Security Groups

Security Groups Introduction

Security groups are firewall (whitelist) rules applied to the virtual network interfaces to control the inbound and outbound traffic. Traffic that does not match any rule in the security group will be discarded. Security group rules are realized using stateful session tracking. This means that you must specify a rule only for the direction in which the session is initiated, with the other direction being implied.

  1. A VPC automatically includes a default security group. Each instance that you launch in your VPC is automatically associated with the default security group unless you specified a different security group when you launched the instance.

  2. When you create a security group, you must provide it with a name and a description. The following rules apply:

    1. Names and descriptions can be up to 255 characters in length.

    2. For AWS compatibility, names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.

    3. A security group name cannot start with sg-.

    4. A security group name must be unique within the VPC.

  3. For each security group, you include one set of rules that controls the inbound traffic to the instances, and a separate set of rules that controls the outbound traffic from the instances.

  4. The following are the basic components of a security group rule in a VPC:

    1. For inbound rules only - The source of the traffic and the destination port or port range. The source can be another security group, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

    2. For outbound rules only - The destination for the traffic and the destination port or port range. The destination can be another security group, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

    3. Any protocol that has a standard protocol number (click here for a complete list of Protocol Numbers). If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.

Creating Security Groups

See the video demonstrating the basics of creating and configuring zCompute Security Groups and Source/Destination checks:

To create a security group:

  1. Navigate to Networking > Security Groups. From top toolbar, click Create.

  2. In the Create Security Group dialog, enter the following information:

    • Name – name of the security group.

    • Description (optional) - description of the security group.

    • VPC - select a VPC with which the security group should be associated.

  3. Near Rules, click Add. For each rule, enter the following:

    • Internet Protocol Version - select IPV4 or IPV6.

    • Direction - Select EGRESS for defining a rule for outbound traffic. Select INGRESS for defining a rule for inbound traffic

    • Protocol - Specify the protocol for which the rule will apply - ‘TCP’, ‘UDP’ or ‘ICMP’. Permit traffic from any protocol by selecting ‘Any’.

    • Start port and end port

      • If Protocol = ‘Any’, then leave blank.

      • If Protocol = ‘TCP’ or ‘UDP’, then enter the port range for the rule.

      • If Protocol = ‘ICMP’, then enter the ICMP Message Type in the first field and ICMP Code in the second field.

    • Source or Destination - Based on the rule’s Direction, select one of the following options to restrict or allow traffic from specified sources (INGRESS), or to specified destinations (EGRESS).

      • Any: No restrictions.

      • Group: Restrict to a specific group.

      • Subnet: Restrict to a specific CIDR or IP address.

  4. Click OK to create the security group. The new security group appears in the Networking > Security Groups view.

  5. To add another rule, click Add again.

Security Group Operations

After creation of a Security Group, it will be displayed in the list in the Networking > Security Group view. The following operations can be performed by selecting a security group from the list, and clicking the appropriate icon.

From top toolbar:

  • Modify - add or delete rules to the selected security group.

  • Detach - detach the security group from all associated network interfaces.

  • Delete - delete the selected security group.

From lower toolbar:

  • Rules - view rules associated with the selected security group.

  • VMs - view VM instances associated with the selected security group.

  • Events - view configuration events (info) or alarms for the route table.