Known service limitations


Our firewall service is a multi-tenant service, meaning the firewall instances you create in the customer portal are hosted on hardware shared with other clients. There are no bps or pps guaranties. In the best-case scenario, a single virtual instance can pass through 5 Gbps of traffic. Please contact your account manager if you need a dedicated firewall installation for yourself.

For dedicated servers only 

Our firewall service works with dedicated servers only. Cloud servers can't be protected by the firewall service at the moment.

Public network only 

All of our servers are connected to three different networks – the public network (Internet), the global private network, and the out-of-band management network (see Network environment overview). The firewall works in the public network.

Limited compatibility with L2 segments 

All links to public L2 segments should be tagged trunks.

For each firewall instance (i.e., a firewall created in the Firewalls section of the customer portal), a VXLAN is created. For all hosts behind the firewall, the firewall's VXLAN is native. That is why hosts staying behind the firewall can't have native links with public L2 segments created by a client in the L2 segments section of the customer portal, only trunks.

IPv6 support due to being added

There is no IPv6 support at the moment. IPv6 networks should be removed from a host before it can be placed behind the firewall.

All public IPv4 aliases and additional networks of a host are protected

For a host placed behind the firewall, all its public IPv4 aliases and networks assigned to the agge network interface are placed behind the firewall.

Modification times

On average, it takes 1 minute to move a host behind or remove it from behind the firewall (i.e., to or out of a protected VXLAN). During the move, packet loss occurs on the public network interface of a host. The time may significantly exceed 1 minute, depending on the length of the queue on network equipment.

Adding or removing of multiple hosts at once is equivalent to adding or removing them one by one. The processing time increases proportionally with the number of hosts.

We encourage you not to count on the average time, and to free hosts from working load before moving them behind the firewall.


Suggested Articles

  • Firewall

    Creating a firewall instance

  • Firewall

    Getting Started with Firewall