Networking

Firewall / access control

Firewalls and access control policies define which traffic is allowed into or out of servers and services. They are an essential layer of security, reducing the risk of unauthorized access while ensuring that legitimate users and applications can connect.

Where Firewall Rules Are Managed

Firewall rules can be managed at different layers depending on how a service is hosted:

  • Cloud provider firewalls – Most cloud providers offer built-in network security groups or firewall services. These rules are enforced before traffic ever reaches a virtual machine or container.

  • Local VM firewalls – Operating systems such as Linux (iptables, ufw, firewalld) and Windows (Windows Defender Firewall) allow rules to be set at the machine level. These are often used in combination with provider-level firewalls for defense in depth.

Example of using ufw (Uncomplicated Firewall):

# Deny everything by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow HTTPS and SSH
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
# Enable the firewall
sudo ufw enable
# Check status
sudo ufw status verbose

In most cases, cloud firewalls handle the broad access rules, while VM-level firewalls enforce service-specific restrictions.

Standard Rules

Some firewall rules are common across most environments:

  • Allow HTTPS (port 443) for secure web traffic.

  • Allow HTTP (port 80), often just for redirecting to HTTPS.

  • Allow SSH (port 22) or RDP (port 3389) for administrative access, usually restricted to trusted IP addresses or VPNs.

  • Block all other unused ports by default.

This "default deny, allow specific" model ensures only necessary traffic is exposed.
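The ufw commands above allow SSH from anywhere; the standard-rules list says administrative ports should be limited to trusted addresses. The script below is an added example (not part of the original page) that generates the "default deny, allow specific" rule set with SSH restricted to an admin range, and refuses a range that would reopen it to the whole internet. The admin CIDR 203.0.113.0/24 is a constructed TEST-NET-3 value, and the DRY_RUN switch is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): the "default deny, allow
# specific" ufw set from above, with SSH limited to a trusted admin range.
# The admin CIDR 203.0.113.0/24 used in tests is a constructed TEST-NET-3 value.
set -eu
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; 0 = run them via sudo

# Emit the ufw commands for one host. Order matters: policy first,
# then narrow allow rules, then enable (--force skips the y/n prompt).
gen_rules() {
    admin_cidr=$1
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from $admin_cidr to any port 22 proto tcp
ufw --force enable
EOF
}

# Refuse an admin range that would open SSH to the whole internet.
check_cidr() {
    case $1 in
        ''|any|0.0.0.0/0|::/0) return 1 ;;
    esac
    return 0
}

# Validate the admin range, then print or apply the generated rules.
apply_rules() {
    admin_cidr=$1
    if ! check_cidr "$admin_cidr"; then
        echo "refusing: admin range '$admin_cidr' is unrestricted" >&2
        return 1
    fi
    gen_rules "$admin_cidr" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "+ $cmd"
        else
            sudo $cmd   # word-split on purpose: one ufw command per line
        fi
    done
}

# Usage: sh firewall.sh 203.0.113.0/24   (set DRY_RUN=0 to apply)
if [ $# -ge 1 ]; then
    apply_rules "$1"
fi
```

Run it once in dry-run mode and compare the printed commands with `sudo ufw status verbose` before setting DRY_RUN=0 on a real host.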

Access Control Policies

Firewalls are only part of access control. Depending on sensitivity, additional measures may be applied:

  • VPN access – administrators connect through a secure VPN before reaching internal servers.

  • IP whitelisting – only known, trusted IP addresses are allowed to access certain services (e.g. staging environments or admin dashboards).

  • Private endpoints – cloud providers support private networking, ensuring that services like databases or storage can only be reached from within a specific virtual network.

These methods help reduce exposure and limit access to authorized individuals or systems only.