By default, a newly created virtual machine in bwCloud-OS is initially only accessible from the outside via SSH (port 22). This behavior is controlled by the assigned security group, named default. All other ports are blocked by default — meaning external traffic on those ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to add a rule to the relevant security group. Changes to security group rules apply immediately to all instances using that group — there's no need to reboot the instance.

.

If you're running a web server that should be accessible via HTTPS, you typically need to open port 443 in the security group attached to your instance.

1. In the left menu, go to Network → Security Groups. A list of all defined security groups will appear.
   • Recommended: If not already done, consider creating a dedicated security group (e.g. named https-access) and , assign the group to your instance before step 2.
2. Find the relevant group and click Manage Rules. You’ll see all currently defined rules for that group.
3. Click Add Rule to create a new one.
4. In the dialog that appears, choose one of the following:
   • HTTPS from the Rule dropdown (automatically fills port 443), or
   • Custom TCP Rule, then manually enter 443 in the Port field.
5. In the CIDR field, specify which IP addresses should be allowed to connect:
   • Use a specific IP range (e.g. 192.168.0.0/24) to limit access
   • ⚠️ Not recommended: 0.0.0.0/0 would allow access from any IPv4 address, ::/0 from any IPv6 address.
6. Set the Direction of the rule:
   • Ingress = incoming connections (usually what you want)
   • Egress = outgoing connections
7. Click Add. The rule will be created and added to the list immediately.

Yes. In the different bwCloud-OS regions, different regulations apply for the use of the networks, due to the respective data centers of the universities. An individual opening of centrally blocked ports for virtual machines in the bwCloud regions is not possible. Further information, also about the individual regions, is listed here.

We do not offer certificates. However, your instance can obtain certificates from other institutions (e.g. Lets Encrypt) using the Cert Bot

2. Your server should not be accessible from everywhere on the internet. The entry in the field "CIDR" restricts the access to a specific network segment. Enter there the IP addresses that should be allowed.
3. In the "Direction" field you can define the direction:
   1. Ingress = Incoming connections
   2. Egress = Outgoing connections
4. Click Add, and the new rule is created. The page reloads, and the new rule appears in the list.

Yes. In the different bwCloud-OS regions, different regulations apply for the use of the networks, due to the respective data centers of the universities. An individual opening of centrally blocked ports for virtual machines in the bwCloud regions is not possible. Further information, also about the individual regions, is listed here.

We do not offer certificates. However, your instance can obtain certificates from other institutions (e.g. Lets Encrypt) using the Cert Bot.

If your own VMs are behaving "strangely", it may be that they have been hacked. In this case, please follow these steps:

1. Log in to the OpenStack Dashboard
2. Stop the affected instances - do not delete!
3. Submit a ticket Important information:

• Which instances are possibly affected?
• How can the strange behaviour be described?
• Which measures have already been implemented?
• We will contact you as soon as possible to clarify the situation.

No, the running instances are not checked for open ports or other characteristics. However, the entire bwCloud operating environment is monitored - for example, network monitoring covers current upstream and downstream traffic. If the network traffic here changes abruptly, significantly and atypically beyond normal levels, this is checked at the node and OpenStack monitoring level.

However, we do not look inside the virtual machines!