
Security Group

KakaoCloud Security Groups act as virtual firewalls that control inbound and outbound traffic at the instance level. A security group is attached to a network interface: either the default network interface created automatically with an instance, or a network interface you create separately. For every instance type except Bare Metal Server instances, each network interface must have at least one security group attached.

A security group consists of inbound rules and outbound rules. Each rule allows traffic that matches a protocol, a source CIDR range (inbound) or destination CIDR range (outbound), and a port number. Derive the rules from the security requirements of the workload: every rule you add widens what can reach, or leave, the instance.

How security groups work

The working principle of security groups is as follows:

Functionality | Description
Whitelist-based | Security groups only allow; there is no deny rule. Any traffic that no rule explicitly allows is denied.
Stateful | Security groups track connections. If an inbound request is allowed by an inbound rule, its reply is allowed out regardless of the outbound rules; if an outbound request is allowed by an outbound rule, its reply is allowed in regardless of the inbound rules.
Multiple instances/network interfaces | One security group can be attached to multiple instances and network interfaces.
Multiple security groups | Multiple security groups can be attached to one instance or network interface; the allow rules of all attached groups apply together.
Security group copy | You can copy a security group to quickly create new groups with the same inbound and outbound rules.

Security group basics

  • Security groups are allow-list based: any traffic that no rule allows is denied.
  • Security groups are stateful: the reply traffic of an allowed connection is allowed without a rule of its own.
  • Adding, removing, or updating rules applies to every resource the security group is attached to. Connections that are already established are re-evaluated only after their connection-tracking entry expires, so removing a rule does not immediately cut an existing connection.
  • Quotas limit the number of security groups per project and the number of rules per security group. For the current limits, refer to the Service Pricing and Quotas document.

Security group rules

Security group rules are divided into inbound and outbound rules. Inbound rules define the rules for incoming traffic to resources connected to the security group, while outbound rules define the rules for outgoing traffic from these resources. Each rule consists of the following fields:

Item | Description
Protocol | Protocol the rule applies to (TCP, UDP, ICMP, or ALL)
Source or Destination | Source IP range (inbound rules) or destination IP range (outbound rules) as a CIDR block, or a reference to a security group such as @default
Port Number | Destination port the rule applies to
Rule Description | Free-text description of the rule

Security Group Rule Examples

Rules added to a security group are typically defined to match the purpose of the security group. The following table provides an example of rules for a security group attached to a web server. The web server accepts HTTP and HTTPS from anywhere, accepts SSH or RDP only from the administrator's address range, and can open connections to a Microsoft SQL Server or MySQL database server.

Inbound Rules
Protocol | Source | Port Number | Description
TCP | 0.0.0.0/0 | 80 | Allow all HTTP access
TCP | 0.0.0.0/0 | 443 | Allow all HTTPS access
TCP | Administrator's IP CIDR range | 22 | Allow SSH access to this web server instance
TCP | Administrator's IP CIDR range | 3389 | Allow RDP access to this web server instance

HTTP and HTTPS run over TCP at the transport layer, so the rules name TCP as the protocol and 80 and 443 as the destination ports. Port 22 (SSH) or port 3389 (RDP) is also allowed, depending on the web server's operating system, so that you can log in to the server directly; restrict its source to the address range you administer from, never 0.0.0.0/0.

Outbound Rules
Protocol | Destination | Port Number | Description
TCP | SQL Server database's IP CIDR range | 1433 | Allow access to Microsoft SQL Server
TCP | MySQL database's IP CIDR range | 3306 | Allow access to MySQL Server

The web server initiates the connections to the Microsoft SQL Server and MySQL database servers, so outbound rules allow those destinations and ports. The database servers' replies return through the tracked connection and need no inbound rule on the web server.

tip
  • To reduce the risk of errors, minimize the number of security groups created. Use each security group to manage access for resources with similar security requirements.
  • When adding inbound rules for SSH (port 22) or RDP (port 3389) access to BCS instances, ensure that only specific IP address ranges are granted access.
  • Avoid opening large port ranges. Limit access for each port to only the source or destination that requires it.

Default security group

A security group named default is created automatically for every project. It can be modified as needed but cannot be deleted. Its rules are as follows:

Inbound rules

Protocol | Source | Port Number | Description
TCP | @default | ALL | Allow inbound TCP traffic from resources that also have the default security group attached (the source @default refers to the group itself, not to an address range)

Outbound rules

Protocol | Destination | Port Number | Description
ALL | 0.0.0.0/0 | ALL | Allow all outbound traffic

Custom security group

Users can create multiple security groups reflecting various roles performed by instances. The name of a custom security group must be unique within the VPC.
The following are the default rules for security groups that are created.

Inbound rules

No inbound rules are registered (traffic is not allowed).

Outbound rules

Protocol | Destination | Port Number | Description
ALL | 0.0.0.0/0 | ALL | Allow all outbound traffic
caution

If instances in the VPC use only custom security groups (without the default security group), they cannot reach the instance metadata service. To allow metadata access, add the following outbound rule to the custom security group:

Protocol | Destination | Port Number | Description
TCP | 169.254.169.0/24 | 80 | Allow access to the metadata service