By default, a newly created virtual machine in bwCloud-OS is accessible from the outside via:

• SSH (port 22) – for remote login and configuration
• ICMP – to allow basic network diagnostics like ping and traceroute

This initial access is explicitly permitted by the automatically assigned security group (named default) in our configuration. This is not a default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

By default, a newly created virtual machine in bwCloud-OS is initially only accessible from the outside via SSH (port 22) and ICMP. All other inbound traffic is blocked by default — meaning external traffic on those ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to add a rule to the relevant security group. Changes to security group rules apply immediately to all instances using that group — there's no need to reboot the instance.

If you're running a web server that should be accessible via HTTPS, you typically need to open port 443 in a security group attached to your instance.

Steps in the Dashboard:

1. In the left menu, go to Network → Security Groups. A list of all defined security groups will appear.
   • Recommended: Consider creating a dedicated security group (e.g. named https-access), and assign the group to your instance using the option Edit Security Groups in the instance menu before the next step.
2. Find the relevant group and click Manage Rules. You’ll see all currently defined rules for that group.
3. Click Add Rule to create a new one.
4. In the dialog that appears, choose one of the following:
   • HTTPS from the Rule dropdown (automatically fills port 443), or
   • Custom TCP Rule, then manually enter 443 in the Port field.
5. In the CIDR field, specify which IP addresses should be allowed to connect:
   • Use a specific IP range (e.g. 192.168.0.0/24) to limit access
   • ⚠️ Using 0.0.0.0/0 would allow access from any IPv4 address, ::/0 from any IPv6 address.
6. Set the Direction of the rule:
   • Ingress = incoming connections (usually what you want)
   • Egress = outgoing connections
7. Click Add. The rule will be created and added to the list immediately.

Yes. Some ports are centrally blocked in certain bwCloud-OS regions due to specific network policies at the participating university data centers. An individual opening of centrally blocked ports in a bwCloud-OS region for virtual machines is not possible.

For more details — including which ports are affected in each region — see this overview.

We do not offer certificates. However, your instance can obtain certificates from other institutions (e.g. Lets Encrypt) using the Cert Bot

2. Your server should not be accessible from everywhere on the internet. The entry in the field "CIDR" restricts the access to a specific network segment. Enter there the IP addresses that should be allowed.
3. In the "Direction" field you can define the direction:
   1. Ingress = Incoming connections
   2. Egress = Outgoing connections
4. Click Add, and the new rule is created. The page reloads, and the new rule appears in the list.

Yes. In the different bwCloud-OS regions, different regulations apply for the use of the networks, due to the respective data centers of the universities. An individual opening of centrally blocked ports for virtual machines in the bwCloud regions is not possible. Further information, also about the individual regions, is listed here.

We do not offer certificates. However, your instance can obtain certificates from other institutions (e.g. Lets Encrypt) using the Cert Bot.

If your own VMs are behaving "strangely", it may be that they have been hacked. In this case, please follow these steps:

1. Log in to the OpenStack Dashboard
2. Stop the affected instances - do not delete!
3. Submit a ticket Important information:

• Which instances are possibly affected?
• How can the strange behaviour be described?
• Which measures have already been implemented?
• We will contact you as soon as possible to clarify the situation.

No, the running instances are not checked for open ports or other characteristics. However, the entire bwCloud operating environment is monitored - for example, network monitoring covers current upstream and downstream traffic. If the network traffic here changes abruptly, significantly and atypically beyond normal levels, this is checked at the node and OpenStack monitoring level.

However, we do not look inside the virtual machines!