Create and manage cloud security groups
A security group is a set of firewall rules that control the inbound and outbound network traffic of an instance. To learn more about the key concepts and terminology, see Security Groups in xneelo Cloud.
Security groups can be assigned to an instance when it is created and edited at any time.
In this article, we’ve provided you with step-by-step guides on creating and managing security groups using the xneelo Cloud dashboard.
-
Security groups page
The Security Groups page provides a list of your security groups, information and actions to add or delete rules.
Steps
-
1Using the menu on the left, navigate to Network > Security Groups.
-
2A list of Helpful Articles is displayed at the top of the page.
-
3The Create Security Group button allows you to create new security groups.
-
4The Delete Security Group button allows you to delete existing security groups.
-
5The Security Group table shows a list of your current security groups and associated information in each column.
- Name: Name of the security group.
- Security Group ID: Unique identifier of the security group within the xneelo Cloud platform.
- Description: What this security group is used for.
-
6The Actions column provides a list of actions you can perform on each security group:
- Manage Rules: Create and delete ingress and egress rules.
- Edit Security Group: Update name and description fields.
- Delete Security Group: Permanently remove a security group and associated rules.
Read through the sections below for step-by-step guides on each action.
-
-
Default security group
Every Cloud project has a default security group which contains a set of rules that are commonly used.
The default security group cannot be deleted, but the rules can be changed. However, it is recommended to not edit the default security group and rather create a new group with custom rules.
If you delete any rules and want to add these rules back, you can use the table below to find the default rules list.
The following rules are set for the default security group:
Direction Ether Type IP Protocol Port Range Remote IP Prefix Remote Security Group Description Egress IPv4 Any Any 0.0.0.0/0 – Allows all outbound traffic on any port to any IPv4 address. Egress IPv6 Any Any ::/0 – Allows all outbound traffic on any port to any IPv6 address. Ingress IPv4 Any Any – default Allows all inbound IPv4 traffic to any port from servers with the default security group attached to them. Ingress IPv4 ICMP Any 0.0.0.0/0 – Allows inbound ICMP traffic to the IPv4 address of these resources from any external IPv4 address. Ingress IPv4 TCP 22 (SSH) 0.0.0.0/0 – Allows inbound SSH access to the IPv4 address of these resources from any external IPv4 address. Ingress IPv6 Any Any – default Allows all inbound IPv6 traffic to any port from servers with the default security group attached to them. Ingress IPv6 IPV6-ICMP Any ::/0 – Allows inbound ICMP traffic to the IPv4 address of these resources from any external IPv6 address. Ingress IPv6 TCP 22 (SSH) ::/0 – Allows inbound SSH access to the IPv6 address of these resources from any external IPv6 address.
-
Create a security group
This will create a new security group that can be assigned to instances.
To reduce the risk of error, it is recommended to create the minimum number of security groups that you need. You should use each security group to manage access to resources that have similar functions and security requirements.
When creating a new security group, there are no ingress rules set by default. This means that no inbound traffic is initially permitted.
There will be 2 egress rules set by default. These rules permit all outgoing traffic for IPV4 and IPV6.
Once the security group is created you can proceed to create the ingress and egress rules that you need.
Steps
-
1Using the menu on the left, navigate to Network > Security Groups.
-
2Click on the + Create Security Group button. The Create Security Group dialog will appear.
-
3In the Name field provide a name for the new security group. Names are not unique identifiers; multiple volumes may have the same name.
-
4In the Description field specify what this security group will be used for.
-
5Click on the Create Security Group button to confirm the action.
-
6The Manage Security Group Rules page will display.
-
7Proceed to add new rules (see steps below).
-
-
View rules in a security group
Security group rules are a way to define and control the inbound and outbound network traffic for instances by using allow rules. A security group is a collection of rules that define allowed traffic to and from instances.
Learn more about the components of security group rules.
Steps
-
1Using the menu on the left, navigate to Network > Security Groups.
-
2Find the security group that you want to view.
-
3Click on the Manage Rules button. The Manage Security Group Rules page will appear.
-
4The table shows the ingress and egress rules that are currently configured for this security group and the associated information in each column.
- Direction: The traffic direction this rule allows (ingress or egress).
- Ether Type: Whether the rule is set for IPV4 or IPV6.
- IP Protocol: The internet protocol this rule allows.
- Port Range: A single port or range of ports this rule allows.
- Remote IP Prefix: The IP address block (CIDR) this rule allows through.
- Remote Security Group: Access is allowed for any IP addresses in this security group.
- Description: What this rule is used for.
-
-
Add/remove rules in a security group
A security group can be updated at any time to add or remove rules. When you update the rules in a group your changes are automatically applied to all instances using that security group.
As a security best practice, you should only add rules that grant specific access for what is required. Avoid creating rules that allow wide access or encompass large port or IP ranges, as this heightens security risks.
Note: It is recommended to not edit the default security group and rather create a new group with custom rules.
Add a rule
Steps
-
1Using the menu on the left, navigate to Network > Security Groups.
-
2Find the security group that you want to edit.
-
3Click on the Manage Rules button. The Manage Security Group Rules page will appear.
-
4Click on the Add Rule button. The Add Rule dialog will appear.
-
5In the Rule field, select the type of rule you want to create: either a custom rule or a specific protocol. The fields displayed will differ, based on this selection.
-
6In the Description field specify what this rule will be used for.
-
7In the Direction field select what direction this rule applies to.
-
8In the Open Port field select the ports allowed for this rule, either:
- A single port
- A port range
- All ports (not recommended)
-
9If you select a single port, the Port field will appear: Enter the port number you wish to open.
-
10If you select a port range, the From Port and To Port fields will appear: Enter the starting and ending ports for the range.
-
11In the Remote field, select the source (for inbound rules) or destination (for outbound rules) for the traffic to allow, either:
- A CIDR address or range of addresses
- Security Group – a specific security group – all IP addresses in this group will be allowed.
-
12If you select Security Group above, the Ether Type field will appear: Select either the IPv4 or IPv6 protocol.
-
13Click the Add button to complete the action.
-
14The new rule will then be added to the security group.
-
15The new rule will immediately be applied to all instances using this security group.
Delete a rule
Steps
-
1Click on the Delete Rule button. The Confirm Delete Rule dialog will appear.
-
2Click the Delete Rule button to confirm the action.
-
3The rule will immediately be removed from all instances using this security group.
-
-
Edit security groups on an instance
You can add or remove security groups on an instance at any time.
When you assign multiple security groups to an instance, the rules from each security group are aggregated to form a single set of rules. These combined rules control the traffic to and from an instance.
Take a look at how to manage cloud instances and follow the steps in the Edit security groups section.
-
Delete a security group
When deleting a security group, it will be permanently lost. The deleted security group cannot be recovered, as it is removed entirely from the platform.
Security groups that are in use and assigned to any Cloud resource cannot be deleted. You will need to remove the security group from any instances or ports and then retry the deletion.
Steps
-
1Using the menu on the left, navigate to Network > Security Groups.
-
2Find the security group that you want to delete and select the checkbox next to the name.
-
3The Delete Security Groups button will activate.
-
4Select the Delete Security Groups button. The Confirm Delete Volume dialog will appear.
-
5Click the Delete Security Groups button to confirm the action.
-
Take a look at our other articles and guides on xneelo Cloud.