Unit 2.6: Security Services
Introduction
Imagine building a modern city. You need security systems - traffic lights, surveillance cameras, access gates - to keep everything running safely. Your cloud environment requires similar layers of protection beyond basic compute and storage. You need firewalls to control who can reach your resources, shields against large-scale attacks, and tools to manage the credentials and certificates that prove identity across your infrastructure.
In this unit, you will explore IONOS Cloud's security services that protect your network and manage credentials. We will cover firewall management with Network Security Groups, defense against DDoS attacks, and centralized handling of SSL/TLS certificates and SSH keys.
1. Network Security Services
IONOS Cloud provides security tools that help you control network access and protect against threats. Think of these as the security gates and guard systems for your digital infrastructure.
1.1 Network Security Groups (NSGs)
Network Security Groups are IONOS Cloud's virtual firewall building blocks for a Virtual Data Center (VDC). They act as centralized firewall policy managers that filter and control inbound (ingress) and outbound (egress) traffic for the resources they protect. Instead of managing individual firewall rules for each virtual machine individually, NSG can be used to apply rules to a group of VMs, thus enhancing efficiency when deploying many virtual machines that would have a similar set of firewalling rule requirements.
How NSGs work:
- NSGs can be attached to Network Interface Cards (NICs) or entire Virtual Machines (VMs)
- When a VM is a member of an NSG, all of its NICs automatically inherit the group's rules
- They contain a set of security rules based on source/destination IPs, ports, and protocols
- Any traffic not explicitly allowed by a rule is automatically denied (default-deny approach)
NSG types:
| Type | Purpose | Application |
|---|---|---|
| Default NSG | Created only if you select the option when creating the VDC (DCD checkbox or API flag), not automatic for every VDC | Once created, it applies to all new VMs in that VDC unless you specify otherwise, providing baseline protection |
| Custom NSG | Created for specific security requirements | Attached to individual VMs or NICs for fine-grained control |
When to use Network Security Groups:
You should use NSGs whenever you need centralized firewall management across your VDC. They are particularly valuable when you want to control both inbound and outbound traffic at the VM or NIC level, require fine-grained access control for specific workloads, or need to quickly adapt security as your business or threat landscape changes. NSGs help you avoid duplicated firewall configurations by letting you attach the same security policy to multiple resources.
Key security benefits:
- Stateful virtual firewall that tracks connections and automatically allows return traffic
- Centralized policy management in one place for an entire VDC
- Fine-grained, per-resource control for precise rule application
- Default protection with minimal effort for all new VMs
- Streamlined management and compliance with easier auditing
1.2 DDoS Protect
DDoS protection in IONOS Cloud is a managed defense service that safeguards your resources against Distributed Denial-of-Service attacks. When an attack is detected, traffic is redirected to IONOS's filtering and scrubbing platform. Malicious packets are removed and only genuine traffic is forwarded to the original destination, keeping your applications available even under heavy attack.
Protection scope:
DDoS Protect defends against Layer 3 and Layer 4 attacks (such as UDP floods, SYN floods, and other volumetric and protocol-based attacks) for every resource in all IONOS data centers. This network-level protection ensures that your infrastructure remains accessible during attacks.
Available packages:
| Package | Protection Level | Features |
|---|---|---|
| DDoS Protect Basic | Automatic, always-on | Enabled for all users, no configuration required. Provides detection, automatic containment, and traffic filtering for common volumetric and protocol attacks |
| DDoS Protect Advanced | Enhanced, proactive | Includes everything in Basic plus 24/7 expert support, proactive monitoring, and on-demand IP-specific filtering or attack diagnostics |
The service is cloud-native and always-on, filtering out malicious traffic at the network level without requiring manual intervention. This ensures continuous availability of your workloads during DDoS attacks.
2. Credential and Certificate Management
Managing access credentials and security certificates across cloud resources can become complex as your infrastructure grows. IONOS Cloud provides dedicated services to simplify these critical security tasks.
2.1 Certificate Manager
Certificate Manager is IONOS's dedicated service for handling SSL/TLS certificates across your cloud resources. It simplifies the entire lifecycle of certificates (obtaining, installing, renewing, and revoking) so that web traffic and data exchanged between users and your servers stay encrypted and trusted.
What Certificate Manager does:
- Imports and manages self-managed certificates (including the certificate chain and private key) for use with Application Load Balancers (ALBs) when terminating HTTPS traffic.
- Provides auto-renewable certificates via ACME providers such as Let's Encrypt, DigiCert, Sectigo, GlobalSign, and ZeroSSL
- Auto-renewed certificates can be used with the CDN; the Application Load Balancer requires an imported certificate instead of an auto-renewed one.
