# Security Groups

Security Groups place a barrier between your servers and other machines on the network to protect them from external attacks. Security Groups are network-based firewalls and stop traffic at the network layer before it reaches the server.

A security group consists of a set of network access rules that control incoming and outgoing traffic for the instances assigned to the group. With security group rules, you can specify the type and direction of traffic that is allowed access to a virtual interface port. Traffic that does not satisfy any rule is dropped.

For each region, a default security group is automatically created in the control panel. This group allows all traffic on all ports for all protocols. When you attach a network interface to an instance, the interface is associated with the default security group, unless you explicitly select a custom security group.

When you add rules to security groups or remove them, the changes are enforced at runtime.

## Quickstart

{% hint style="info" %}
As standard, each organization's account comes with a default Security Group per data center region. The default group allows all traffic on all ports for all protocols.
{% endhint %}

1. Start by clicking the **Wizard** button in the [Control Panel](https://my.cloudbit.ch). Click **Create Security Group**.<br>
2. Name your Security Group, compose a description and choose a data center Region. Click on **Save** to create a new Security Group.<br>
3. To edit and manage the newly created Security Group, click on it in the list.<br>
4. Create a new rule by clicking on the **(+) Plus** button under the **Rules** tab.<br>
5. Under **Direction**, specify whether the rule should apply to inbound "Ingress" or outbound "Egress" traffic.<br>
6. Under **Protocol**, choose the protocol. The values Any, TCP, UDP, and ICMP are available for selection. Depending on the choice, you can set further parameters. For TCP and UDP, you can specify the "Start port" and "End port", and for ICMP, the "Type" and "Code".<br>
7. Under **Remote**, specify the remote resource to which this rule should be applied. The values Any, Subnet, and Group are available for selection. Depending on the choice, you can set further parameters. For Subnet, you can specify a range in CIDR notation (for example, 10.11.12.0/24, or a /32 for a single address). For Group, you can specify an existing Security Group.<br>
8. Click **Save** to add the rule to the Security Group. To assign the newly created Security Group, including the rules you created, to an instance, navigate to Compute > Instances > Instance > Security Groups.
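
The rule fields from steps 5 to 7 and the drop-by-default behaviour described above, modelled as an added Python example (not cloudbit's code or API). The `Rule` class, the function names and the sample groups are hypothetical; Remote: Group and ICMP Type/Code are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # hypothetical model of one rule as entered in the Rules tab
    direction: str                    # "ingress" or "egress"
    protocol: str                     # "any", "tcp", "udp" or "icmp"
    start_port: Optional[int] = None  # TCP/UDP only; None = all ports
    end_port: Optional[int] = None
    remote: str = "any"               # "any" or an IPv4 CIDR (Remote: Subnet)

    def matches(self, direction, protocol, port, peer_ip):
        if self.direction != direction:
            return False
        if self.protocol not in ("any", protocol):
            return False
        if self.protocol in ("tcp", "udp") and self.start_port is not None:
            end = self.start_port if self.end_port is None else self.end_port
            if port is None or not self.start_port <= port <= end:
                return False
        if self.remote != "any":
            # strict=False also accepts host bits, e.g. 10.11.12.7/24
            net = ipaddress.IPv4Network(self.remote, strict=False)
            return ipaddress.IPv4Address(peer_ip) in net
        return True

def is_allowed(rules, direction, protocol, port, peer_ip):
    """Traffic that satisfies no rule is dropped, so an empty group denies all."""
    return any(r.matches(direction, protocol, port, peer_ip) for r in rules)

def open_ingress(rules):
    """Ingress rules reachable from any address: review before attaching."""
    return [r for r in rules
            if r.direction == "ingress" and r.remote in ("any", "0.0.0.0/0")]

# Constructed sample groups, not taken from a real account.
# Assumption: "allows all traffic" is modelled as one Any rule per direction.
DEFAULT_GROUP = [Rule("ingress", "any"), Rule("egress", "any")]
WEB_GROUP = [
    Rule("ingress", "tcp", 443, 443),                        # HTTPS, Remote: Any
    Rule("ingress", "tcp", 22, 22, remote="10.11.12.0/24"),  # SSH, admin subnet
    Rule("egress", "any"),
]

if __name__ == "__main__":
    for ip in ("10.11.12.7", "203.0.113.9"):
        print(ip, "ssh allowed:", is_allowed(WEB_GROUP, "ingress", "tcp", 22, ip))
    print("default group open ingress:", open_ingress(DEFAULT_GROUP))
```

An instance left on the default group accepts every ingress connection, while the custom group only accepts SSH from the listed subnet.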

## Disable Network Security

You can disable the security group feature per network interface of an instance. This is mostly required when you use a firewall distribution.

## Plans and Pricing

Security Groups are free.

## Regional Availability

Security Groups are available in all regions. They are region-specific resources and can only be assigned within the same region.

## Limitations

* You can manage only IPv4 security group rules.

