Building VMs with Firewall Sets

NetActuate firewall sets can be applied to a VM at build time using the firewall_set_list parameter. The firewall is active from the moment the VM is created — traffic is filtered before the VM is reachable via SSH.

Prerequisites

  • Firewall feature must be enabled on your account. Contact support to enable it.
  • Firewall sets must be created before the build call.

Step 1: Create a Firewall Set

Create a firewall set via Networking > Firewall > + New Set in the portal, or via the API:

curl -X POST https://vapi2.netactuate.com/api/firewall/sets \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Web Server Baseline",
    "description": "Allow 80/443 inbound, drop everything else",
    "enabled": 1
  }'

Note the id returned — you will pass it in the build call.

Step 2: Add Rules to the Set

curl -X POST https://vapi2.netactuate.com/api/firewall/sets/42/rules \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ip_version": "IPv4",
    "direction": "IN",
    "action": "ACCEPT",
    "enabled": 1,
    "match_criteria": {
      "protocol": "tcp",
      "source_net": ["0.0.0.0/0"],
      "destination_port_start": 443,
      "destination_port_end": 443
    },
    "rule_priority": 1
  }'

Repeat for each rule. See Firewall API Reference for the full rule schema.
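
A pre-flight lint for rule payloads before they are posted, as an added example that is not NetActuate code: it checks the fields shown in the Step 2 payload for address-family mismatches, invalid port ranges, and administrative ports accepted from any source. The ADMIN_PORTS list, the "IPv6" value and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: ports an operator would not want accepted from the whole internet.
ADMIN_PORTS = {22, 3389}
# "IPv4" appears on the page; "IPv6" is an assumed counterpart value.
FAMILY = {"IPv4": 4, "IPv6": 6}


def lint_rule(rule):
    """Return a list of findings for one rule payload (empty list = clean)."""
    findings = []
    mc = rule.get("match_criteria", {})
    version = FAMILY.get(rule.get("ip_version"))
    if version is None:
        findings.append(f"unknown ip_version {rule.get('ip_version')!r}")

    nets = []
    for cidr in mc.get("source_net", []):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"source_net {cidr!r} is not a valid CIDR")
            continue
        if version and net.version != version:
            findings.append(f"source_net {cidr} does not match {rule['ip_version']}")
        nets.append(net)

    start = mc.get("destination_port_start")
    end = mc.get("destination_port_end")
    if isinstance(start, int) and isinstance(end, int):
        if not (1 <= start <= end <= 65535):
            findings.append(f"bad port range {start}-{end}")
        elif rule.get("action") == "ACCEPT" and rule.get("direction") == "IN":
            exposed = sorted(p for p in ADMIN_PORTS if start <= p <= end)
            if exposed and any(n.prefixlen == 0 for n in nets):
                findings.append(f"admin port(s) {exposed} accepted from any source")
    return findings


# Constructed sample payloads in the shape shown in Step 2.
HTTPS_RULE = {"ip_version": "IPv4", "direction": "IN", "action": "ACCEPT", "enabled": 1,
              "match_criteria": {"protocol": "tcp", "source_net": ["0.0.0.0/0"],
                                 "destination_port_start": 443, "destination_port_end": 443},
              "rule_priority": 1}
WIDE_RULE = {**HTTPS_RULE, "rule_priority": 2,
             "match_criteria": {"protocol": "tcp", "source_net": ["0.0.0.0/0", "::/0"],
                                "destination_port_start": 1, "destination_port_end": 1024}}

if __name__ == "__main__":
    for r in (HTTPS_RULE, WIDE_RULE):
        print(r["rule_priority"], lint_rule(r) or "ok")
```

Because the set is enforced from the moment the VM is created, running a check like this in CI before the build call catches a mistyped range or an unintended wide-open rule before it ever filters live traffic.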

Step 3: Build the VM with the Firewall Set

Pass one or more firewall set IDs in firewall_set_list:

curl -X POST https://vapi2.netactuate.com/api/build \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mbpkgid": 1001,
    "location": 12,
    "image": 203,
    "fqdn": "web01.example.com",
    "ssh_key_id": 88,
    "package_billing": "monthly",
    "firewall_set_list": [42, 57]
  }'

Multiple sets are applied in order. All sets apply to the primary network interface (eth0).

Step 4: Sync Rules After Changes

If you update firewall rules after the VM is built, sync the changes:

curl -X POST https://vapi2.netactuate.com/api/firewall/sets/42/vm/sync-all \
  -H "Authorization: Bearer YOUR_API_KEY"

Using Firewall Sets with Ansible

Read the firewall set ID from a variable and pass it at node creation:

- name: Provision VM with firewall set
  netactuate.compute.node:
    auth_token: "{{ auth_token }}"
    hostname: "{{ inventory_hostname }}"
    plan: "{{ plan }}"
    location: "{{ location }}"
    image: "Ubuntu 24.04 LTS (20240423)"
    ssh_key_id: "{{ ssh_key_id }}"
    firewall_set_list: "{{ firewall_set_ids }}"
    state: present

Add firewall_set_ids to group_vars/all as a list of integers.

Need Help?

If you need assistance, visit our support page.