- Serves as the central hub for securely provisioning and maintaining TLS certificates
Why use Certificate Manager:
Instead of manually generating, tracking, and renewing certificates across multiple servers, Certificate Manager centralizes this process. You avoid expired certificates that break HTTPS connections, reduce manual effort in certificate renewal, and ensure consistent security across all your web-facing services. The service is generally available, independent of data center location, and works with IONOS Public Cloud resources.
2.2 SSH Key Manager
SSH key management in IONOS Cloud is the centralized handling of public SSH keys used to grant secure, password-less access to Linux-based virtual machines and other compute resources.
How SSH Key Manager works:
The Data Center Designer provides an SSH Keys view where you can store up to 100 public SSH keys. This eliminates the need to copy and paste a key each time you configure access to a new VM. The service supports both saved keys and ad-hoc SSH keys for Dedicated Core servers, vCPU servers, and Cubes.
Key lifecycle actions:
- Add keys by pasting text or uploading a key file
- Edit existing keys to update descriptions
- Set a default key that is pre-selected when configuring SSH access
- Delete keys when they are no longer needed
Why SSH key management matters:
SSH keys replace passwords with stronger, cryptographic authentication for remote logins. Storing keys centrally simplifies VM provisioning. When you create a Linux VM, you can select any stored key from the SSH Keys setting and the key is automatically injected into the VM's image, enabling immediate SSH access without manual key distribution.
Typical workflow:
- Generate a key pair locally using tools like ssh-keygen
- Add the public key to the DCD by pasting or uploading it
- Optionally set it as default for easier selection
- Associate the key with a VM during creation
- Connect to the VM using the corresponding private key
Common Use Cases
Real-world scenarios where these security services are used:
- Multi-Tier Application with Network Security Groups: A software company runs a three-tier application (web, application, and database layers) in IONOS Cloud. They create custom NSGs for each tier as discussed in Section 1.1. The web tier NSG allows inbound HTTPS (port 443) from anywhere but only allows outbound connections to the application tier. The application tier NSG accepts traffic only from the web tier and can connect only to the database tier. The database tier NSG accepts connections only from the application tier. This layered security approach, using the centralized firewall management described in Section 1.1, ensures each tier is isolated and protected according to the principle of least privilege.
- Public-Facing Web Application with DDoS Protection and TLS: An online retailer runs a customer-facing storefront on IONOS Cloud. DDoS Protect Basic (Section 1.2) automatically shields the application from volumetric attacks without any configuration. The team uses Certificate Manager (Section 2.1) to import a TLS certificate for their Application Load Balancer, since the ALB requires an imported certificate rather than an auto-renewed one, ensuring HTTPS is always active.
- Team VM Provisioning with Centralized SSH Keys: A development team of fifteen engineers frequently provisions and decommissions Linux VMs for testing. Instead of distributing SSH keys manually, the team lead uploads each engineer's public key to the SSH Key Manager (Section 2.2) and sets a default key for shared environments. When any team member creates a new VM, they simply select the appropriate key from the stored list, and SSH access is ready immediately after provisioning.
Summary
This unit explored IONOS Cloud's security services that protect your network, defend against attacks, and simplify credential management. Network Security Groups provide centralized, stateful firewall management across your Virtual Data Centers, with both default protection for all VMs and custom policies for specific workloads. DDoS Protect safeguards against network attacks with automatic traffic filtering and optional advanced support.
Certificate Manager simplifies SSL/TLS certificate lifecycle management, while SSH Key Manager centralizes secure access to Linux VMs. Together, these services form the security foundation that protects the compute, storage, and networking resources you explored in earlier units.
Key Points:
- Network Security Groups act as centralized firewall policy managers that filter traffic at the VM and NIC level with default-deny security
- DDoS Protect provides always-on defense against Layer 3 and Layer 4 attacks with automatic traffic filtering
- Certificate Manager and SSH Key Manager centralize security credential management across your cloud resources
Important Terminology:
- Network Security Group (NSG): Virtual firewall that filters inbound and outbound traffic for VMs and NICs based on centrally managed security rules
- DDoS Protect: Managed defense service that redirects attack traffic to filtering platforms while allowing legitimate traffic to reach resources
- Certificate Manager: Service that handles SSL/TLS certificate lifecycle (obtaining, installing, renewing, revoking) for web applications
Next Steps
Continue Learning: Unit 2.7: AI and Container Services
Related Topics:
- Unit 2.1: Core Architectural Components - Understanding VDCs and networking fundamentals
- Unit 3.2: Identity and Access Management - Managing user access and permissions
- Unit 3.5: Security and Compliance - Shared responsibility and security best practices