Security groups#
General information#
Security groups describe rules for traffic filtering on network interfaces of the instances connected to a subnet, thus acting as a virtual firewall.
Default security group#
A default security group is created together with a VPC. It is associated with the network interface when it is created.
Inbound rules of the default security group:

Protocol | Source | Ports | Description
---|---|---|---
All | The security group itself (sg-XXXXXXXX) | All | Enables inbound traffic from interfaces with the default security group

Outbound rules of the default security group:

Protocol | Destination | Ports | Description
---|---|---|---
All | 0.0.0.0/0 | All | Allows all outbound IPv4 traffic
You can change the rules of the default security group or associate your security groups with a network interface (up to five security groups per network interface). In each security group, you can define rules for both inbound and outbound traffic.
Stateful inspection#
Security groups perform stateful traffic filtering: for each new allowed network connection, a temporary reverse rule is created automatically. This rule dynamically allows the return traffic of that connection.
Note
Suppose, for example, that a web server runs on an instance in the cloud and listens on TCP port 80. The respective network interface has the associated web-sg security group, with an inbound allow rule tcp/80, 0.0.0.0/0. The list of outbound rules is empty. When a TCP session is established between a client and the web server, a temporary outbound allow rule is created: proto: tcp, source port: 80, destination port: XXXX, destination IP: client IP, where XXXX is an ephemeral port, which the client operating system dynamically selects for the current TCP session. This rule remains in effect until the connection is closed or the timeout expires. The length of the timeout depends on the protocol.
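The following Python model is an added example, not the provider's own code: it reproduces the web-sg scenario above by keeping static rules per direction plus a connection table that plays the role of the temporary reverse rule. The timeout values, the `Rule`/`StatefulSecurityGroup` classes and the direction and port conventions are assumptions made for the illustration.

```python
import ipaddress

# Constructed timeouts in seconds: the page only says the timeout depends on the protocol.
TIMEOUTS = {"tcp": 300, "udp": 30}

class Rule:
    """One static allow rule: protocol ("all", "tcp", "udp"), a CIDR that is the
    source for inbound rules or the destination for outbound rules, and an
    optional inclusive port range (None means all ports)."""
    def __init__(self, proto, cidr, ports=None):
        self.proto, self.net, self.ports = proto, ipaddress.ip_network(cidr), ports

    def matches(self, proto, ip, port):
        proto_ok = self.proto in ("all", proto)
        ip_ok = ipaddress.ip_address(ip) in self.net
        port_ok = self.ports is None or self.ports[0] <= port <= self.ports[1]
        return proto_ok and ip_ok and port_ok

class StatefulSecurityGroup:
    """Static rules per direction plus a connection table that stands in for the
    temporary reverse rules the page describes (hypothetical model)."""
    def __init__(self, inbound=(), outbound=()):
        self.rules = {"in": list(inbound), "out": list(outbound)}
        self.conntrack = {}  # (proto, remote_ip, remote_port, local_port) -> expiry time

    def allow(self, direction, proto, remote_ip, remote_port, local_port, now):
        """Decide one packet. direction is "in" (remote -> interface) or "out"."""
        key = (proto, remote_ip, remote_port, local_port)
        # 1. Return traffic of a tracked connection passes without a static rule.
        if key in self.conntrack:
            if now < self.conntrack[key]:
                return True
            del self.conntrack[key]  # timeout expired: the reverse rule is gone
        # 2. Otherwise a static rule must match. Inbound rules check the local
        #    (destination) port; outbound rules check the remote (destination) port.
        port = local_port if direction == "in" else remote_port
        if any(r.matches(proto, remote_ip, port) for r in self.rules[direction]):
            self.conntrack[key] = now + TIMEOUTS.get(proto, 60)
            return True
        return False

    def close(self, proto, remote_ip, remote_port, local_port):
        """The connection was closed, so its temporary reverse rule is removed."""
        self.conntrack.pop((proto, remote_ip, remote_port, local_port), None)

def web_sg():
    """The page's example: inbound tcp/80 from anywhere, no outbound rules."""
    return StatefulSecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", (80, 80))])
```

With `web_sg()`, the server's reply to a client that connected to port 80 passes although the outbound list is empty, while a connection the server itself opens to the outside is dropped.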
Operations with security groups#
Create a security group#
To create a security group, go to Virtual machines > Security > Security groups and click Create. In the dialog window, select the VPC in which the security group should be created, and enter the group name and description.
Optionally, you can also specify the Name tag. To add tags with arbitrary keys, click Add tags. After setting all the required parameters, confirm your choice.
Assign a security group to an interface#
You can assign a security group to any network interface or remove it from the assigned ones in the Security groups tab on the page of the respective interface. How to change security groups of a network interface is detailed in the respective section of documentation on network interfaces. The list of interfaces to which a specific security group was assigned can be viewed in the Network interfaces tab on the page of the respective group.
Edit the description of a security group#
To change a security group description, go to its page and open the Information tab. To change the security group name, description, and the Name tag value, edit the corresponding parameters.
Delete a security group#
You can delete a security group only if it meets the following criteria:
a security group is not assigned to any network interface;
the security group is not the default security group;
the security group is not set as a source or a destination in another security group.
If all the criteria for deleting a security group are met, select it from the list in the Security groups subsection, or go to its page and open the Information tab, and then click Delete.
Working with rules#
Add a rule#
The new rule will be automatically applied to all interfaces associated with this security group.
Attention
Rules, where the source/destination is a security group, are limited to a single availability zone. If you want to permit traffic between network interfaces located in different availability zones, specify IP addresses as the sources/destinations in the permitting rules.
Attention
There can be no more than 50 inbound or outbound rules in each security group.
Note
If a security group is associated with a network interface whose sourceDestCheck parameter is disabled, you cannot use this security group as a source in its own inbound rules or in the inbound rules of other security groups.
To add an inbound or outbound rule to a particular security group:
Go to Virtual machines > Security > Security groups.
Find the security group in the resource table and click its ID to go to the group page.
Open the required Inbound rules or Outbound rules tab and click Add.
In the dialog window, set the required parameters:
Rule description (optional).
Protocol — You can set the rule for all protocols or select a specific protocol from the list. If the required protocol is not on the list, select Other.
Protocol number — If the protocol is not on the list, set its number according to IANA.
Port access — For TCP and UDP, specify whether all or specific ports can be accessed.
Ports — If you select access to only some ports, specify a comma-separated list of ports and/or port ranges.
Note
A separate rule will be created for each port or port range in the list.
Grant Access — You can grant access from all IP addresses, a particular network, or a security group.
Network — If you select From Network, specify the network in CIDR notation.
Security group — If you select From security group, select a security group from the drop-down list.
Once all parameters are set, click Add to create a rule.
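As an added illustration (not the provider's own code) of the constraints in the Add a rule and Delete a security group sections, this hypothetical Python model expands the Ports field into one rule per entry, validates CIDR sources, enforces the 50-rule limit per direction, and checks the three deletion criteria. The `SecurityGroup` class, the `peer` field and the `sg-` prefix convention are assumptions made for the example.

```python
import ipaddress

MAX_RULES_PER_DIRECTION = 50  # limit stated on the page

def parse_ports(spec):
    """Expand the Ports field: '22, 80, 8000-8100' -> [(22, 22), (80, 80), (8000, 8100)].
    None (all ports) expands to [None], i.e. a single rule."""
    if spec is None:
        return [None]
    ranges = []
    for item in spec.split(","):
        low, _, high = item.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port entry: {item.strip()!r}")
        ranges.append((low, high))
    return ranges

class SecurityGroup:
    """Hypothetical in-memory model of one security group and its rule lists."""
    def __init__(self, sg_id, is_default=False):
        self.sg_id, self.is_default = sg_id, is_default
        self.rules = {"inbound": [], "outbound": []}
        self.interfaces = set()  # ids of network interfaces the group is assigned to

    def add_rule(self, direction, proto, peer, ports=None, description=""):
        """Mirror the Add dialog: peer is a CIDR or an sg-... id (source for inbound,
        destination for outbound); one rule is created per port entry; the
        per-direction cap is enforced. Returns the number of rules created."""
        if proto not in ("tcp", "udp") and ports is not None:
            raise ValueError("port access can only be restricted for TCP and UDP")
        if not peer.startswith("sg-"):
            ipaddress.ip_network(peer)  # rejects malformed CIDRs such as 0.0.0.0.0/0
        new = [{"proto": proto, "peer": peer, "ports": p, "description": description}
               for p in parse_ports(ports)]
        if len(self.rules[direction]) + len(new) > MAX_RULES_PER_DIRECTION:
            raise ValueError(f"no more than {MAX_RULES_PER_DIRECTION} {direction} rules")
        self.rules[direction].extend(new)
        return len(new)

def can_delete(group, all_groups):
    """The page's three deletion criteria: not assigned to any interface, not the
    default group, and not used as a source/destination by a rule in any group."""
    referenced = any(rule["peer"] == group.sg_id
                     for g in all_groups for rules in g.rules.values() for rule in rules)
    return not group.interfaces and not group.is_default and not referenced
```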
Modify a rule#
You can change any rule parameters except for the source type from which access is allowed (network or security group). To modify an inbound or outbound rule in a specific security group:
Go to Virtual machines > Security > Security groups.
Find the security group in the resource table and click its ID to go to the group page.
Open the required Inbound rules or Outbound rules tab, select the rule to be modified in the resource list, and click Modify.
In the dialog window, you can edit the following parameters:
Rule description.
Protocol — Instead of the protocol in use, you can set a different one or select all protocols. If the required protocol is not on the list, select Other.
Protocol number — If the protocol is not on the list, set its number according to IANA.
Port access — For TCP and UDP, you can change whether all or specific ports can be accessed.
Ports — If access only to specific ports has been selected, you can specify a different port or port range.
Network/Security group — If access was granted from a network or from all addresses, you can specify a different network, including granting access from everywhere (0.0.0.0/0). If access was granted from a security group, you can select a different security group.
Once the parameters are edited, click Change to save the rule.
Delete a rule#
You can delete several rules simultaneously.
Go to Virtual machines > Security > Security groups.
Find the security group in the resource table and click its ID to go to the group page.
Open the required Inbound rules or Outbound rules tab, select the rule(s) to be deleted in the resource list, and click Delete.
To confirm the action, click Delete.
Security group information#
For general information about the existing security groups, see the Security groups subsection. To view all security groups in the project, select All VPC in the VPC filter. To display security groups from a particular VPC, select the desired VPC in the filter.
To view detailed information about a particular security group, go to Virtual machines > Security > Security groups and select the desired security group from the list. To facilitate the group search in the table, select its relevant VPC in the VPC filter or use the table search.
Once you have selected the desired security group, click its ID. The group page provides group information, inbound and outbound rule lists, details of the network interfaces which the group is associated with, and tag details.
The Information tab displays the security group name and description, the Name tag value (if assigned), the number of network interfaces which the group is associated with, and the VPC in which it was created. You can also change the group description or delete it.
In the Inbound rules tab, you can view the list of inbound rules. You can add or delete a rule, as well as change its description.
In the Outbound rules tab, you can view the list of outbound rules. You can add or delete a rule, as well as change its description.
The Interfaces tab displays information about the network interfaces which this group is associated with.
In the Tags tab, you can view tags assigned to the security group. You can add, change and delete tags.