The FirewallGroup node allows you to define a virtual firewall that controls the traffic for one or more Server nodes defined in your blueprint template.

The FirewallGroup node is defined with a section name, a type and properties.

section name

Example: vm_firewall_rules:


type: dcm.nodes.FirewallGroup


The following node properties are supported when defining a FirewallGroup node in a blueprint template:

  • name - firewall name
  • cloud - cloud where the firewall will be created in
  • cloudAccountID - cloud account of the cloud
  • region - region in the cloud where the firewall will be created in
  • zone - data center in the cloud region where the firewall will be created in
  • rules - one or more firewall rules defined with a - remote_ip_prefix: statement, port: statement and protocol: statement.
  • - remote_ip_prefix: - specifies the CIDR/IP range for the firewall rule
  • port: - specifies the port to open for the firewall rule
  • protocol: - specifies the protocol for the port (TCP or UDP. TCP is the default)


If you will be launching servers in a VPC you will need to specify requirements with a relationship to the VPC network.

    - network: vpc_network                                      # substitute vpc_network with the label name of the network in the template
        relationship_type: tosca.relationships.DependsOn

Refer to Example of launching a server in a private network with a firewall requirement on the private network for more information.


  type: dcm.nodes.FirewallGroup
    name: { func_join: ["-", ["fw", { get_input: name }]]}
    cloud: { get_input: [account_region_zone_selector, cloud] }              # Retrieve the cloud from the AccountRegionSelector 
    cloudAccountId: { get_input: [account_region_zone_selector, accountId] } # Retrieve the cloud account ID from the AccountRegionSelector  
    region: { get_input: [account_region_zone_selector, region] }            # Retrieve the region from the AccountRegionSelector 
    zone: { get_input: [account_region_zone_selector, zone] }                # Retrieve the zone from the AccountRegionSelector  
      - remote_ip_prefix:
        port: 22
      - remote_ip_prefix:
        port: 80
      - remote_ip_prefix:
        port: 443
      - remote_ip_prefix:
        protocol: UDP 
        port: 137    


In the example above func_join and get_input are internal functions. Refer to Internal functions for more details.