Create a security group rule

You can:

In the Control panel, or by adding rules from a file, you can create a rule with the TCP, UDP, ICMP, or Any protocol. Via the OpenStack CLI, you can create a rule with any protocol.

You can also copy rules from one security group to another; to do this, copy the security group.

Create an ingress traffic rule

  1. In the Control panel, from the top menu, click Products and select Cloud Servers.

  2. Go to the Security Groups section.

  3. Open the security group page.

  4. Open the Ingress tab.

  5. Click Create rule.

  6. If one of the ingress traffic rule templates works for you, select it from the list. The protocol, source, source ports, traffic destination, and destination port fields will be filled in automatically.

  7. If the templates do not work, specify your own rule parameters:

    7.1. Select a protocol or click All protocols.

    7.2. Specify the traffic source (Source):

    • for traffic from an IP address or subnet—select CIDR and enter the IP address or subnet, or click All sources;
    • for traffic from a security group — select Security group and choose the group. You can use security groups in the same pool. If you need to accept traffic from another pool, specify the source CIDR.

    7.3. Enter the port to allow traffic on (Dst. port)—a single port or a range of ports, or click All ports.

    7.4. Optional: enter a comment for the rule.

  8. Click Create.

Create an egress traffic rule

  1. In the Control panel, from the top menu, click Products and select Cloud Servers.

  2. Go to the Security Groups section.

  3. Open the security group page.

  4. Open the Egress tab.

  5. Click Create rule.

  6. If one of the egress traffic rule templates works for you, select it from the list. The protocol, source, source ports, traffic destination, and destination port fields will be filled in automatically.

  7. If the templates do not work, specify your own rule parameters:

    7.1. Select a protocol or click All protocols.

    7.2. Specify the traffic destination (Destination):

    • for traffic to an IP address or subnet—select CIDR and enter the IP address or subnet, or click All sources;
    • for traffic to a security group — select Security group and choose the group. You can use security groups in the same pool. If you need to send traffic to another pool, specify the destination CIDR.

    7.3. Enter the source port (Src. port)—a single port or a range of ports, or click All ports.

    7.4. Optional: enter a comment for the rule.

  8. Click Create.

Bulk add rules from a file

  1. Prepare a file with the rule descriptions.
  2. Upload the file to the Control panel.

1. Prepare a file with the rule descriptions

  1. In the Control panel, from the top menu, click Products and select Cloud Servers.

  2. Go to the Security Groups section.

  3. Download the file to edit:

    • to download a file containing the rules you previously created for another security group, in the menu of the required security group, select Download JSON with rules;
    • to download a file with rule templates, in the menu of any security group, select Add rules from JSON and click the link in the text.
  4. Open the downloaded file in any text editor.

  5. Edit the file content—delete or add the required number of rule blocks, and specify the parameters for each rule:

    • direction — traffic direction: ingress for incoming traffic, egress for outgoing;

    • ethertype — IP type: only IPv4;

    • port_range_max — the last port in the allowed port range: a number from 1 to 65,535. If the rule protocol is icmp, specify an ICMP type instead of the port number. To allow all ports or ICMP types, specify null;

    • port_range_min — the first port in the allowed port range: a number from 1 to 65,535. If the rule protocol is icmp, specify an ICMP type instead of the port number. To allow all ports or ICMP types, specify null;

    • protocol — protocol name:

      • icmp — ICMP;
      • tcp — TCP;
      • udp — UDP;
      • any or null — any protocol;
    • traffic source or destination — specify one of the parameters, and for the other, specify null:

      • remote_group_id — security group ID, can be viewed in the Control panel: from the top menu, click Products → Cloud Servers → Security Groups → in the group card, click . You can only specify a group in the same pool; for traffic from another pool, use remote_ip_prefix. To allow traffic from all security groups, specify null;
      • remote_ip_prefix — IP address or subnet in CIDR format. To allow traffic from all IP addresses, specify null.

      If you specify null for both parameters, all traffic matching the other rule parameters will be allowed.

  6. Save the modified file.
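
A pre-upload check for the rules file described in step 5, added here as an example (it is not part of the Control panel or the provider's tooling). It assumes the file is a top-level JSON array of rule objects using the field names listed above; `lint_rule`, `lint_file` and the sample rules are constructed for illustration, and treating a /0 prefix like null is this example's own policy.

```python
import ipaddress
import json

# Protocol values listed on this page; None is JSON null.
PROTOCOLS = {"icmp", "tcp", "udp", "any", None}

def lint_rule(rule):
    """Return (level, message) findings for one rule block; empty means clean."""
    out = []
    if rule.get("direction") not in ("ingress", "egress"):
        out.append(("ERROR", "direction must be ingress or egress"))
    if rule.get("ethertype") != "IPv4":
        out.append(("ERROR", "ethertype must be IPv4"))
    proto = rule.get("protocol")
    if proto not in PROTOCOLS:
        out.append(("ERROR", f"unknown protocol {proto!r}"))
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    # For icmp the two fields carry ICMP types, so port bounds are not applied.
    if proto != "icmp" and (lo is not None or hi is not None):
        ok = all(isinstance(p, int) and 1 <= p <= 65535 for p in (lo, hi))
        if not ok or lo > hi:
            out.append(("ERROR", f"bad port range {lo}-{hi}"))
    group, prefix = rule.get("remote_group_id"), rule.get("remote_ip_prefix")
    if group is not None and prefix is not None:
        out.append(("ERROR", "set remote_group_id or remote_ip_prefix, not both"))
    wide = group is None and prefix is None  # both null: all traffic matches
    if prefix is not None:
        try:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version != 4:
                out.append(("ERROR", "remote_ip_prefix must be IPv4"))
            wide = wide or net.prefixlen == 0  # assumption: /0 is as open as null
        except ValueError:
            out.append(("ERROR", f"invalid CIDR {prefix!r}"))
    if wide:
        out.append(("WARN", "rule matches every remote address"))
    return out

def lint_file(text):
    """Map rule index -> findings for a JSON array of rules, skipping clean ones."""
    report = {i: lint_rule(r) for i, r in enumerate(json.loads(text))}
    return {i: f for i, f in report.items() if f}

# Constructed sample: one clean rule, one open to all sources, one inverted range.
SAMPLE = """[
 {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22, "remote_group_id": null, "remote_ip_prefix": "203.0.113.0/24"},
 {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 3389, "port_range_max": 3389, "remote_group_id": null, "remote_ip_prefix": null},
 {"direction": "egress", "ethertype": "IPv4", "protocol": "udp", "port_range_min": 9000, "port_range_max": 8000, "remote_group_id": null, "remote_ip_prefix": "10.0.0.0/8"}
]"""
```

Calling `lint_file(SAMPLE)` returns findings keyed by rule position, so the WARN entries can be reviewed before choosing between adding to and replacing the existing rules.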

2. Upload the file to the Control panel

  1. In the Control panel, from the top menu, click Products and select Cloud Servers.

  2. Go to the Security Groups section.

  3. In the menu of a security group, select Add rules from JSON.

  4. Choose how to add the rules from the file:

    • add new rules to the existing ones;
    • or delete the old rules and add new ones.
  5. Upload the file you prepared earlier — drag and drop it into the upload field or click the upload field to select the file.

  6. Click Add or Delete and add.