IP address, you cannot reserve it again afterwards.
In the DCD, go to Menu > Management > IP Management.
Ensure the IPs you want to release are not in use.
Select the required IP block.
Select Delete to return the IP block to the pool.
Confirm your action by selecting OK.
The IP block and all IP addresses contained are released and removed from your IONOS Cloud account.