Lobster Cloud uses AWS Security Groups as virtual firewalls to control all incoming and outgoing network traffic to your system. This page explains how Security Groups work, what restrictions apply, and how to request changes.
How firewall Security Groups work
Each Lobster Cloud system component (OIS server, DMZ server, DEV server) has its own dedicated AWS Security Group. A Security Group acts as a stateful firewall that evaluates traffic based on defined rules before allowing or denying access.
| Aspect | Details |
|---|---|
| Scope | Each system component has its own Security Group with individual rules. |
| Stateful | If an incoming connection is allowed, the response traffic is automatically permitted without requiring a separate outgoing rule. |
| Evaluation | All rules are evaluated before a decision is made. If no rule matches, the traffic is denied by default. |
Default configuration
| Direction | Default behavior |
|---|---|
| Incoming traffic | Closed by default. Only explicitly authorized IP addresses and ports are permitted. |
| Outgoing traffic | Open by default. Your system can communicate with external endpoints (partner systems, APIs, services) without restriction. |
The following ports are publicly accessible by default on every system:
| Port | Protocol | Restriction |
|---|---|---|
| 80 | HTTP | Limited to Let's Encrypt certificate validation only. All other HTTP traffic is redirected to port 443. |
| 443 | HTTPS | Open for web services, platform login, and AS2 communication. |
All other ports are closed by default and must be explicitly requested.
Rule format and restrictions
| Restriction | Details |
|---|---|
| Maximum rules | 960 firewall rules per system. |
| IP-based only | Only IP addresses can be used in Security Group rules. DNS names are not supported. |
| No customer self-service | You cannot modify Security Groups directly. All changes must be requested via support ticket. |
| No additional Security Groups | You cannot add new Security Groups to your environment. Only the Security Groups created during provisioning are available. |
Requesting firewall changes
To request a firewall rule change, submit a support ticket to support@lobster.de with the following information:
| Required information | Description |
|---|---|
| System | Which system the rule applies to (production, test, DMZ, DEV). |
| Direction | Whether the rule is for incoming or outgoing traffic. |
| Port | The port number to open or close. |
| IP address(es) | authorize |
| Protocol | TCP, UDP, or both. |
| Purpose | A brief description of the communication partner and use case. |
Info
The Lobster Cloud Operations team processes firewall change requests during standard service hours (Monday to Friday, 08:00 to 17:00 UTC+1/+2).
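The following validator is an added example, not Lobster tooling: it checks a change request against the required fields above and the IP-only and 960-rule restrictions before you open a ticket. The dictionary keys, the sample values, accepting CIDR ranges, and counting one rule per address per protocol are assumptions.

```python
import ipaddress

# Allowed values as listed on this page.
SYSTEMS = {"production", "test", "DMZ", "DEV"}
DIRECTIONS = {"incoming", "outgoing"}
PROTOCOLS = {"TCP", "UDP", "both"}
MAX_RULES = 960
FIELDS = ("system", "direction", "port", "ip_addresses", "protocol", "purpose")

# Constructed sample request (documentation-range addresses, hypothetical partner).
SAMPLE_REQUEST = {
    "system": "production", "direction": "incoming", "port": 22,
    "ip_addresses": ["203.0.113.10", "198.51.100.0/24"],
    "protocol": "TCP", "purpose": "SFTP from partner Example GmbH",
}


def validate_request(req, current_rule_count=0):
    """Return a list of problems; an empty list means the request is complete."""
    problems = [f"missing field: {f}" for f in FIELDS if not req.get(f)]
    if problems:
        return problems
    if req["system"] not in SYSTEMS:
        problems.append(f"unknown system: {req['system']}")
    if req["direction"] not in DIRECTIONS:
        problems.append(f"unknown direction: {req['direction']}")
    if req["protocol"] not in PROTOCOLS:
        problems.append(f"unknown protocol: {req['protocol']}")
    if not (isinstance(req["port"], int) and 1 <= req["port"] <= 65535):
        problems.append(f"invalid port: {req['port']}")
    for addr in req["ip_addresses"]:
        try:
            # Assumption: single addresses and CIDR ranges are both acceptable.
            ipaddress.ip_network(addr, strict=False)
        except ValueError:
            problems.append(f"not an IP address (DNS names are not supported): {addr}")
    # Assumption: each address consumes one rule per protocol ("both" = 2).
    per_address = 2 if req["protocol"] == "both" else 1
    needed = len(req["ip_addresses"]) * per_address
    if current_rule_count + needed > MAX_RULES:
        problems.append(f"request would exceed the {MAX_RULES}-rule limit")
    return problems


if __name__ == "__main__":
    print(validate_request(SAMPLE_REQUEST) or "request is complete")
```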
Important considerations
Your local firewall
When Lobster opens a port in the AWS Security Group, your communication partner must also have the corresponding port open in their local firewall. A common source of connectivity issues is that the port is open on the Lobster Cloud side but blocked on the partner or customer side.
IP address changes
If the IP address of one of your communication partners changes, you must submit a new firewall change request. The old rule with the previous IP address should be removed at the same time to keep your rule set clean and within the 960-rule limit.
Outgoing connections
Outgoing connections from your Lobster Cloud system are open by default. You do not need to request a firewall rule for outgoing traffic. However, the destination system must allow incoming connections from your Lobster Cloud system's public IP address.
VPN traffic
VPN traffic is controlled by the VPN routing configuration and Security Group rules.