Security Group
A Security Group is a set of firewall rules attached to a VM (or a Network Interface) to control traffic. Properties:
- Stateful — replies to allowed connections pass through automatically; no return-rule needed.
- Default deny on Ingress — only traffic matching a rule is allowed in.
- Default allow on Egress in the default Security Group — VMs can call out freely.
- Additive when multiple SGs are attached — rules across all SGs are OR-combined.
Create a Security Group
Step 1. Open the Security Group page
Go to Network → Security Group and click + Create Security Group.

Step 2. Name and describe
Name by role (web-public, db-private, bastion-only…) and add a short description.

The new Security Group ships with a default Egress rule (allow everything outbound) — you only need to add Ingress rules for the ports you want to open.
Add a rule to a Security Group
Step 1. Open the SG detail page
Click the SG name in the list.

Step 2. Create a rule
Click + Create rule.

Step 3. Configure the rule
| Field | Meaning | Example |
|---|---|---|
| Protocol | TCP, UDP, ICMP | TCP |
| Direction | Ingress (in) or Egress (out) | Ingress |
| Port / Port Range | Destination port of the packet | 22 or 8000-9000 |
| Remote — CIDR | Source/destination IP range | 0.0.0.0/0 or 203.0.113.10/32 |
| Remote — Security Group | Allow traffic from VMs in another SG | sg-app-tier |
| Description | Note | SSH from office |
Click Confirm.

Step 4. Verify the rule
The new rule shows up in the Rules tab and applies immediately to every VM that has this SG attached.

Common rule sets
Public web server
| Direction | Protocol | Port | Remote | Purpose |
|---|---|---|---|---|
| Ingress | TCP | 80 | 0.0.0.0/0 | HTTP |
| Ingress | TCP | 443 | 0.0.0.0/0 | HTTPS |
| Ingress | TCP | 22 | <office-IP>/32 | SSH from the office only |
Internal database
| Direction | Protocol | Port | Remote | Purpose |
|---|---|---|---|---|
| Ingress | TCP | 3306 | sg-app-tier | MySQL only from app servers |
| Ingress | TCP | 22 | sg-bastion | SSH only through the bastion |
There is no rule opening 3306 to 0.0.0.0/0 — the database is never exposed to the Internet.
Bastion / jump host
| Direction | Protocol | Port | Remote | Purpose |
|---|---|---|---|---|
| Ingress | TCP | 22 | <office-IP>/32 | SSH from the office only |
Internal VMs then only accept SSH from sg-bastion.
Security recommendations
- Never open 0.0.0.0/0 for admin ports (SSH 22, RDP 3389, DB 3306/5432, …) — restrict to specific IPs.
- Split Security Groups by tier (web / app / db) — don't dump every rule into a single SG.
- Use a Security Group as the Remote instead of a CIDR for internal traffic — auto-updates when VM IPs change.
- Audit regularly and remove rules you no longer use to shrink the attack surface.
Adding or removing a rule takes effect right away for every VM with the SG attached. Before removing a rule for an admin port (SSH/RDP), make sure you have an alternative channel (Portal Console, another SG covering that port) so you don't lock yourself out.
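To make the stateful/default-deny/additive properties and the recommendations above concrete, here is an added Python example (not part of this page or the portal's own tooling). It models rules as the table describes, evaluates the OR-combined allow decision for an inbound packet across every SG attached to a VM, and audits rule sets for admin ports exposed to 0.0.0.0/0. `Rule`, `allowed`, `audit` and the sample groups are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the rules this page describes (not the portal's own API).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" or "egress"
    protocol: str             # "tcp", "udp" or "icmp"
    port_min: int             # destination port range (0-0 for icmp)
    port_max: int
    remote_cidr: str = None   # Remote given as CIDR, e.g. "0.0.0.0/0"
    remote_sg: str = None     # Remote given as another Security Group name

def rule_matches(rule, direction, protocol, port, src_ip, src_sgs):
    """True if this single rule admits the packet."""
    if rule.direction != direction or rule.protocol != protocol:
        return False
    if not rule.port_min <= port <= rule.port_max:
        return False
    if rule.remote_cidr is not None:
        return ip_address(src_ip) in ip_network(rule.remote_cidr, strict=False)
    return rule.remote_sg in src_sgs    # source VM must belong to that SG

def allowed(attached, direction, protocol, port, src_ip, src_sgs=()):
    """Additive semantics: the packet passes if ANY rule in ANY attached SG
    matches (OR-combined); default deny when nothing matches."""
    return any(rule_matches(r, direction, protocol, port, src_ip, src_sgs)
               for rules in attached.values() for r in rules)

def audit(groups):
    """Flag ingress rules that expose an admin port to 0.0.0.0/0."""
    findings = []
    for name, rules in groups.items():
        for r in rules:
            if (r.direction != "ingress" or r.remote_cidr is None
                    or ip_network(r.remote_cidr, strict=False).prefixlen != 0):
                continue                # egress, SG-based, or a specific range
            for port, svc in ADMIN_PORTS.items():
                if r.port_min <= port <= r.port_max:
                    findings.append(f"{name}: {svc} {port}/{r.protocol} open to {r.remote_cidr}")
    return findings

# Constructed sample: web-public wrongly opens SSH to the world; db-private follows the page.
WEB_PUBLIC = [Rule("ingress", "tcp", 80, 80, remote_cidr="0.0.0.0/0"),
              Rule("ingress", "tcp", 443, 443, remote_cidr="0.0.0.0/0"),
              Rule("ingress", "tcp", 22, 22, remote_cidr="0.0.0.0/0")]
DB_PRIVATE = [Rule("ingress", "tcp", 3306, 3306, remote_sg="sg-app-tier"),
              Rule("ingress", "tcp", 22, 22, remote_sg="sg-bastion")]
GROUPS = {"web-public": WEB_PUBLIC, "db-private": DB_PRIVATE}
```

Attaching both groups to one VM shows the additive pitfall: `allowed(GROUPS, "ingress", "tcp", 22, "198.51.100.7")` is True even though db-private alone would refuse it, and `audit(GROUPS)` names the offending rule.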
See also
- Attach Security Groups to a VM — attach/detach the SGs you create.
- Floating IP — public IP that needs the right Security Group to receive traffic.
- SSH/RDP — which ports to open for remote access.