Security Group
A Security Group controls traffic to connected resources using inbound and outbound rules. For example, by associating a security group with the network interface of a BCS instance, you can regulate the inbound and outbound traffic of that instance, enhancing security by governing the traffic flows.
Policies for inbound and outbound traffic can be configured independently, allowing for the control of traffic based on protocols and port numbers. By implementing this approach, you can improve the safety of your network by allowing only necessary communications and blocking unnecessary traffic.
Understanding security groups work
Security Groups function based on the following principles:
| Operation | Description |
|---|---|
| Whitelist-based | Security groups only permit traffic that matches defined rules. |
| State management | Security groups are stateful, meaning: - Responses to inbound traffic are automatically allowed, regardless of outbound rules, and vice versa. - This statefulness ensures return traffic is permitted for sessions initiated by allowed requests. |
| Multiple instance connections | A single security group can be applied across multiple instances for consistent security policies. |
| Multiple security group connections | Multiple security groups can be applied to one instance. - A security group with multiple connected security groups allows policies from all connected security groups. |
| Copying multiple security groups | Security groups with the same inbound/outbound rules can be copied to create new ones. |
Security group basics
- Security groups use a whitelist-based approach, denying all traffic not explicitly allowed by the policies. Therefore, you need to set policies to allow desired traffic.
- Security groups are stateful. Responses to inbound traffic are allowed to exit the instance regardless of outbound rules, and vice versa.
- Associating multiple security groups with a single resource, a single policy set is formed, which is used to determine access permissions.
- Adjustments to a security group's rules are dynamically applied to all associated resources. However, changes do not take effect immediately in the security group; only packets are allowed until existing connections timeout.
- There are limits on the number of security groups, rules per group, and group associations per network interface, detailed in the the Pricing and Quotas for more details.
Security group policies
Security group policies dictate allowed inbound and outbound traffic for associated resources, based on the following criteria:
| Item | Description |
|---|---|
| Protocol | Protocol to apply policy to - TCP, UDP, ICMP, ALL. |
| Source or Destination | For inbound rules, the source IP range; for outbound, the destination range. |
| Port number | The port number(s) the rule applies to. |
| Policy Description | A description of the policy. |
Examples
The policies you add to a security group often depend on the purpose of the security group. The following table describes example policies for the security group associated with the web server. The web server can receive HTTP and HTTPS traffic from IPv4 and send SQL or MySQL traffic to the database server.
Inbound rules
| Protocol | Source | Port number | Description |
|---|---|---|---|
| TCP | 0.0.0.0/0 | 80 | Allows HTTP from any IPv4 address |
| TCP | 0.0.0.0/0 | 443 | Allows HTTPS from any IPv4 address |
| TCP | Public IPv4 address range of the network | 22 | Allow SSH from specific network IPs |
| TCP | Public IPv4 address range of the network | 3389 | Allow RDP from specific network IPs |
Outbound rules
| Protocol | Destination | Port number | Description |
|---|---|---|---|
| TCP | SQL server IP range | 1433 | Allows access to Microsoft SQL Server |
| TCP | MySQL server IP range | 3306 | Allows access to MySQL |
- To avoid configuration errors, it's advised to limit the number of security groups and tailor each to resources with similar security needs.
- When adding inbound rules to allow access to BCS instances on ports 22 (SSH) or 3389 (RDP), grant access only to specific IP address ranges.
- Avoid opening large port ranges. Set each port to allow access restricted to source or destination requiring that port.
Default security group
Every project automatically has a default security group named default, with the following inbound and outbound rules. The default security group can be modified and used as needed, but cannot be deleted.
The policies of the default security group are as follows.
Inbound rules
| Protocol | Source | Port number | Description |
|---|---|---|---|
TCP | @default | ALL | Allows inbound traffic from resources in the same security group |
Outbound rules
| Protocol | Destination | Port number | Description |
|---|---|---|---|
ALL | 0.0.0.0/0 | ALL | Allows all outbound traffic |
Custom security group
Custom security groups can be created to reflect specific roles within your infrastructure, each with a unique name within the VPC.
The following are the default rules of a security group.
Inbound rules
No predefined rules (no traffic allowed)
Outbound rules
| Protocol | Destination | Port number | Description |
|---|---|---|---|
| ALL | 0.0.0.0/0 | ALL | Allows all outbound traffic |
If only custom security groups are used, instances in the VPC will be unable to acquire metadata and thus inaccessible. To enable metadata acquisition, add the following outbound rules:
| Protocol | Destination | Port number | Description |
|---|---|---|---|
| TCP | 169.254.169.0/24 | 80 | Required to acquire metadata |