Create a security group

Last update: June 11 2026

When creating a group, you only configure rules for incoming traffic. Outgoing traffic is allowed by default—two outgoing traffic rules are automatically added to the group, which cannot be modified or deleted during group creation. These rules are necessary so that the server can request the data required for its configuration during creation.

After creating the group, you can delete any rules in it and create new ones. You can download the rules from the group, as well as copy them to another security group.

Through the control panel, you can create a group with stateful mode and rule protocols: TCP, UDP, ICMP, or Any (all protocols). Using the OpenStack CLI, you can create a group with stateful or stateless mode and any rule protocol.

You can also copy an existing security group.

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Security Groups section.

3. Click Create security group.

4. Select the location where the group will be created. The group can only be assigned to ports in the same location.

5. Create rules for incoming traffic. To do this, in the Incoming traffic block:

   5.1. If one of the incoming traffic rule templates suits you, click the template name. The protocol, source, source ports, traffic destination, and destination port fields will be filled in automatically. Proceed to step 6.

   5.2. If the templates are not suitable, add your own rule for incoming traffic. Click Add incoming traffic rule.

   5.3. Select a protocol or click All protocols.

   5.4. Specify the traffic source (Source):

   • for traffic from an IP address or subnet—select CIDR and enter the IP address or subnet, or click All sources;
   • for traffic from a security group, select Security Group and select the group. Security groups in the same pool are available. If you need to accept traffic from another pool, specify the source CIDR.

   5.5. Enter the port that is allowed to receive traffic (Dst. port)—a single port or a range of ports—or click All ports.

   5.6. Optional: enter a comment for the rule.

   5.7. Click Add. Once the group is created, the rule cannot be modified; you can delete the rule and create a new one.

   5.8. To add another rule, repeat steps 5.2–5.7.

6. Optional: in the Ports block, select the ports to which the security group will be assigned. Available ports are those with traffic filtering (port security) enabled that are not connected to devices or are connected to a cloud server. After the group is created, all active sessions on the selected ports that do not comply with the group rules will be terminated.

7. Enter a group name or leave the name that was created automatically.

8. Optional: enter a comment for the group.

9. Click Create security group.

10. Optional: restrict outgoing traffic; to do this, delete the outgoing traffic rules that were created with the group, and create new ones.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a security group:

   openstack security group create \
       [--description "<description>"] \
       [--stateless] \
       <security_group_name>

   Specify:

   • optional: --description "<description>" —security group description. The <description> parameter is the description text; ;
   • optional: group mode— --stateful or --stateless. If you do not specify a mode, a stateful group will be created;
   • <security_group_name> —security group name.

3. Create a rule in the group:

   Incoming traffic

   openstack security group rule create \
       --ingress \
       [--remote-ip <remote_ip> | --remote-group <remote_group>] \
       [--protocol <protocol>] \
       [--dst-port <port_range>] \
       <security_group>

   Specify:

   • optional: traffic source, you can specify one or both parameters. If you do not specify a source, the 0.0.0.0/0 subnet will be set by default:

     • --remote-ip <remote_ip> — to accept traffic from an IP address. The <remote_ip> parameter is an IP address or subnet in CIDR format;
     • --remote-group <remote_group> — to accept traffic from another security group. The <remote_group> parameter is a group ID or name, which can be viewed using the openstack security group list command. To allow traffic within a group, specify its name. You can only specify a group in the same pool; for traffic from another pool, use --remote-ip <remote_ip>;

   • optional: --protocol <protocol> — protocol. The <protocol> parameter is the name of the protocol from the list below. If you do not specify this parameter, all protocols will be allowed:

     • icmp — ICMP;
     • tcp — TCP;
     • udp — UDP;
     • ah — AH;
     • dccp — DCCP;
     • egp — EGP;
     • esp — ESP;
     • gre — GRE;
     • igmp — IGMP;
     • ipv6-encap — IPv6-ENCAP;
     • ipv6-frag — IPv6-Frag;
     • ipv6-icmp — IPv6-ICMP;
     • ipv6-nonxt — IPv6-NoNxt;
     • ipv6-opts — IPv6-Opts;
     • ipv6-route — IPv6-Route;
     • ospf — OSPF;
     • pgm — PGM;
     • rsvp — RSVP;
     • sctp — SCTP;
     • udplite — UDP Lite;
     • vrrp — VRRP;
     • ipip — IP-in-IP;
     • any — any protocol;

   • optional: --dst-port <port_range> — server ports that are allowed to receive traffic. The <port_range> parameter is a port number or port range, e.g., 137:139. Specify if <protocol> is tcp, udp or any.

     Traffic to any TCP/UDP port blocked in Selectel by default will be denied, even if you specify this port in the rule;

   • <security_group> — security group ID or name; you can view it using the openstack security group list command.

   Outgoing traffic

   openstack security group rule create \
       --egress \
       [--remote-ip <remote_ip> | --remote-group <remote_group>] \
       [--dst-port <port_range>] \
       [--protocol <protocol>] \
       <security_group>

   Specify:

   • optional: traffic destination, you can specify one or both parameters. If you do not specify a destination, the subnet 0.0.0.0/0 will be set by default:

     • --remote-ip <remote_ip> — to send traffic to an IP address. The <remote_ip> parameter is an IP address or a CIDR subnet;
     • --remote-group <remote_group> — to send traffic to another security group. The <remote_group> parameter is a group ID or name, which you can find using the openstack security group list command. To allow traffic within a group, specify its name. You can only specify a group in the same pool; for traffic from a different pool, use --remote-ip <remote_ip>;

   • optional: --protocol <protocol> — protocol. The <protocol> parameter is the name of a protocol from the list below. If you do not specify this parameter, all protocols will be allowed:

     • icmp — ICMP;
     • tcp — TCP;
     • udp — UDP;
     • ah — AH;
     • dccp — DCCP;
     • egp — EGP;
     • esp — ESP;
     • gre — GRE;
     • igmp — IGMP;
     • ipv6-encap — IPv6-ENCAP;
     • ipv6-frag — IPv6-Frag;
     • ipv6-icmp — IPv6-ICMP;
     • ipv6-nonxt — IPv6-NoNxt;
     • ipv6-opts — IPv6-Opts;
     • ipv6-route — IPv6-Route;
     • ospf — OSPF;
     • pgm — PGM;
     • rsvp — RSVP;
     • sctp — SCTP;
     • udplite — UDP Lite;
     • vrrp — VRRP;
     • ipip — IP-in-IP;
     • any — any protocol;

   • optional: --dst-port <port_range> — server ports from which traffic is allowed to be sent. The <port_range> parameter is a port number or a port range, for example 137:139. Specify this if <protocol> is tcp, udp or any.

     Traffic to any TCP/UDP port blocked in Selectel by default will be denied even if you specify this port in the rule;

   • <security_group> — security group ID or name, which you can find using the openstack security group list.

4. Optional: create another rule in the group; to do this, repeat step 3.

5. Optional: check the list of rules in the security group:

   openstack security group rule list <security_group>

   Specify <security_group> — the ID or name of the security group you created in step 2; you can view it using the openstack security group list.