Security Groups

Security Groups place a barrier between your servers and other machines on the network to protect them from external attacks. Security Groups are network-based firewalls and stop traffic at the network layer before it reaches the server.

A security group consists set of network access rules that control incoming and outgoing traffic to instances assigned to this group. With security group rules, you can specify the type and direction of traffic that is allowed access to a virtual interface port. Traffic that does not satisfy any rule is dropped.

For each region, a default security group is automatically created in the control panel. This group allows all traffic on all ports for all protocols. When you attach a network interface to an instance, the interface is associated with the default security group, unless you explicitly select a custom security group.

When you add rules to security groups or remove them, the changes are enforced at runtime.

Quickstart

As standard, each organization's account comes with a default Security Group per data center region. The default group allows all traffic on all ports for all protocols.

  1. Start by clicking the Wizard button in the Control Panel. Click Create Security Group.

  2. Name your Security Group, compose a description and choose a data center Region. Click on Save to create a new Security Group.

  3. To edit and manage the newly created Security Group, click on it in the list.

  4. Create a new rule by clicking on the (+) Plus button under the Rules tab.

  5. Under Direction, specify whether the rule should apply to inbound "Ingress" or outbound "Egress" traffic.

  6. Under Protocol, choose the protocol. The values Any, TCP, UDP, and ICMP are available for selection. Depending on the choice, you have the possibility to set further parameters. For TCP and UDP, you can specify the "Start port" and "End port", and for ICMP, the "Type" and "Code.

  7. Under Remote, specify the remote resource to which this rule should be applied. The values Any, Subnet, and Group are available for selection. Depending on the choice, you have the possibility to set further parameters. For the Subnet, you can specify the CIDR notation (for example, 10.11.12.0/24 or /32 for a single address). For Group, you can specify an existing Security Group.

  8. Click Save to add the rule to the Security Group. To assign the newly created Security Group, including the rules you created, to an instance, navigate to Compute > Instances > Instance > Security Groups.

Disable Network Security

You have the ability to disable the security group feature per network interface of an instance. This feature is mostly required when you use a firewall distribution.

Plans and Pricing

Security Groups are free.

Regional Availability

Security Groups are available in all regions. They are region-specific resources and can only be assigned within the same region.

Limitations

  • You can manage only IPv4 security group rules.

Last updated