Security Group on a VM
A Security Group is a network-layer firewall you manage — it decides which traffic is allowed in and out of a VM. You can attach multiple Security Groups to a single VM; their rules are merged (OR logic).
This page covers attaching/detaching Security Groups on a VM. To define new port rules, see Security Group.
When to change Security Groups?
- Open a new port for an application (for example, port 8080 for a web app).
- Restrict SSH to a fixed source IP.
- Separate production VMs from development with different firewall groups.
Steps
Step 1. Open the VM detail page
Go to Cloud Server → Servers and click the VM.
Step 2. Open the Security group tab
Click the Security group tab (or the Security group button at the top right of the detail page). The Security group đã thiết lập table lists, per Network Interface (by IP), the Security Groups attached — shown as chips, e.g. Default.
Step 3. Attach or remove a Security Group
- Attach: click + Thêm security group, pick a group from the Chọn security group dropdown, then click Thêm.
- Remove: click the × on the Security Group chip.
The change applies immediately — no VM reboot needed. Existing connections that no longer match a rule may be cut; new connections honour the new configuration.
- One Security Group per workload type (web, db, internal) instead of a single SG for the whole account.
- Avoid
0.0.0.0/0for admin ports (SSH, RDP, DB) — open them only to specific IPs. - Before detaching a Security Group that currently holds your SSH session, make sure you can still reach the VM via Portal Console in case you lock yourself out.