Security groups#

General information#

Security groups describe rules for traffic filtering on network interfaces of the instances connected to a subnet, thus acting as a virtual firewall.

Default security group#

A default security group is created together with a VPC. It is associated with each network interface automatically when the interface is created.

Inbound rules for the default security group#

Protocol | Source                           | Ports | Description
---------|----------------------------------|-------|----------------------------------------------------------------------
All      | The security group (sg-XXXXXXXX) | All   | Enables inbound traffic from interfaces with the default security group

Outbound rules for the default security group#

Protocol | Destination | Ports | Description
---------|-------------|-------|---------------------------------
All      | 0.0.0.0/0   | All   | Allows all outbound IPv4 traffic

You can change the rules of the default security group or associate your security groups with a network interface (up to five security groups per network interface). In each security group, you can define rules for both inbound and outbound traffic.

Stateful inspection#

Security groups perform stateful traffic filtering: for each new allowed network connection, a temporary reverse rule is created automatically. This rule dynamically allows the return traffic of that connection without any explicit rule in the opposite direction.

Note

Suppose, for example, that a web server runs on an instance in the cloud and listens on TCP port 80. The respective network interface has the web-sg security group associated with it, with a single inbound allow rule tcp/80, 0.0.0.0/0. The list of outbound rules is empty. When a TCP session is established between a client and the web server, a temporary outbound allow rule is created: proto: tcp, source port: 80, destination port: XXXX, destination IP: client IP, where XXXX is an ephemeral port that the client operating system selects dynamically for the current TCP session. This rule remains in effect until the connection is closed or the timeout expires. The length of the timeout depends on the protocol.
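The following is an added illustration (not code from this documentation or the cloud platform) that models the stateful behaviour described above: static inbound and outbound rules plus a connection table that plays the role of the temporary reverse rules. The Rule, Packet and StatefulSecurityGroup names and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp", "icmp" or "all"
    ports: str   # "80", "1024-65535" or "all"; matched against the destination port
    peer: str    # source CIDR for inbound rules, destination CIDR for outbound rules

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the instance) or "out" (from the instance)
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def port_matches(spec: str, port: int) -> bool:
    if spec == "all":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    peer_ip = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (rule.proto in ("all", pkt.proto)
            and port_matches(rule.ports, pkt.dst_port)
            and ip_address(peer_ip) in ip_network(rule.peer))

def conn_key(pkt: Packet):
    # (proto, local ip, local port, peer ip, peer port): identical for both directions of one flow
    if pkt.direction == "in":
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

class StatefulSecurityGroup:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.connections = set()   # tracked flows; a close or timeout would discard the key

    def allow(self, pkt: Packet) -> bool:
        key = conn_key(pkt)
        if key in self.connections:        # return traffic of an already allowed connection
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(rule_matches(r, pkt) for r in rules):
            self.connections.add(key)      # this is where the temporary reverse rule appears
            return True
        return False
```

With an inbound tcp/80 rule and no outbound rules, the server's reply to a client SYN is allowed, while an unsolicited outbound connection from the instance is not.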

Operations with security groups#

Create a security group#

To create a security group, go to the Security Groups section and click Create. In the dialog window, select the VPC in which the security group should be created, then enter the group name and description.

Optionally, you can also specify the Name tag. To add tags with arbitrary keys, click Add tags. After setting all the required parameters, confirm your choice.

Assign a security group to an interface#

You can assign a security group to any network interface or remove it from the assigned ones in the Security groups tab on the page of the respective interface. How to change security groups of a network interface is detailed in the respective section of documentation on network interfaces. The list of interfaces to which a specific security group was assigned can be viewed in the Network interfaces tab on the page of the respective group.

Assign tags to a security group#

To assign tags to a security group, go to its page and open the Tags tab. To add a tag, click Add tag and specify the tag key and value. If no tags have been assigned yet, you can use the Add Name tag button directly and set its value. To assign other tags, click Add tag. Once you have set all tags, click Apply.

If necessary, you can also edit the keys and values of existing tags and delete no-longer-needed tags.

Edit the description of a security group#

To change a security group description, go to its page and open the Information tab. To change the security group name, description, and the Name tag value, edit the corresponding parameters.

Delete a security group#

You can delete a security group only if it meets the following criteria:

  • the security group is not assigned to any network interface;

  • the security group is not the default security group;

  • the security group is not set as a source or a destination in another security group.

If all the criteria for deleting a security group are met, select it from the list in the Security Groups section, or go to its page and open the Information tab, and then click Delete.

Working with rules#

Add a rule#

To add an inbound or outbound rule, click Add in a respective tab on the security group page and specify the required access parameters. The new rule is automatically applied to all interfaces associated with this security group.

Attention

Rules, where the source/destination is a security group, are limited to a single availability zone. If you want to permit traffic between network interfaces located in different availability zones, specify IP addresses as the sources/destinations in the permitting rules.

Attention

There can be no more than 50 inbound or outbound rules in each security group.

Note

If a security group is associated with a network interface whose sourceDestCheck parameter is disabled, you cannot use this security group as a source, neither in its own inbound rules nor in the inbound rules of other security groups.
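As an added example (not part of this documentation or the platform's API), the checks below encode the constraints stated on this page for adding a rule (the rule limit and the sourceDestCheck restriction) and the three criteria for deleting a security group, so they can be run as a pre-flight check before a console or automation change. The data classes, function names and sample IDs are assumptions; the 50-rule limit is read here as applying per direction.

```python
from dataclasses import dataclass, field

MAX_RULES_PER_DIRECTION = 50   # limit stated on the page; per-direction reading is an assumption

@dataclass
class Rule:
    direction: str   # "inbound" or "outbound"
    proto: str
    ports: str
    peer: str        # CIDR, or a security group ID such as "sg-XXXXXXXX"

@dataclass
class SecurityGroup:
    sg_id: str
    is_default: bool = False
    rules: list = field(default_factory=list)

@dataclass
class NetworkInterface:
    eni_id: str
    source_dest_check: bool = True
    groups: list = field(default_factory=list)   # IDs of the assigned security groups

def add_rule_errors(group, rule, interfaces):
    """Reasons the page's constraints forbid adding `rule` to `group`; empty means allowed."""
    errors = []
    if sum(r.direction == rule.direction for r in group.rules) >= MAX_RULES_PER_DIRECTION:
        errors.append(f"{group.sg_id} already has {MAX_RULES_PER_DIRECTION} {rule.direction} rules")
    if rule.direction == "inbound" and rule.peer.startswith("sg-"):
        # A group attached to an interface with sourceDestCheck disabled cannot be a source.
        for eni in interfaces:
            if rule.peer in eni.groups and not eni.source_dest_check:
                errors.append(f"{rule.peer} cannot be a source: {eni.eni_id} has sourceDestCheck disabled")
    return errors

def delete_errors(group, groups, interfaces):
    """Deletion criteria from the page: unassigned, not the default group, not referenced elsewhere."""
    errors = []
    if group.is_default:
        errors.append(f"{group.sg_id} is the default security group")
    for eni in interfaces:
        if group.sg_id in eni.groups:
            errors.append(f"{group.sg_id} is still assigned to {eni.eni_id}")
    for other in groups:
        if other is not group and any(r.peer == group.sg_id for r in other.rules):
            errors.append(f"{group.sg_id} is referenced by a rule in {other.sg_id}")
    return errors
```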

Edit a rule description#

To change the rule description, go to the security group page and open the appropriate tab: Inbound rules or Outbound rules. Select a rule from the list and click Edit description. In the dialog window, edit the description (or add it if there was no description).

Delete a rule#

To delete an inbound or outbound rule, select the rule from the list in the respective tab on the security group page and click Delete. After confirmation, the rule will be deleted. You may delete several rules simultaneously.

Security group information#

For general information about the existing security groups, see the Security groups section. To view all security groups in the project, select All VPC in the VPC filter. To display security groups from a particular VPC, select the desired VPC in the filter.

To view detailed information about a particular security group, go to the Security groups section and select the desired security group from the list. To facilitate the group search in the table, select its relevant VPC in the VPC filter or use the table search.

Once you have selected the desired security group, click its ID. The group page provides group information, inbound and outbound rule lists, details of the network interfaces which the group is associated with, and tag details.

The Information tab displays the security group name and description, the Name tag value (if assigned), the number of network interfaces which the group is associated with, and the VPC in which it was created. You can also change the group description or delete it.

In the Inbound rules tab, you can view the list of inbound rules. You can add or delete a rule, as well as change its description.

In the Outbound rules tab, you can view the list of outbound rules. You can add or delete a rule, as well as change its description.

The Interfaces tab displays information about the network interfaces which this group is associated with.

In the Tags tab, you can view tags assigned to the security group. You can add or change tags.