General information about security groups
A security group is a set of rules for traffic filtering that applies to the ports of cloud servers within a single pool.
Unlike a cloud firewall, a security group lets you filter all of a server's traffic. A cloud firewall is assigned to a cloud router port, so it does not filter traffic between devices in the same network or subnet, nor traffic to addresses in public subnets.
Security groups are not suitable for protection against DDoS attacks; for this, use DDoS protection services.
You can manage security groups in the control panel, via the OpenStack CLI, or with Terraform.
Security groups support user types and roles.
Records of security group operations are saved in audit logs.
Operating principle
A security group is assigned to one or all cloud server ports and filters incoming and outgoing port traffic based on specified rules. If a group has no rules, all traffic is dropped.
For security groups to work, traffic filtering (port security) must be enabled in the network.
Security groups use the following OpenStack model objects:
- Security Group — a group of rules that allow traffic to pass;
- Rule — a rule in a security group. It allows traffic to pass based on specific parameters.
A security group can operate in one of the following modes:
- stateful (default) — session-aware. If traffic has passed through a port and a session is established, return traffic within this session will pass even without a rule. Session timeout is 300 seconds;
- stateless — session state is not taken into account.
You can specify the mode when creating a group and change it after the group is created.
Multiple security groups can operate on a single port. Their rules are applied simultaneously: if traffic matches at least one rule, it will be allowed.
Default security group
In one project, a default security group named default is created for each pool. If traffic filtering (port security) is enabled in the network, the default security group is assigned to all ports in that network upon their creation. For a cloud server, you can assign a different security group when creating a port or server.
The default security group allows all incoming and outgoing traffic for the port's allowed IP addresses and operates in stateful mode. To restrict traffic using the default group, manage the rules within it: delete rules and add new ones.
Do not delete rules in the default security group if a Managed Kubernetes cluster is running in the same project and pool as this group. Any change to the default group may cause the cluster to malfunction.
The default group cannot be deleted.
Rules
Rules follow an allow-list principle: if traffic matches at least one rule in the group, it will be allowed. The order of rules does not matter.
A rule allows traffic based on request parameters:
- direction — incoming or outgoing;
- protocol — TCP, UDP, ICMP, AH, DCCP, EGP, ESP, GRE, IGMP, IPv6-ENCAP, IPv6-Frag, IPv6-ICMP, IPv6-NoNxt, IPv6-Opts, IPv6-Route, OSPF, PGM, RSVP, SCTP, UDP Lite, VRRP, IP-in-IP, or any protocol;
- port (for incoming and outgoing traffic) — a port or range of ports with which a connection can be established. Specify the ports on the device to which the group containing the rule is assigned;
- traffic source (for incoming traffic) — an IP address, subnet, or another security group;
- traffic destination (for outgoing traffic) — an IP address, subnet, or another security group.
When a security group is created, two rules are added by default that allow all outgoing traffic. These rules are necessary so that the server can request the data required for its configuration upon creation. You can delete these rules and add new ones. Group rules can be downloaded and also copied to another security group.
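The following Terraform configuration is an added example, not Selectel's own code: it builds a stateful allow-list group of the kind described above using the terraform-provider-openstack resources openstack_networking_secgroup_v2 and openstack_networking_secgroup_rule_v2 (the stateful argument requires a provider version that supports it). The subnet CIDRs and the load-balancer group ID are placeholders.

```hcl
# Added example (not Selectel's own code); CIDRs and the load-balancer
# security group ID are placeholders to be replaced with your own values.

variable "lb_secgroup_id" {
  type = string # ID of the group assigned to the load-balancer ports (placeholder)
}

# Stateful group for application servers. The two default "allow all egress"
# rules are removed so that only the rules declared below apply.
resource "openstack_networking_secgroup_v2" "app" {
  name                 = "app-servers"
  description          = "Allow-list for application servers"
  stateful             = true
  delete_default_rules = true
}

# Incoming SSH only from the management subnet (address-based source).
resource "openstack_networking_secgroup_rule_v2" "ssh_in" {
  security_group_id = openstack_networking_secgroup_v2.app.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = "10.0.100.0/24"
}

# Incoming HTTPS only from ports that carry the load-balancer group (group-based source).
resource "openstack_networking_secgroup_rule_v2" "https_in" {
  security_group_id = openstack_networking_secgroup_v2.app.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  remote_group_id   = var.lb_secgroup_id
}

# Outgoing: only DNS to the resolver subnet. Replies to the allowed incoming
# sessions pass without an egress rule because the group is stateful.
resource "openstack_networking_secgroup_rule_v2" "dns_out" {
  security_group_id = openstack_networking_secgroup_v2.app.id
  direction         = "egress"
  ethertype         = "IPv4"
  protocol          = "udp"
  port_range_min    = 53
  port_range_max    = 53
  remote_ip_prefix  = "10.0.0.0/24"
}
```

With the default egress rules removed, add egress rules for anything the server must reach at first boot, since those default rules are what normally let it fetch its configuration data; in stateless mode, return traffic for the incoming rules would also need explicit egress rules.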
Limitations
Within a single pool in a project, you can create:
- up to 20 security groups, including the default security group;
- no more than 200 rules.
The number of security groups and rules per port is limited by the project quota: no more than 20 groups and no more than 200 rules.
In Selectel, some TCP/UDP ports are blocked by default. If incoming or outgoing traffic through a port is blocked by default, it will not pass even if an allow rule exists.
Cost
Security groups are provided free of charge.