Last Updated: Nov 07, 2025
Introduction
This article explains how to correctly configure firewall rules for Crusoe Cloud managed load balancers. While clients connect to the load balancer’s public VIP, firewall rules must explicitly allow traffic to the private backend VM ports where your services run, not the load balancer VIP itself.
Prerequisites
- Access to the Crusoe Cloud Console or API to manage firewall rules and load balancers.
- Backend VMs or Kubernetes services running within your Crusoe Cloud VPC.
- Understanding of the ports your load balancer listens on (VIP port) and backend service ports.
Step-by-Step Instructions
-
Understanding Firewall Rule Destinations
Crusoe Cloud firewall rules for ingress traffic require the destination to be private IP addresses or subnets within your VPC. Public IP addresses, including load balancer VIPs, are not valid destinations for firewall ingress rules. This design protects your network by explicitly allowing traffic only within private address spaces.
-
Configuring Firewall Rules for Load Balancers
Create firewall ingress rules targeting the backend subnet or specific VM private IPs, not the load balancer VIP.
- The destination ports in firewall rules must match the actual backend service ports (e.g., if backend service listens on port 3282, allow traffic on port 3282).
- The load balancer’s VIP port (e.g., 80 or 443) is the public frontend but is only a routing endpoint, so firewall rules do not apply directly to the VIP.
- Opening only the load balancer's front-end port in the firewall is not sufficient if the backend listens on a different port. The backend port must also be allowed to enable traffic flow.
-
Testing Your Configuration
- Ensure the backend service is running and listening on the correct port inside the VM.
- Confirm the load balancer backend destination port matches this backend service port.
- Verify firewall rules permit ingress traffic for the backend port to the backend subnet or VM IPs.
- Test accessing the service via the load balancer VIP on the public port.
Example
A load balancer listens on public port 80 and forwards traffic to backend VMs on port 3282. Firewall rules must allow ingress traffic on port 3282 to the backend VM subnet. Attempts to open only port 80 or to the VIP as the destination will result in failure.
Example Scenario:
Two backend VMs in a VPC running a web service on port 3282:
-
vm1: Private IP172.27.53.167 -
vm2: Private IP172.27.62.45
Goal: Expose the service via a load balancer on public port 80.
-
crusoe networking load-balancers create \ --name my-web-lb \ --location eu-iceland1-a \ --vpc-network-id <your-vpc-network-id> \ --protocol tcp \ --listener 80,172.27.53.167:3282,172.27.62.45:3282This creates a load balancer with:
VIP port:
80(public-facing)Backend port:
3282(where the service runs) -
Create the Firewall Rule
crusoe networking vpc-firewall-rules create \ --name allow-backend-3282 \ --action allow \ --direction ingress \ --protocols tcp \ --sources 0.0.0.0/0 \ --source-ports 1-65535 \ --destinations 172.27.53.167,172.27.62.45 \ --destination-ports 3282 \ --vpc-network-id <your-vpc-network-id>Key points:
--destinations= backend VM private IPs (not the VIP)--destination-ports= backend service port3282(not VIP port80) -
Verify
curl http://<VIP_ADDRESS>:80Common Mistake
Incorrect Correct --destinations <VIP>--destinations <backend-private-IPs>--destination-ports 80--destination-ports 3282Opening only port
80or targeting the VIP address will result in connection timeout.