Skip firewall setup for custom os_images

Author: jvstme

docs/docs/concepts/backends.md

@@ -243,6 +243,7 @@ There are two ways to configure AWS: using an access key or using the default cr
         * `user` with passwordless sudo access
         * Docker is installed
         * (For NVIDIA instances) NVIDIA/CUDA drivers and NVIDIA Container Toolkit are installed
+        * The firewall (`iptables`, `ufw`, etc.) must allow external traffic to port 22 and all traffic within the private subnet, and should forbid any other incoming external traffic.
 
 ## Azure
 

src/dstack/_internal/core/backends/aws/compute.py

@@ -292,7 +292,12 @@ def create_instance(
                         image_id=image_id,
                         instance_type=instance_offer.instance.name,
                         iam_instance_profile=self.config.iam_instance_profile,
-                        user_data=get_user_data(authorized_keys=instance_config.get_public_keys()),
+                        user_data=get_user_data(
+                            authorized_keys=instance_config.get_public_keys(),
+                            # Custom OS images may lack ufw, so don't attempt to set up the firewall.
+                            # Rely on security groups and the image's built-in firewall rules instead.
+                            skip_firewall_setup=self.config.os_images is not None,
+                        ),
                         tags=aws_resources.make_tags(tags),
                         security_group_id=security_group_id,
                         spot=instance_offer.instance.resources.spot,