Hetzner Cloud Console Firewall: Complete Setup Guide
What is Hetzner Cloud Console Firewall?
The Hetzner Cloud Console Firewall is a built-in network security feature that allows you to control incoming and outgoing traffic to your cloud servers. It provides a simple yet powerful way to protect your infrastructure without needing additional software or hardware firewalls.
Located directly in the Hetzner Cloud Console, this firewall operates at the server level and filters traffic before it reaches your instance. Best of all, it’s completely free to use with any Hetzner Cloud server.
Why You Need a Firewall for Your Cloud Servers
Every cloud server connected to the internet faces potential security threats. Without a firewall, your server is exposed to:
- Unauthorized access attempts
- Malicious traffic and DDoS attacks
- Port scanning and vulnerability probing
- Data breaches and malware infections
The Hetzner Cloud Firewall acts as your first line of defense, allowing you to define exactly which traffic is permitted and which should be blocked.
Getting Started with Hetzner Cloud Console Firewall
Accessing the Firewall Section
To access the firewall features, log into your Hetzner Cloud Console and navigate to the project where your servers are located. Click on the "Firewalls" option in the left sidebar menu.
Creating Your First Firewall
Follow these steps to create a new firewall:
1. Click the "Create Firewall" button
2. Give your firewall a descriptive name (e.g., "web-server-firewall")
3. Add inbound and outbound rules
4. Assign the firewall to your servers
Understanding Firewall Rules
Hetzner Cloud Firewall supports two types of rules, inbound and outbound, which together give you granular control over your network traffic.
Inbound Rules
Inbound rules control incoming traffic to your server. For a typical web server, you might configure:
- HTTP (Port 80): Allow traffic from anywhere (0.0.0.0/0)
- HTTPS (Port 443): Allow traffic from anywhere (0.0.0.0/0)
- SSH (Port 22): Restrict to your IP address or VPN network
- ICMP: Allow for ping responses
Outbound Rules
Outbound rules manage traffic leaving your server. Common configurations include:
- HTTP/HTTPS: Allow outbound web traffic for updates and API calls
- DNS: Permit UDP port 53 for domain resolution
- All TCP/UDP: Allow all outbound (default for most use cases)
Common Firewall Configurations
Web Server Firewall
If you’re running a website or web application, use this basic configuration:
- Inbound: TCP 80 (HTTP) from 0.0.0.0/0
- Inbound: TCP 443 (HTTPS) from 0.0.0.0/0
- Inbound: TCP 22 (SSH) from your IP only
- Outbound: All allowed
Database Server Firewall
For database servers, restrict access more tightly:
- Inbound: MySQL/PostgreSQL port from your application server’s IP only
- Inbound: TCP 22 (SSH) from your IP only
- Outbound: HTTP/HTTPS for external connections
Development Server Firewall
For development environments, you might need more flexibility:
- Inbound: TCP 22 (SSH) from your IP
- Inbound: TCP 80/443 from your IP
- Inbound: Custom ports for your development tools
Best Practices for Hetzner Cloud Firewall
Follow these security best practices to maximize protection:
1. Use the Principle of Least Privilege
Only open the ports your application absolutely needs. If you’re not using a port, keep it closed.
2. Restrict SSH Access
Never leave SSH (port 22) open to the entire internet. Limit it to your specific IP address or use a VPN.
3. Apply Firewalls During Server Creation
When creating new servers, immediately assign an appropriate firewall rather than adding it later.
4. Use Descriptive Names
Name your firewalls clearly (e.g., "production-web-firewall" or "staging-api-firewall") to avoid confusion.
5. Test Your Rules
After applying firewall rules, verify that your services work as expected and that unwanted traffic is actually blocked.
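Practices 1 and 2 can be checked mechanically before a rule set is applied. The following is an added example, not part of the original guide or Hetzner's own tooling: it audits a rule list for SSH or database ports reachable from anywhere, including through port ranges and the IPv6 wildcard. It assumes rules are expressed with the field names used by Hetzner Cloud API rule objects (direction, protocol, port, source_ips); the function names, the sample rule sets and the 203.0.113.10 admin address are constructed for illustration.

```python
import ipaddress

# Ports the guide says to restrict: SSH plus the default MySQL/PostgreSQL ports.
RESTRICTED_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL"}


def port_range(port_field):
    """Parse a rule's port string ("22" or "8000-8100"); a missing port is treated as all ports."""
    if port_field in (None, ""):
        return range(1, 65536)
    low, _, high = str(port_field).partition("-")
    return range(int(low), int(high or low) + 1)


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. "from anywhere"."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return findings for inbound TCP rules that expose restricted ports to anywhere."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "in" or rule.get("protocol") != "tcp":
            continue
        world = [c for c in rule.get("source_ips", []) if is_world(c)]
        if not world:
            continue
        ports = port_range(rule.get("port"))
        for port, name in RESTRICTED_PORTS.items():
            if port in ports:
                findings.append(f"{name} (tcp/{port}) open to {', '.join(world)}")
    return findings


# Constructed sample: the guide's web-server rule set with a placeholder admin IP.
WEB_SERVER = [
    {"direction": "in", "protocol": "tcp", "port": "80", "source_ips": ["0.0.0.0/0", "::/0"]},
    {"direction": "in", "protocol": "tcp", "port": "443", "source_ips": ["0.0.0.0/0", "::/0"]},
    {"direction": "in", "protocol": "tcp", "port": "22", "source_ips": ["203.0.113.10/32"]},
]
# Constructed counter-example: a port range that silently includes SSH, plus a world-open database.
TOO_OPEN = [
    {"direction": "in", "protocol": "tcp", "port": "20-25", "source_ips": ["0.0.0.0/0"]},
    {"direction": "in", "protocol": "tcp", "port": "5432", "source_ips": ["::/0"]},
]

if __name__ == "__main__":
    for label, rules in (("web-server", WEB_SERVER), ("too-open", TOO_OPEN)):
        print(label, audit(rules) or "ok")
```

An empty result means no restricted port is reachable from a /0 source; it does not replace the live connectivity test described in practice 5.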
Managing Multiple Firewalls
You can create and manage multiple firewalls within your project. This is useful when:
- You have different server types requiring different rules
- You want to test new rules without affecting production
- You manage multiple environments (development, staging, production)
Each server can only be assigned one firewall at a time, so plan your rule sets accordingly.
Troubleshooting Common Issues
Can’t Connect to Your Server?
If you suddenly lose access after applying firewall rules:
- Check that your SSH port is open for your current IP address
- Use the Hetzner Rescue Mode to access your server and modify rules
- Review the firewall rules in the Console for typos or incorrect configurations
Services Not Working?
Ensure you’ve opened the correct ports and protocol (TCP/UDP) for your application. Some applications require multiple ports.
Frequently Asked Questions
Is Hetzner Cloud Firewall free?
Yes, the Hetzner Cloud Console Firewall is completely free to use with any Hetzner Cloud server. There are no additional charges for creating or applying firewall rules.
Can I use multiple firewalls on one server?
No, each server can only be assigned one firewall at a time. If you need different rule sets, you’ll need to create separate servers or modify the existing firewall rules.
Does the firewall affect internal network traffic?
No, traffic between servers within the same Hetzner Cloud private network is not affected by firewall rules. Firewalls only filter traffic from external sources.
What happens if I don’t assign a firewall?
By default, Hetzner Cloud servers have all ports open to the internet. This is convenient for testing but not recommended for production environments.
Can I change firewall rules after assigning them?
Yes, you can modify firewall rules at any time. Changes take effect immediately without needing to restart your server.
Conclusion
The Hetzner Cloud Console Firewall is an essential tool for securing your cloud infrastructure. It provides robust network security without additional costs and integrates seamlessly with the Hetzner Cloud ecosystem.
By following the best practices outlined in this guide, you can significantly reduce your server’s attack surface and protect your applications from unauthorized access.
Start by auditing your current server configurations and applying appropriate firewalls to each one. Your security posture will improve immediately.
Ready to Secure Your Hetzner Cloud Servers?
Head over to your Hetzner Cloud Console today and create your first firewall. If you need help, Hetzner’s documentation and support team are excellent resources.
Have questions about configuring your firewall? Leave a comment below and we’ll help you get set up correctly.