Product reference pages are available in English only.
Security

Network Security Groups

What Is It?

Network Security Groups (NSG) provide firewall rules for VMs and network interfaces. Define inbound and outbound rules to control traffic flow based on ports, protocols, IP addresses, and source MAC addresses. Stateful virtual firewall with deny-by-default posture. Each VDC has a default NSG automatically attached to new VMs, with up to 200 NSGs per VDC (including one default and up to 199 custom) for fine-grained control.

Quick Facts

Aspect Details
Type Stateful virtual firewall
Scope VDC-level (one default per VDC, up to 199 custom NSGs within 200 total quota)
Default NSG Automatically attached to every new VM, pre-configured allow-all-egress and limited ingress
Rule Types INGRESS (inbound), EGRESS (outbound)
Filtering Source/destination IP (IPv4/IPv6), MAC address, protocol, port ranges
Supported Protocols TCP, UDP, ICMP, and others
Default Policy Deny-by-default (only explicitly allowed traffic passes)
Limits 200 NSGs per VDC, 100 rules per NSG, 10 NSGs per VM/NIC

Rule Capabilities

Feature Description
Bidirectional Controls both inbound and outbound traffic
Stateful Automatically allows return traffic for permitted connections
Fine-grained Filter on IP, MAC, protocol, port ranges with wildcard support
Templates Pre-defined rule sets (Remote Access Linux, Generic Webserver, etc.)
Cloning Copy existing rule sets across data centers or NSGs

What You Can Do

Create Custom NSGs

Build custom NSGs with specific rule sets for different security requirements. Up to 200 NSGs per VDC (including one default and custom NSGs). Define precise firewall policies per workload type or security zone.

Define Firewall Rules

Create ingress and egress rules filtering on source/destination IP (IPv4/IPv6), MAC address, protocol (TCP, UDP, ICMP, GRE), and port ranges. Wildcards supported for MAC addresses (IP addresses use standard notation or CIDR blocks).

Note: Rules are deny-by-default; only traffic explicitly permitted passes through.

Use Rule Templates

Apply pre-defined templates for common configurations including Remote Access Linux, Generic Webserver, and other standard patterns. Accelerate secure deployments with consistent rule sets.

Attach NSGs to Resources

Attach NSGs to individual VMs or NICs for layered security. Default NSG automatically attached to new VMs. Add custom NSGs for additional control. VM or NIC can belong to up to 10 NSGs.

Note: Running NSGs in parallel with NIC-level firewall rules is discouraged due to potential conflicts. NSGs act as bidirectional firewalls that may override NIC rules.

Clone Rule Sets

Copy existing rule sets across data centers or NSGs. Ensures consistency across environments. Simplifies multi-region or multi-VDC deployments.

Manage Default NSG

Every VDC has one default NSG with four pre-configured rules (allow-all-egress and limited ingress). Provides ready-to-go baseline security. Can be modified to adjust default behavior for all new VMs.

Best For

Scenario Why It Fits
Multi-tier applications Separate NSGs for web, app, and database tiers with specific ingress/egress rules
Compliance requirements Deny-by-default posture, fine-grained access control, centralized policy management
Development/production separation Different NSGs per environment, clone rule sets for consistency
Public-facing services Precise port and protocol filtering, protect backend resources from unauthorized access
Micro-segmentation Attach multiple NSGs (up to 10) per VM/NIC for layered security policies

Key Considerations

Billing & Costs

  • No separate NSG pricing is published: NSGs and firewall rules do not appear as a line item in the IONOS Cloud price list, and the documentation does not state they are free or included, though no per-rule or per-NSG fee has been found in any surveyed source.

Limitations

  • Maximum 200 NSGs per VDC
  • Maximum 100 rules per NSG
  • Maximum 10 NSGs per VM or NIC
  • Default NSG cannot be deleted (one per VDC)
  • Running NSGs in parallel with NIC-level firewall rules may cause conflicts
  • Rules are deny-by-default (explicit allow required for all traffic)
  • Stateful inspection means return traffic automatically allowed (cannot configure asymmetric rules)

Management Options

  • Data Center Designer (DCD)
  • NSG Manager (create, view, delete NSGs)
  • Rule Manager (create, view, edit, delete rules)
  • Template library for common configurations
  • Cloud API and SDKs
  • Terraform provider