What Is It?
Network Security Groups (NSG) provide firewall rules for VMs and network interfaces. Define inbound and outbound rules to control traffic flow based on ports, protocols, IP addresses, and source MAC addresses. Stateful virtual firewall with deny-by-default posture. Each VDC has a default NSG automatically attached to new VMs, with up to 200 NSGs per VDC (including one default and up to 199 custom) for fine-grained control.
Quick Facts
| Aspect | Details |
|---|---|
| Type | Stateful virtual firewall |
| Scope | VDC-level (one default per VDC, up to 199 custom NSGs within 200 total quota) |
| Default NSG | Automatically attached to every new VM, pre-configured allow-all-egress and limited ingress |
| Rule Types | INGRESS (inbound), EGRESS (outbound) |
| Filtering | Source/destination IP (IPv4/IPv6), MAC address, protocol, port ranges |
| Supported Protocols | TCP, UDP, ICMP, and others |
| Default Policy | Deny-by-default (only explicitly allowed traffic passes) |
| Limits | 200 NSGs per VDC, 100 rules per NSG, 10 NSGs per VM/NIC |
Rule Capabilities
| Feature | Description |
|---|---|
| Bidirectional | Controls both inbound and outbound traffic |
| Stateful | Automatically allows return traffic for permitted connections |
| Fine-grained | Filter on IP, MAC, protocol, port ranges with wildcard support |
| Templates | Pre-defined rule sets (Remote Access Linux, Generic Webserver, etc.) |
| Cloning | Copy existing rule sets across data centers or NSGs |
What You Can Do
Create Custom NSGs
Build custom NSGs with specific rule sets for different security requirements. Up to 200 NSGs per VDC (including one default and custom NSGs). Define precise firewall policies per workload type or security zone.
Define Firewall Rules
Create ingress and egress rules filtering on source/destination IP (IPv4/IPv6), MAC address, protocol (TCP, UDP, ICMP, GRE), and port ranges. Wildcards supported for MAC addresses (IP addresses use standard notation or CIDR blocks).
Note: Rules are deny-by-default; only traffic explicitly permitted passes through.
Use Rule Templates
Apply pre-defined templates for common configurations including Remote Access Linux, Generic Webserver, and other standard patterns. Accelerate secure deployments with consistent rule sets.
Attach NSGs to Resources
Attach NSGs to individual VMs or NICs for layered security. Default NSG automatically attached to new VMs. Add custom NSGs for additional control. VM or NIC can belong to up to 10 NSGs.
Note: Running NSGs in parallel with NIC-level firewall rules is discouraged due to potential conflicts. NSGs act as bidirectional firewalls that may override NIC rules.
Clone Rule Sets
Copy existing rule sets across data centers or NSGs. Ensures consistency across environments. Simplifies multi-region or multi-VDC deployments.
Manage Default NSG
Every VDC has one default NSG with four pre-configured rules (allow-all-egress and limited ingress). Provides ready-to-go baseline security. Can be modified to adjust default behavior for all new VMs.
Best For
| Scenario | Why It Fits |
|---|---|
| Multi-tier applications | Separate NSGs for web, app, and database tiers with specific ingress/egress rules |
| Compliance requirements | Deny-by-default posture, fine-grained access control, centralized policy management |
| Development/production separation | Different NSGs per environment, clone rule sets for consistency |
| Public-facing services | Precise port and protocol filtering, protect backend resources from unauthorized access |
| Micro-segmentation | Attach multiple NSGs (up to 10) per VM/NIC for layered security policies |
Key Considerations
Billing & Costs
- No separate NSG pricing is published: NSGs and firewall rules do not appear as a line item in the IONOS Cloud price list, and the documentation does not state they are free or included, though no per-rule or per-NSG fee has been found in any surveyed source.
Limitations
- Maximum 200 NSGs per VDC
- Maximum 100 rules per NSG
- Maximum 10 NSGs per VM or NIC
- Default NSG cannot be deleted (one per VDC)
- Running NSGs in parallel with NIC-level firewall rules may cause conflicts
- Rules are deny-by-default (explicit allow required for all traffic)
- Stateful inspection means return traffic automatically allowed (cannot configure asymmetric rules)
Management Options
- Data Center Designer (DCD)
- NSG Manager (create, view, delete NSGs)
- Rule Manager (create, view, edit, delete rules)
- Template library for common configurations
- Cloud API and SDKs
- Terraform provider