OVERVIEW
A security group consists of network access rules that govern the incoming and outgoing traffic for virtual machines assigned to it. Through security group rules, you can define the type and direction of traffic permitted to access a virtual interface port. Any traffic that fails to meet the criteria of these rules is automatically blocked.
Each project comes with a default security group, created by default within the compute cluster. This default group grants unrestricted access across all ports and protocols and cannot be removed. When attaching a network interface to a VM, the interface is linked to the default security group unless a custom security group is specifically chosen.
You can assign multiple security groups to both new and existing virtual machines. Any additions or deletions of rules within these security groups are applied immediately, ensuring that changes take effect in real time.
Limitations:
You can manage only IPv4 security group rules.
Creating Security Group
- On the Security Groups screen, click Add security group.
- In the Add security group window, specify a name and description for the group, and then click Add.
By default, the new security group will deny all incoming traffic and allow only outgoing traffic to assigned virtual machines.
Deleting Security Group
- On the Security Groups screen, click the required security group.
- On the group right pane, click Delete.
- Click Delete in the confirmation window.
Managing Security Group Rules
You can modify security groups by adding and removing rules. Editing rules is not available. If you need to change the existing rule, remove it and recreate it with the required parameters.
Prerequisites:
- You have a security group created, as described in Creating and Deleting Security Groups.
Adding Rule to Security Group
- On the Security groups screen, click the security group to add a rule to.
- On the group right pane, click Add in the Inbound or Outbound section to create a rule for incoming or outgoing traffic.
- Specify the rule parameters:
- Select a protocol from the list or enter a number from 0 to 255.
- Enter a single port or a port range. Some protocols already have a predefined port range. For example, the port for SSH is 22.
- Select a predefined subnet CIDR or an existing security group.
- Click the check mark to save the changes.
As soon as the rule is created, it is applied to all of the virtual machines assigned to the security group.
Removing Rule from Security Group
- On the Security Groups screen, click the required security group.
- On the group right pane, click the bin icon next to a rule you want to remove.
As soon as the rule is removed, this change is applied to all of the virtual machines assigned to the security group.
Changing Security Group Assignment
When you create a VM, you select security groups for the VM network interfaces. You can also change assigned security groups later.
Limitations:
- You cannot configure security groups if spoofing protection or IP address management are disabled for the selected network.
Viewing Virtual Machines Assigned to Security Group
- On the Security groups screen, click the required security group.
- On the group right pane, navigate to the Assigned VMs tab. All the assigned virtual machines will be shown along with their status.
You can click the VM name to go to the VM Overview pane and change the security group assignment for its network interfaces.
Assigning Security Group to Virtual Machine
- On the Virtual machines screen, click the required virtual machine.
- On the Overview tab, click the pencil icon in the Networks section.
- Click the ellipsis icon next to the network interface to assign a security group to, and then click Edit.
- In the Edit network interface window, go to the Security groups tab.
- Select one or more security groups from the drop-down list, and then click Save.
The rules from chosen security groups will be applied at runtime.