by Avamander 2142 days ago
> You have to protect each server individually with its own in-machine firewall.

That's the standard practice?

OVH's own firewall is for DDoS/DoS protection, not for fine-grained security. Did I understand OVH's information incorrectly?

2 comments

Ouch. That probably means there's a metric shit tonne of VMs running Docker with open ports in their data centres.

Saying that because (by default) Docker screws with firewall rules on the VM when it starts up, to allow other hosts to communicate with the containers.

In other hosting environments, the workaround is to apply firewall rules to your VMs using the hosting infrastructure capabilities, e.g. separate to the iptables (etc.) rules on each host.
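The behaviour described in the comment above, as an added example that is not part of the original thread: a Python check that reads `iptables-save` output and lists container ports Docker has published to non-loopback addresses, which are DNATed and forwarded without passing the host's INPUT chain. The sample ruleset is constructed, and the code assumes Docker's default iptables backend with its `DOCKER` and `DOCKER-USER` chains.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save` output from a host running Docker (illustrative only).
SAMPLE = """\
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
COMMIT
*filter
:INPUT DROP [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
"""

def audit(ruleset):
    """Return (exposed, user_filtered) for an iptables-save dump.

    exposed: (proto, host_port, container_addr) for each non-loopback publish.
    user_filtered: True if DOCKER-USER holds any DROP/REJECT rule.
    """
    table, exposed, user_filtered = None, [], False
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # "*nat" / "*filter" start a table section
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        chain, target = tok[1], opts.get("-j")
        if (table, chain, target) == ("nat", "DOCKER", "DNAT"):
            # No -d match means the port was published on every host address.
            dst = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
            if not dst.is_loopback:
                exposed.append((opts.get("-p"), opts.get("--dport"), opts["--to-destination"]))
        elif table == "filter" and chain == "DOCKER-USER" and target in ("DROP", "REJECT"):
            user_filtered = True
    return exposed, user_filtered

if __name__ == "__main__":
    exposed, filtered = audit(SAMPLE)
    for proto, port, dest in exposed:
        print(f"{proto}/{port} -> {dest} published on all addresses (INPUT policy not applied)")
    print("DOCKER-USER filtering present:", filtered)
```

On a real host, feed it the output of `iptables-save` run as root instead of the sample string.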

Yes. There are two different products: VAC, which is for DDoS protection, and general SDN firewall/security groups which is only OVHcloud (not dedicated servers).

In the most general case, it seems other customers can actually send DDoS/volumetric traffic toward you from within OVH and it doesn't get picked up.