Security groups define traffic-filtering rules for the network interfaces of instances connected to a subnet; each group acts as a virtual firewall in front of every interface it is associated with.
Default security group#
A default security group is created together with each VPC. It is associated with a network interface when the interface is created.
The default security group (sg-XXXXXXXX):
allows inbound traffic from network interfaces that are associated with the default security group;
allows all outbound IPv4 traffic.
Note what the first rule implies: every interface that carries the default group can reach every other interface that carries it, on any port and protocol. If instances in one VPC should not be able to reach each other freely, tighten the default group's rules or replace it with purpose-specific groups.
You can change the rules of the default security group or associate security groups of your own with a network interface (up to five security groups per network interface). In each security group, you can define rules for both inbound and outbound traffic.
Security groups perform stateful traffic filtering: for each new allowed connection, a temporary reverse rule is created automatically that dynamically allows the return traffic of that connection. You therefore do not need a broad outbound rule just to let replies to inbound connections through.
Suppose, for example, that a web server runs on a cloud instance and listens on TCP port 80. The instance's network interface has the web-sg security group associated with it, which contains a single inbound allow rule, tcp/80 from 0.0.0.0/0, and an empty list of outbound rules. When a client establishes a TCP session with the web server, a temporary outbound allow rule is created: proto: tcp, source port: 80, destination port: XXXX, destination IP: client IP, where XXXX is the ephemeral port that the client operating system selected for this TCP session. The rule remains in effect until the connection is closed or its timeout expires; the length of the timeout depends on the protocol.
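The following toy model replays the web-sg scenario in code. It is an added example, not the cloud platform's implementation: the connection-tracking table stands in for the temporary reverse rule, the timeout values and all IP addresses are constructed assumptions (the page only says the timeout depends on the protocol), and it also shows two cases the paragraph leaves implicit: the server cannot open connections of its own while the outbound list is empty, and a packet from port 80 to a host that never connected is not treated as return traffic.

```python
"""Toy model of stateful security-group filtering (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Assumed idle timeouts in seconds for the temporary reverse rule; the real values
# are platform-specific and not given on the page.
TIMEOUTS = {"tcp": 120, "udp": 30}


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int    # destination port the rule permits
    cidr: str    # remote prefix: source for inbound rules, destination for outbound rules

    def matches(self, proto: str, port: int, remote_ip: str) -> bool:
        return (self.proto == proto and self.port == port
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # Connection tracking: 5-tuple of each permitted flow -> expiry time.
    # One entry plays the role of the page's "temporary reverse rule".
    conntrack: dict = field(default_factory=dict)

    def _tracked(self, pkt: Packet, now: float) -> bool:
        """True if pkt belongs, in either direction, to a flow that is still tracked."""
        forward = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        for key in (forward, reverse):
            expiry = self.conntrack.get(key)
            if expiry is None:
                continue
            if now > expiry:
                del self.conntrack[key]       # timeout expired: the reverse rule is gone
                return False
            self.conntrack[key] = now + TIMEOUTS[pkt.proto]   # traffic keeps the entry alive
            return True
        return False

    def evaluate(self, direction: str, pkt: Packet, now: float) -> bool:
        """Decide a packet; direction is "in" (arriving at the interface) or "out" (leaving it)."""
        if self._tracked(pkt, now):
            return True            # return traffic of an already allowed connection
        if direction == "in":
            rules, remote = self.inbound, pkt.src_ip
        else:
            rules, remote = self.outbound, pkt.dst_ip
        if any(r.matches(pkt.proto, pkt.dst_port, remote) for r in rules):
            # New allowed connection: remember it so that its return traffic passes.
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.conntrack[key] = now + TIMEOUTS[pkt.proto]
            return True
        return False


def web_server_scenario() -> dict:
    """Replay the page's example: inbound tcp/80 from anywhere, no outbound rules."""
    web_sg = SecurityGroup("web-sg", inbound=[Rule("tcp", 80, "0.0.0.0/0")], outbound=[])
    server, client, other = "10.0.0.10", "203.0.113.7", "198.51.100.5"   # constructed addresses
    syn = Packet("tcp", client, 51234, server, 80)       # client -> server, ephemeral port 51234
    syn_ack = Packet("tcp", server, 80, client, 51234)   # the server's reply
    return {
        "client_syn": web_sg.evaluate("in", syn, now=0),
        "server_reply": web_sg.evaluate("out", syn_ack, now=1),
        # The server cannot open its own connections: no outbound rule and no tracked flow.
        "server_initiated": web_sg.evaluate("out", Packet("tcp", server, 40000, other, 443), now=2),
        # A packet from port 80 to a host that never connected is not return traffic either.
        "unsolicited_from_80": web_sg.evaluate("out", Packet("tcp", server, 80, other, 51234), now=2),
        # Once the connection has idled past the timeout, the reverse rule has expired.
        "reply_after_timeout": web_sg.evaluate("out", syn_ack, now=1 + TIMEOUTS["tcp"] + 1),
    }
```

Only `client_syn` and `server_reply` are permitted; the other three decisions are denials. The model tracks flows by 5-tuple in both directions, so a second packet of an already accepted connection is passed without being re-matched against the rule list, which is also why adding an outbound rule is the only way for the instance to originate traffic.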
Operations with security groups#
Create a security group#
To create a security group, go to the Security Groups section and click Create. In the dialog window, select the VPC in which the security group should be created, then enter the group name and description.
Optionally, you can also specify the Name tag. To add tags with arbitrary keys, click Add tags. After setting all the required parameters, confirm your choice.
Assign a security group to an interface#
You can assign a security group to any network interface, or remove an assigned one from it, in the Security groups tab on the page of the respective interface. How to change the security groups of a network interface is described in the network interfaces section of the documentation. The list of interfaces to which a specific security group is assigned can be viewed in the Network interfaces tab on the page of that group.
Edit the description of a security group#
To change a security group's name, description, or Name tag value, go to its page, open the Information tab, and edit the corresponding parameters.
Delete a security group#
You can delete a security group only if it meets all of the following criteria:
the security group is not assigned to any network interface;
the security group is not the default security group;
the security group is not used as a source or a destination in the rules of another security group.
If all the criteria are met, select the group from the list in the Security Groups section, or go to its page and open the Information tab, and then click Delete.
Working with rules#
Add a rule#
To add an inbound or outbound rule, click Add in the respective tab on the security group page and specify the required access parameters. The new rule is applied automatically to all interfaces associated with this security group.
Rules whose source or destination is a security group only match traffic within a single availability zone. To permit traffic between network interfaces located in different availability zones, specify IP addresses or prefixes as the sources/destinations of the permitting rules instead. Keep such address-based rules as narrow as possible: unlike a group-based rule, they keep matching whatever is later assigned those addresses.
There can be no more than 50 inbound or outbound rules in each security group.
If a security group is associated with a network interface whose sourceDestCheck parameter is disabled, you cannot use that security group as a source, either in its own inbound rules or in the inbound rules of other security groups.
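The constraints above (rule and group limits, the single-zone scope of group-based rules, the sourceDestCheck restriction) and the three deletion criteria from the previous section are the kind of thing worth checking before a change is applied rather than discovering from an error in the console. The following linter is an added example, not the platform's API or code: the group, rule and interface records are hypothetical in-memory objects standing in for an inventory export, and the sample inventory is constructed.

```python
"""Pre-flight checks for the security-group constraints described on this page (constructed example)."""
from dataclasses import dataclass, field

MAX_RULES_PER_DIRECTION = 50    # limit stated on the page
MAX_GROUPS_PER_INTERFACE = 5    # limit stated on the page


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp" or "any" (hypothetical spelling for all protocols)
    port: int
    peer: str    # a CIDR such as "10.0.0.0/8" or a group ID such as "sg-web"

    @property
    def peer_group(self):
        return self.peer if self.peer.startswith("sg-") else None


@dataclass
class SecurityGroup:
    sg_id: str
    is_default: bool = False
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass
class NetworkInterface:
    eni_id: str
    az: str                      # availability zone
    security_groups: list
    source_dest_check: bool = True


def lint(groups, interfaces):
    """Return findings for rules the platform would reject or that would not match as intended."""
    findings = []
    by_id = {g.sg_id: g for g in groups}
    zones = {g.sg_id: {ni.az for ni in interfaces if g.sg_id in ni.security_groups} for g in groups}
    no_check = {sg for ni in interfaces if not ni.source_dest_check for sg in ni.security_groups}
    for ni in interfaces:
        if len(ni.security_groups) > MAX_GROUPS_PER_INTERFACE:
            findings.append(f"{ni.eni_id}: more than {MAX_GROUPS_PER_INTERFACE} security groups")
    for g in groups:
        for direction, rules in (("inbound", g.inbound), ("outbound", g.outbound)):
            if len(rules) > MAX_RULES_PER_DIRECTION:
                findings.append(f"{g.sg_id}: more than {MAX_RULES_PER_DIRECTION} {direction} rules")
            for r in rules:
                peer = r.peer_group
                if peer is None:
                    continue
                if peer not in by_id:
                    findings.append(f"{g.sg_id}: {direction} rule references unknown group {peer}")
                    continue
                if direction == "inbound" and peer in no_check:
                    findings.append(f"{g.sg_id}: inbound rule uses {peer} as source, but {peer} is on an "
                                    f"interface with sourceDestCheck disabled")
                # Group-based rules only match within one availability zone: if the two
                # groups' interfaces span several zones, the cross-zone pairs are not covered.
                spread = zones[g.sg_id] | zones[peer]
                if len(spread) > 1:
                    findings.append(f"{g.sg_id}: {direction} rule to/from {peer} spans zones "
                                    f"{sorted(spread)}; use IP addresses for cross-zone traffic")
    return findings


def deletion_blockers(sg_id, groups, interfaces):
    """Apply the three deletion criteria; an empty list means the group can be deleted."""
    group = next(g for g in groups if g.sg_id == sg_id)
    blockers = []
    if group.is_default:
        blockers.append("it is the default security group")
    attached = [ni.eni_id for ni in interfaces if sg_id in ni.security_groups]
    if attached:
        blockers.append("it is assigned to " + ", ".join(attached))
    referencing = [o.sg_id for o in groups if o.sg_id != sg_id
                   and any(r.peer == sg_id for r in o.inbound + o.outbound)]
    if referencing:
        blockers.append("it is used as source/destination in " + ", ".join(referencing))
    return blockers


# Constructed inventory: a NAT instance with sourceDestCheck off, a web tier in zone a,
# an app tier spread over zones a and b, and a group nothing uses any more.
GROUPS = [
    SecurityGroup("sg-default", is_default=True,
                  inbound=[Rule("any", 0, "sg-default")], outbound=[Rule("any", 0, "0.0.0.0/0")]),
    SecurityGroup("sg-nat", outbound=[Rule("any", 0, "0.0.0.0/0")]),
    SecurityGroup("sg-web", inbound=[Rule("tcp", 80, "0.0.0.0/0")]),
    SecurityGroup("sg-app", inbound=[Rule("tcp", 8080, "sg-web"), Rule("tcp", 22, "sg-nat")]),
    SecurityGroup("sg-old"),
]
INTERFACES = [
    NetworkInterface("eni-nat", "a", ["sg-nat"], source_dest_check=False),
    NetworkInterface("eni-web", "a", ["sg-web", "sg-default"]),
    NetworkInterface("eni-app-a", "a", ["sg-app"]),
    NetworkInterface("eni-app-b", "b", ["sg-app"]),
]
```

On this inventory `lint` reports three findings: the sg-app rule that names sg-nat as a source is rejected because sg-nat sits on the NAT interface with sourceDestCheck disabled, and both group-based rules of sg-app are flagged because the app interfaces in zone b cannot be matched by a rule referring to groups whose interfaces are in zone a. `deletion_blockers("sg-old")` is empty, while sg-web is blocked twice (still attached to eni-web and still referenced from sg-app) and sg-default is blocked because it is the default group and attached.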
Edit a rule description#
To change a rule's description, go to the security group page and open the appropriate tab, Inbound rules or Outbound rules. Select the rule from the list and click Edit description. In the dialog window, edit the description (or add one if the rule had none).
Delete a rule#
To delete an inbound or outbound rule, select the rule from the list in the respective tab on the security group page and click Delete. After confirmation, the rule will be deleted. You may delete several rules simultaneously.
Security group information#
For general information about the existing security groups, see the Security groups section. To view all security groups in the project, select All VPC in the VPC filter. To display security groups from a particular VPC, select the desired VPC in the filter.
To view detailed information about a particular security group, go to the Security groups section and select the desired security group from the list. To facilitate the group search in the table, select its relevant VPC in the VPC filter or use the table search.
Once you have selected the desired security group, click its ID. The group page provides group information, inbound and outbound rule lists, details of the network interfaces which the group is associated with, and tag details.
The Information tab displays the security group name and description, the Name tag value (if assigned), the number of network interfaces which the group is associated with, and the VPC in which it was created. You can also change the group description or delete it.
The Interfaces tab displays information about the network interfaces which this group is associated with.
In the Tags tab, you can view tags assigned to the security group. You can add or change tags.