Cloud Firewalls

Network security that enforces at the edge.

Stateful packet inspection applied at the network edge — before traffic ever reaches your instances. Define granular allow/deny rules by IP range, port, or protocol, and propagate changes across your entire fleet in under 500ms.

Stateful filtering · DDoS mitigation · Rule propagation < 500ms · IPv4 + IPv6 · eBPF enforcement

Defense in Depth

Four layers of protection.

Security is not a single product — it's a strategy. Our multi-layered approach protects your infrastructure at every level.

  • 01 Edge Network: DDoS mitigation, bot detection, geographic blocking (100% of traffic)
  • 02 VPC Perimeter: Stateful firewall, network ACLs, flow logging (All instances)
  • 03 Instance Level: Host-based firewall, intrusion detection, file integrity (Per-instance opt-in)
  • 04 Application Level: WAF rules, API rate limiting, payload inspection (HTTP/HTTPS traffic)

Features

Enterprise-grade security.

Every feature is designed to protect your infrastructure while maintaining high performance and ease of use.

Stateful Packet Inspection

Deep packet inspection that tracks connection state. Allow established connections while blocking unauthorized inbound traffic automatically.

DDoS Protection

Automatic mitigation of volumetric attacks at the edge. Absorbs attacks up to 2 Tbps without impacting your infrastructure.

Sub-500ms Propagation

Rule changes propagate across all edge nodes in under 500 milliseconds. No waiting minutes for security updates to take effect.

Zero-Trust Architecture

Default-deny posture with explicit allow rules. Every connection is authenticated and authorized, regardless of origin.

Micro-segmentation

Isolate workloads within your VPC with east-west traffic filtering. Compromised instances can't move laterally to other resources.

Real-time Threat Detection

ML-powered anomaly detection identifies suspicious traffic patterns. Automated responses block threats before they reach your instances.

Rule Configuration

Flexible rule definitions.

Define security policies that match your exact requirements with granular control over traffic flow.

Inbound Rules

Control traffic entering your instances. Define allowed source IPs, ports, and protocols with granular precision.

Allow SSH from office IP
Allow HTTPS from anywhere
Allow PostgreSQL from VPC only

Outbound Rules

Restrict what your instances can access externally. Prevent data exfiltration and unauthorized API calls.

Allow HTTPS to anywhere
Block all SMTP
Allow DNS to 8.8.8.8

Application Rules

Layer 7 filtering based on application protocols. Inspect HTTP headers, rate limit APIs, and block malicious payloads.

Rate limit /api/login
Block SQL injection patterns
Require TLS 1.3

Threat Protection

Mitigate attack vectors.

Automatic protection against the most common types of network attacks and abuse.

Volumetric Attacks

UDP floods, ICMP floods, and other bandwidth saturation attempts

Absorbed at edge, never reach your instances

Protocol Attacks

SYN floods, fragmented packet attacks, Ping of Death

Stateful inspection drops malformed packets

Application Attacks

HTTP floods, Slowloris, SQL injection attempts

Layer 7 filtering and rate limiting

Credential Stuffing

Automated login attempts using stolen credentials

Rate limiting and CAPTCHA challenges

Compliance

Meet regulatory requirements.

Our security controls map to major compliance frameworks, making audits straightforward.

PCI-DSS

  • Network segmentation
  • Traffic encryption
  • Access logging
  • Vulnerability scanning

SOC 2

  • Change management
  • Audit trails
  • Monitoring alerts
  • Incident response

ISO 27001

  • Risk assessment
  • Security policies
  • Asset management
  • Business continuity

NDPR

  • Data residency
  • Breach notification
  • Privacy controls
  • Consent management

Observability

See everything. Miss nothing.

Comprehensive logging and monitoring to detect, investigate, and respond to security events.

Flow Logs

Capture metadata for every packet: source, destination, protocol, action taken. Stored for 30 days with export options.

Real-time Monitoring

Live dashboard showing blocked attempts, traffic patterns, and geographic distribution of requests.

Alerting

Configure alerts for suspicious activity. Webhook, email, or Slack notifications when thresholds are exceeded.

SIEM Integration

Export logs to Splunk, Datadog, or your SIEM of choice. Native integrations with popular security platforms.

Automation

Configure via CLI.

Manage firewalls programmatically. Create rules, view logs, and monitor traffic from your terminal or CI/CD pipelines.

  • Infrastructure-as-code support
  • Terraform provider available
  • Audit trail for all changes
  • Bulk rule import/export

nubis-cli

    # Create a new firewall
    $ nubis firewall create --name web-tier --vpc main

    # Allow HTTPS traffic
    $ nubis firewall rule add --firewall web-tier --port 443 --source 0.0.0.0/0

    # Restrict SSH to internal
    $ nubis firewall rule add --firewall web-tier --port 22 --source 10.0.0.0/8

    # View live firewall logs
    $ nubis firewall logs --firewall web-tier --tail
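
An added example, not part of the nubis product or its documentation: a pre-deploy lint that a CI pipeline could run over a rule set before it is applied. The rule dictionary format, the sensitive-port list and the prefix limits are assumptions made for illustration; only the firewall, port and source fields mirror the CLI flags shown above.

```python
import ipaddress

# Assumed policy, not taken from the page: ports that must not face the internet.
SENSITIVE_PORTS = {22: "SSH", 5432: "PostgreSQL"}
# Internal ranges: RFC 1918 plus IPv6 unique-local addresses.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumed limit: narrowest acceptable public source on a sensitive port.
MIN_PUBLIC_PREFIX = {4: 24, 6: 48}


def is_internal(net):
    """True when the source network lies entirely inside an internal range."""
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)


def lint(rules):
    """Return (rule_index, code, message) findings for a list of rule dicts."""
    findings = []
    for i, rule in enumerate(rules):
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/8
            net = ipaddress.ip_network(rule["source"], strict=True)
        except ValueError as exc:
            findings.append((i, "bad-cidr", str(exc)))
            continue
        service = SENSITIVE_PORTS.get(rule["port"])
        if service is None or is_internal(net):
            continue
        if net.prefixlen == 0:
            findings.append((i, "world-open", f"{service} reachable from {net}"))
        elif net.prefixlen < MIN_PUBLIC_PREFIX[net.version]:
            findings.append((i, "broad-public", f"{service} open to {net}"))
    return findings


# Constructed rule set; keys mirror the --firewall/--port/--source flags above.
SAMPLE_RULES = [
    {"firewall": "web-tier", "port": 443, "source": "0.0.0.0/0"},        # ok
    {"firewall": "web-tier", "port": 22, "source": "10.0.0.0/8"},        # ok
    {"firewall": "web-tier", "port": 22, "source": "0.0.0.0/0"},         # world-open
    {"firewall": "db-tier", "port": 5432, "source": "198.51.100.0/22"},  # broad-public
    {"firewall": "db-tier", "port": 5432, "source": "10.0.0.5/8"},       # bad-cidr
    {"firewall": "web-tier", "port": 22, "source": "203.0.113.7/32"},    # ok: one host
]

if __name__ == "__main__":
    for idx, code, msg in lint(SAMPLE_RULES):
        print(f"rule {idx} [{SAMPLE_RULES[idx]['firewall']}]: {code}: {msg}")
```

Failing the pipeline on any finding keeps an accidental `0.0.0.0/0` on a management or database port from ever reaching the edge.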

Pricing

Security at every budget.

Start free and scale as your security requirements grow. No hidden fees or surprise charges.

Standard

Free

Included with every instance

  • Stateful firewall rules
  • DDoS protection (up to 10 Gbps)
  • Flow logging (7 days)
  • Email alerts
  • IPv4 & IPv6 support

Advanced

$49/mo

Per VPC

  • Everything in Standard
  • DDoS protection (up to 100 Gbps)
  • WAF rules
  • Bot management
  • Geographic blocking
  • Flow logging (30 days)
  • Webhook alerts

Enterprise

Custom

For large deployments

  • Everything in Advanced
  • DDoS protection (up to 2 Tbps)
  • Dedicated security team
  • Custom rule development
  • 24/7 incident response
  • Compliance reporting
  • SLA guarantees

Zero latency.
Zero lock-in.

Reclaim your infrastructure. Deploy to our Lagos edge in under 60 seconds and experience what cloud performance actually feels like.
