Security groups
We do not recommend configuring security groups on existing networks where a load balancer or a cluster database is running: enabling them can cause the load balancer to malfunction and cloud database replication to fail. To avoid failures and data loss, create a new private network or public subnet.
A security group is a set of traffic-filtering rules that is applied to the ports of cloud servers within a single pool.
Unlike a cloud firewall, a security group lets you filter all traffic passing through a port, including traffic between devices on the same network and subnet.
You can manage security groups using the OpenStack CLI or Terraform. In the control panel you can view the security groups that have been created, the rules they contain, and the ports to which the groups are assigned.
Principle of operation
A security group is assigned to one or all ports on a cloud server and filters incoming and outgoing port traffic according to specified rules. If there are no rules in the group, all traffic is discarded.
For security groups to work, port security (traffic filtering) must be enabled.
Security groups use the following objects from the OpenStack model:
- Security Group — a security group; it serves as a container for rules that allow traffic to pass through;
- Rule — a rule in a security group; it allows traffic with specified parameters to pass through.
Security groups can operate in one of two modes:
- stateful (default) — session state is tracked. If traffic has passed through the port and a session has been established, return traffic within that session is allowed even without a matching rule. The session timeout is 300 seconds;
- stateless — the session state is not taken into account.
You can specify the mode when creating a group or when changing it.
Several security groups can be assigned to the same port. Their rules are applied together: if traffic matches at least one rule in any of the groups, it is allowed.
Default security group
In each project, a default security group is created for every pool. The default security group is assigned to a port when the port is created, but you can specify a security group explicitly when creating a port or a server. Default security groups are not assigned automatically on networks where port security (traffic filtering) is disabled.
The default security group allows all inbound and outbound traffic and operates in stateful mode. To restrict traffic using the default group, manage its rules: remove the existing rules and add new ones.
The default group cannot be deleted.
Rules
Rules work on a permit-only basis: if traffic matches at least one rule in the group, it is allowed. The order of the rules does not matter.
A rule allows traffic based on the following parameters:
- direction — inbound or outbound;
- protocol — TCP, UDP, ICMP, AH, DCCP, EGP, ESP, GRE, IGMP, IPv6-ENCAP, IPv6-Frag, IPv6-ICMP, IPv6-NoNxt, IPv6-Opts, IPv6-Route, OSPF, PGM, RSVP, SCTP, UDP Lite, VRRP, IP-in-IP, or any protocol;
- port (for inbound and outbound traffic) — the port or range of ports to which a connection may be established. These are ports on the device to which the group containing the rule is assigned;
- traffic source (for inbound traffic) — an IP address, a subnet, or another security group;
- traffic destination (for outbound traffic) — an IP address, a subnet, or another security group.
When you create a new security group, two rules that allow all outbound traffic are created in it by default. You can remove these rules and add new ones.
Traffic filtering (port security)
Port security is a traffic-filtering feature that protects against unauthorized access and attacks and is required for security groups to work. It blocks all traffic through a port unless a security group with allow rules is assigned to that port.
Port security is disabled by default on all Selectel networks. To assign a security group to a port, you must enable port security.
To work with security groups, we recommend creating a new network and enabling port security at the network level: all new ports on that network are then assigned the default security group. You can also specify a security group explicitly when creating a port or a server.
Port security allows only one fixed IP address / MAC address pair per port, so MAC/IP spoofing, VPN, VRRP and overlay networks are blocked. If you use solutions based on these, you must additionally configure allowed addresses on the ports with a security group: the addresses that may be used to send traffic through the port.
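The rule model described above (permit-only rules matched on direction, protocol, port, and a source or destination given as an IP prefix or as another security group), the default outbound rules, network-level port security and allowed addresses, as one added Terraform example that is not Selectel's own configuration. It uses the terraform-provider-openstack resources openstack_networking_network_v2, openstack_networking_secgroup_v2 (with its stateful and delete_default_rules arguments), openstack_networking_secgroup_rule_v2 and openstack_networking_port_v2 with allowed_address_pairs, which is the OpenStack name for the allowed addresses described above. The network name, address ranges, group names and the VRRP virtual IP are constructed values, and a provider version that supports the stateful argument is assumed.

```hcl
terraform {
  required_providers {
    openstack = {
      source = "terraform-provider-openstack/openstack"
    }
  }
}

# Constructed example: a new private network with port security enabled at the
# network level, so every new port on it receives the default security group.
resource "openstack_networking_network_v2" "app" {
  name                  = "app-net"
  port_security_enabled = true
}

resource "openstack_networking_subnet_v2" "app" {
  name       = "app-subnet"
  network_id = openstack_networking_network_v2.app.id
  cidr       = "10.10.0.0/24" # constructed address range
  ip_version = 4
}

# Stateful group for the web tier. delete_default_rules removes the two
# "allow all outbound" rules a new group starts with, so every permitted
# flow below is explicit (outbound included).
resource "openstack_networking_secgroup_v2" "web" {
  name                 = "web"
  description          = "web tier: HTTPS from anywhere, SSH from the admin subnet"
  stateful             = true
  delete_default_rules = true
}

# Inbound HTTPS from any IPv4 source.
resource "openstack_networking_secgroup_rule_v2" "web_https_in" {
  security_group_id = openstack_networking_secgroup_v2.web.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  remote_ip_prefix  = "0.0.0.0/0"
}

# Inbound SSH only from a constructed admin subnet.
resource "openstack_networking_secgroup_rule_v2" "web_ssh_in" {
  security_group_id = openstack_networking_secgroup_v2.web.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = "192.0.2.0/24"
}

# VRRP between members of the same group (source given as a security group,
# not as an IP prefix). The port-level allowed address pair below lets the
# shared virtual IP pass port security.
resource "openstack_networking_secgroup_rule_v2" "web_vrrp_in" {
  security_group_id = openstack_networking_secgroup_v2.web.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "vrrp"
  remote_group_id   = openstack_networking_secgroup_v2.web.id
}

# Outbound IPv4 to anywhere, re-added explicitly because the defaults were
# deleted. Return traffic for inbound sessions does not need this rule in
# stateful mode; it is here for connections the web servers open themselves.
resource "openstack_networking_secgroup_rule_v2" "web_all_out" {
  security_group_id = openstack_networking_secgroup_v2.web.id
  direction         = "egress"
  ethertype         = "IPv4"
  remote_ip_prefix  = "0.0.0.0/0"
}

# Port for one web node: its own fixed IP plus the VRRP virtual IP as an
# allowed address, since port security otherwise permits only the port's
# own IP/MAC pair as a source.
resource "openstack_networking_port_v2" "web_a" {
  name               = "web-a"
  network_id         = openstack_networking_network_v2.app.id
  security_group_ids = [openstack_networking_secgroup_v2.web.id]

  fixed_ip {
    subnet_id  = openstack_networking_subnet_v2.app.id
    ip_address = "10.10.0.11"
  }

  allowed_address_pairs {
    ip_address = "10.10.0.10" # constructed VRRP virtual IP shared by the nodes
  }
}
```

Because rules are permit-only and unordered, the group above allows exactly HTTPS, admin SSH and intra-group VRRP inbound plus all IPv4 outbound; anything else through the port is dropped by port security. Keep the project limits in mind when reproducing this pattern per tier: each group and each rule counts toward the 20-group and 200-rule ceilings.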
Limitations
Within one project you can create:
- no more than 20 security groups, including default security groups;
- no more than 200 rules.
The number of security groups and rules on one port is limited by the project limits: no more than 20 groups and no more than 200 rules.
Some TCP/UDP ports are blocked by default in Selectel. If inbound or outbound traffic through a port is blocked by default, it will not pass even if there is an allow rule for it.
Cost
Security groups are provided free of charge.