Security Groups

About security groups

A security group is a set of IP filter rules that are applied to an instance's networking (you can also consider a security group as a container for security group rules). A security groups acts as a firewall template that controls the traffic for one or more instances. Once applied to an instance (or, strictly speaking, to a port of an instance, which is an instance connection to the network - visible by the instance as a virtual network adapter), it becomes an active firewall on that port.

Port security

The concept of security groups is connected to what is called the port security. Port security is a property (or feature) on a network port, which, once enabled, begins the traffic filtering. The port security alone acts as "block everything" rule. After that, when security group(s) are applied to a port, they add set of rules allowing certain types of the traffic (enabling certain ports or remote IPs).

Note that not every type of traffic that is blocked by the port security can be allowed by security groups. For example, the port security blocks the traffic with destination IP or mac address not belonging to a specific port, and this is not something that can be allowed by security groups. Therefore, on a router ports, since the routers need to receive and forward traffic for remote destination IPs, you would see port security being disabled.

Managing security groups

Security groups is essentially a set of rules to whitelist certain types of traffic. There are no rules to blacklist (block) traffic; the port security acts as a global one blocking all kind of traffic, before any whitelisting can be applied.

Therefore, there is no need to manage the order in which rules are applied - since only whitelisting is supported, any traffic not matching any rules will be automatically blocked.

Note that you can also apply multiple security group to an instance (and all the ports of this instance). In this case, all the rules from all the security groups are combined - for example, if one security group has a rule allowing incoming TCP port 22, and the other one does not have such a rule, and both security groups are applied to the instance - the instance will have incoming TCP port 22 traffic allowed.

When managing rules in the security groups, you can use the following parameters to match different traffic:

  • Protocol (TCP and UDP are examples of protocols working over IP).
  • Traffic direction - Ingress (incoming)/egress (outgoing).
  • IP version - IPv4 or IPv6.
  • Port ranges (to specify a single port, like 22, just use the range 22 to 22).
  • Remote IP or CIDR (for ingress traffic, remote is the source IP, and for egress - remote is the destination IP). Also, same or another security group can be specified as a remote security group - which means, the rule will match IP of any port which has that security group assigned.

The remote security group feature worth elaborating a little more. This feature allows creating rules that match certain IPs, without knowing in advance what these IPs will be. An example how that feature is used can be seen in the default security group created for any new project. That security group has a rule "allow ingress traffic from any protocol, from any port which participate in the same security group". As a result, you can create a set of "friendly" instances, which can communicate on any protocol and port without restriction, by simply assigning such a security group to them. At the same time, this rule does not leave the instances unprotected from the rest of the instances or from the Internet.

There is also a security group created by default - and it's called default. This group allows:

  • Egress traffic for IPv4 and IPv6, for any protocol on all ports.
  • Ingress traffic for IPv6, for any protocol on all ports.
  • Ingress traffic for IPv4, protocol ICMP protocol on all ports (ICMP protocol is used by the ping command).
  • Ingress traffic for IPv4, for any protocol on all ports, with the remote security group specified as current group.
  • Ingress traffic for IPv6, for any protocol on all ports, with the remote security group specified as current group. Basically, these two rules (the current one plus the one above), allows instances using this security group to communicate directly to each other without restrictions. At the same time these rules do not apply to any other instances or IPs.
  • Ingress traffic for IPv4, TCP protocol on port 22 (this is a port used by SSH).
  • Ingress traffic for IPv4, TCP protocol on port 3389 (the port used by Windows remote desktop protocol).

Portal operations for security groups

Creating a new security group

To create a new security group, go to the Networking -> Security groups in the portal navigation (left side of the browser). Then click on "Create security group" button. Provide a meaningful name (best if it describes purpose of the group, such as "Web servers"), and description if desired; then click "Create".

A newly created security group will have two rules added by default - allowing outgoing (egress) traffic for any port and protocol, for IPv4 and IPv6. No incoming traffic will be allowed by default. If needed, these rules can be removed.

Modifying a security group

To modify rules of the security group, click on the context menu button on top of the group, and chose "Modify". A list of rules will pop up, allowing you to delete existing rules, or add new ones. Note you can't modify an existing rule - you need to remove old one and add new instead.

When adding a rule to the security group, you can use rule templates on top fo the screen - these templates are build to pre-populate new rule with fields required for specific tasks and protocol (for example, to allow HTTP or HTTPS traffic, which are typically configured to listen on TCP ports 80 and 443 accordingly.

Note that when you modify an existing security group, these changes will apply to all the instances using that group (note however that it will take few seconds, sometimes up to 30). There will be no need to reapply the group to the instance to make these changes effective. Also, it is easy to see the list of instances a specific group is applied to - use the tab "Instances" on top of the same screen used to modify a security group.

Applying security group to an instance

To manage list of the security groups applied to an instance, go to the instance manage page (go to Instances in the navigation on your left side of the browser), select proper instance, click on context menu button (it is located in "Actions" column when grid view is used) and select "Manage". Then, on the "Detais" page of the instance, scroll down until you'll see the "Security groups" section.

You can remove a security group from the instance by clicking on "Remove" item in the context menu on that security group. To add a security group, clock on the "Manage" button on top of the "Security groups" section, and select the security groups you'd like to add.

Note that while port security is enabled, when all security groups are removed, any traffic (ingress/egress) will be blocked entirely (remember, rules in the security groups are whitelisting rules - so if nothing is whitelisted, nothing is allowed)