---
title: Firewall
url: https://docs.vultr.com/products/compute/kubernetes/features/firewall
description: A security feature that allows you to control network traffic to your Vultr Kubernetes Engine cluster by defining access rules.
publish_date: 2024-09-23T20:20:42.013202Z
last_updated: 2026-05-26T19:00:46.718839Z
---

# How to Enable Firewall for Vultr Kubernetes Engine Cluster

The Vultr Kubernetes Engine (VKE) cluster Firewall is a critical security feature that lets you control and protect network traffic to and from your VKE cluster. With the Firewall enabled, you define rules so that only authorized connections are allowed, which enhances the security of your containerized applications.

Follow this guide to enable Firewall for your Vultr Kubernetes Engine cluster on your Vultr account using the Vultr Console, API, CLI, or Terraform.

=== "Vultr Console"

    1. Navigate to **Products** and click **Kubernetes**.
    1. Click your target VKE cluster to open its management page.
    1. Click **Firewall**.
    1. Click **Enable Firewall** to deploy a Firewall for the target VKE cluster.
    1. Click **firewall group** to manage Firewall rules.
    1. Add Firewall rules according to requirements.

=== "Vultr API"

    1. Send a `GET` request to the [**List Regions** endpoint](https://www.vultr.com/api/#tag/region/operation/list-regions) and note your target Vultr region ID.

        ```console
        $ curl "https://api.vultr.com/v2/regions" \
            -X GET \
            -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

    1. Send a `GET` request to the [**List available plans in region** endpoint](https://www.vultr.com/api/#tag/region/operation/list-available-plans-region) to view all available instance plans in your chosen region and note the target node pool plan.

        ```console
        $ curl "https://api.vultr.com/v2/regions/{region-id}/availability" \
            -X GET \
            -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

    1. Send a `GET` request to the [**Get Kubernetes Versions** endpoint](https://www.vultr.com/api/#tag/kubernetes/operation/get-kubernetes-versions) and note your target Kubernetes version to use.

        ```console
        $ curl "https://api.vultr.com/v2/kubernetes/versions" \
            -X GET \
            -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

    1. Send a `POST` request to the [**Create Kubernetes Cluster** endpoint](https://www.vultr.com/api/#tag/kubernetes/operation/create-kubernetes-cluster) to create a VKE cluster with Firewall enabled. Post-creation, note the cluster's ID.

        ```console
        $ curl "https://api.vultr.com/v2/kubernetes/clusters" \
            -X POST \
            -H "Authorization: Bearer ${VULTR_API_KEY}" \
            -H "Content-Type: application/json" \
            --data '{
                "label": "{cluster-name}",
                "region": "{region-id}",
                "version": "{kubernetes-version}",
                "enable_firewall": true,
                "node_pools": [
                    {
                        "node_quantity": {number-of-nodes},
                        "label": "{node-label}",
                        "plan": "{node-plan}"
                    }
                ]
            }'
        ```

        Upon enabling the Firewall for your target cluster, [create a Firewall group](https://www.vultr.com/api/#tag/firewall/operation/create-firewall-group) and [add Firewall Rules](https://www.vultr.com/api/#tag/firewall/operation/post-firewalls-firewall-group-id-rules) to manage network traffic for your VKE cluster.


    1. Send a `GET` request to the [**Get Kubernetes Cluster** endpoint](https://www.vultr.com/api/#tag/kubernetes/operation/get-kubernetes-clusters) to get the details of the target VKE cluster.

        ```console
        $ curl "https://api.vultr.com/v2/kubernetes/clusters/{cluster-id}" \
            -X GET \
            -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

=== "Vultr CLI"

    1. List all Vultr regions and note your target region ID.
     
        ```console
        $ vultr-cli regions list
        ```

    1. List all available instance plans in your target region and note the target node pool plan.

        ```console
        $ vultr-cli regions availability <region-id>
        ```

    1. List all available Kubernetes versions and note your target version to use.

        ```console
        $ vultr-cli kubernetes versions
        ```

    1. Create a VKE cluster with Firewall enabled and note the target cluster's ID.

        ```console
        $ vultr-cli kubernetes create --label "<cluster-name>" --region "<region-id>" --version "<kubernetes-version>" --enable-firewall true --node-pools "quantity:<number-of-nodes>,plan:<node-plan>,label:<node-label>"
        ```

        Upon enabling the Firewall for your target cluster, create a Firewall group and add Firewall Rules to manage network traffic for your VKE cluster.

    1. Get the details of the target VKE cluster.

        ```console
        $ vultr-cli kubernetes get <cluster-id>
        ```

=== "Terraform"

    1. Open your Terraform configuration for the existing VKE cluster.

    1. Enable the cluster firewall and apply.

        ```terraform
        resource "vultr_kubernetes" "vke" {
            # ...existing fields (label, region, version, node_pools)
            enable_firewall = true
        }
        ```

        Optional: Manage firewall rules with `vultr_firewall_group` and `vultr_firewall_rule` resources if you need custom ingress/egress policies.

    1. Apply the configuration and observe the following output:

        ```
        Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
        ```
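
To check the result of the steps above, the following added example (not part of Vultr's documentation or tooling) confirms that a cluster has a firewall group attached and flags rules that accept any source address on ports outside a small public allowlist. The sample JSON is constructed, the field names (`firewall_group_id`, `firewall_rules`, `subnet`, `subnet_size`, `port`) and the colon port-range syntax are assumptions about the Vultr API v2 response bodies, and `PUBLIC_PORTS` is a hypothetical policy.

```python
import ipaddress
import json

# Constructed sample responses (not real output). Field names are assumed to
# match the "Get Kubernetes Cluster" and "List Firewall Rules" response bodies.
CLUSTER_JSON = '{"vke_cluster": {"id": "example-cluster-id", "firewall_group_id": "example-fw-group-id"}}'
RULES_JSON = json.dumps({"firewall_rules": [
    {"id": 1, "ip_type": "v4", "protocol": "tcp", "port": "443",
     "subnet": "0.0.0.0", "subnet_size": 0, "notes": "public ingress"},
    {"id": 2, "ip_type": "v4", "protocol": "tcp", "port": "30000:32767",
     "subnet": "0.0.0.0", "subnet_size": 0, "notes": "nodeports"},
    {"id": 3, "ip_type": "v4", "protocol": "tcp", "port": "22",
     "subnet": "203.0.113.0", "subnet_size": 24, "notes": "admin range"},
    {"id": 4, "ip_type": "v6", "protocol": "udp", "port": "53",
     "subnet": "::", "subnet_size": 0, "notes": "dns"},
]})

PUBLIC_PORTS = {80, 443}  # hypothetical policy: ports accepted from any source


def firewall_group_id(cluster_json):
    """Return the attached firewall group ID, or None if none is attached."""
    cluster = json.loads(cluster_json).get("vke_cluster", {})
    return cluster.get("firewall_group_id") or None


def port_span(port):
    """Parse "443" or "30000:32767" into an inclusive (low, high) tuple."""
    if not port:  # a rule without a port (e.g. ICMP) is treated as all ports
        return (0, 65535)
    low, _, high = str(port).partition(":")
    return (int(low), int(high or low))


def world_open_rules(rules_json, public_ports=PUBLIC_PORTS):
    """Return IDs of rules that accept any source on a non-public port."""
    flagged = []
    for rule in json.loads(rules_json).get("firewall_rules", []):
        net = ipaddress.ip_network(f"{rule['subnet']}/{rule['subnet_size']}", strict=False)
        if net.prefixlen != 0:  # source is restricted to a subnet
            continue
        low, high = port_span(rule.get("port"))
        if any(p not in public_ports for p in range(low, high + 1)):
            flagged.append(rule["id"])
    return flagged


if __name__ == "__main__":
    print(firewall_group_id(CLUSTER_JSON), world_open_rules(RULES_JSON))
```

To run it against a real cluster, replace the two constructed strings with the saved output of the cluster and firewall rule requests.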
