How to Use the Vultr Firewall with a Vultr Load Balancer

Introduction

The Vultr Firewall is a web-based firewall to protect your cloud servers. The Vultr Load Balancer is a fully-managed solution to distribute traffic across multiple back-end servers. In this guide, you'll learn how to use them together. You'll distribute web traffic with a Load Balancer while protecting the web servers with the Vultr Firewall. If you are new to Vultr Load Balancers, we recommend reading the Load Balancer Quickstart Guide first. You can also learn more in our Vultr Firewall Quickstart Guide.

In this guide, you'll configure the Vultr Firewall to accept traffic from a Vultr Load Balancer, as shown below.

When configured this way, the Vultr Firewall only accepts traffic from the Load Balancer, preventing direct connections to the web servers if users try to bypass the load balancer. Here's a step-by-step guide to creating a secure, load-balanced web cluster behind the Vultr Firewall.

1. Deploy Web Servers and Load Balancer

1. Deploy three web servers in a single location.

2. Navigate to the Load Balancers section of the Vultr Customer Portal.

3. Click the blue plus icon to deploy a load balancer.

4. Choose the same location as your web servers.

5. In Load Balancer Configuration, enter a label and leave the other options at default.

   

6. Leave the default Forwarding Rule for HTTP at port 80.

7. Choose Public in the Private Network section.

8. Do not add any Firewall Rules. The firewall rules in this section are for the Load Balancer Firewall, which is different than the Vultr Firewall. See our article How to Use the Vultr Load Balancer Firewall to learn more.

9. Choose HTTP and Port 80 for Health Checks.

   

10. Click Add Load Balancer.

Wait for the Load Balancer to deploy.

2. Link the Load Balancer to the Web Servers

1. Click your Load Balancer to edit its configuration.

2. Note the URL of this page. The Load Balancer ID is at the end of the query string.

   For example, if your URL is:

    https://my.vultr.com/loadbalancers/manage/?id=11111111-0000-ffff-2222-333444555666

   Then, your Load Balancer ID is 11111111-0000-ffff-2222-333444555666. Note this value. You'll need it when configuring the Vutr Firewall.

3. Add your instances: Click Add Instance.

4. Choose an instance from the drop-down.

5. Click Attach Instance.

6. Repeat steps 3 – 5 for each web server instance.

3. Deploy a Vultr Firewall

1. Navigate to the Add Firewall Group page.

2. Give the firewall group a descriptive name and click Add Firewall Group.

3. Add an inbound IPv4 Rule that accepts HTTP from the Load Balancer source, indicated by 1 in the screenshot below. Enter the Load Balancer ID you noted earlier, indicated by 2.

   

4. Click Linked Instances on the left menu.

5. Link each of the three instances to the firewall group.

   

Conclusion

By linking the Firewall HTTP rule to the Load Balancer source, you've prevented direct access to the web servers. All HTTP traffic to the web servers must travel through the Load Balancer.

You may want to add more rules to the Vultr Firewall to allow HTTPS for a production environment. You may also want to allow SSH with your IP address as the source.

Advanced Configuration

In this article, you've explored the Vultr Firewall. Load Balancers also have their own internal firewall rules, and you can combine these for an advanced configuration as shown below.

In this example, the Load Balancer Firewall accepts traffic from Cloudflare IPs, while the Vultr Firewall accepts traffic from the Load Balancer. All other traffic to the web servers is denied.

You can learn more about the Load Balancer Firewall in our article, How to Use the Vultr Load Balancer Firewall.

More Information

• If you are new to load-balancing network concepts, see the Vultr Load Balancer Quickstart Guide.
• For comprehensive documentation about the Load Balancer features, see the Load Balancer Feature Reference.
• The Vultr Load Balancer has an integrated firewall; learn more in our article How to Use the Vultr Load Balancer Firewall.
• Explore an advanced scenario with private networking and both types of firewalls in How to Configure a Vultr Load Balancer with Private Networking.
• Learn how to configure wildcard SSL on your load balancer in our guide Use a Wildcard Let's Encrypt Certificate with Vultr Load Balancer.