Managing security group rules

You can modify security groups by adding and removing rules. Editing rules is not available. If you need to change an existing rule, remove it and recreate it with the required parameters.

Prerequisites

To add a rule to a security group

Admin panel

  1. On the Compute > Network > Security groups tab, click the security group to add a rule to.
  2. On the group right pane, click Add in the Inbound or Outbound section to create a rule for incoming or outgoing traffic.
  3. Specify the rule parameters:
    1. Select a protocol from the list or enter an IP protocol number from 0 to 255.
    2. Enter a single port or a port range. Some protocols already have a predefined port range. For example, the port for SSH is 22.
    3. Select a predefined subnet CIDR or an existing security group as the remote side of the rule (the source for inbound traffic or the destination for outbound traffic).
  4. Click the check mark to save the changes.

As soon as the rule is created, it is applied to all of the virtual machines assigned to the security group.

Command-line interface

Use the following command:

vinfra service compute security-group rule create [--remote-group <remote-group>]
                                                  [--remote-ip <ip-address>]
                                                  [--ethertype <ethertype>]
                                                  [--protocol <protocol>]
                                                  [--port-range-max <port-range-max>]
                                                  [--port-range-min <port-range-min>]
                                                  (--ingress | --egress)
                                                  <security-group>
--remote-group <remote-group>
Remote security group name or ID
--remote-ip <ip-address>
Remote IP address block in CIDR notation
--ethertype <ethertype>
Ethertype of network traffic: IPv4 or IPv6
--protocol <protocol>
IP protocol: tcp, udp, icmp, vrrp and others
--port-range-max <port-range-max>
The maximum port number in the port range that satisfies the security group rule
--port-range-min <port-range-min>
The minimum port number in the port range that satisfies the security group rule
--ingress
Rule for incoming network traffic
--egress
Rule for outgoing network traffic
<security-group>
Security group name or ID to create the rule in

For example, to create a rule in the security group mygroup to allow incoming IPv4 network traffic on TCP port 22, run:

# vinfra service compute security-group rule create mygroup \
--ethertype IPv4 --protocol tcp --port-range-max 22 --port-range-min 22 --ingress
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| description       |                                      |
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | 0f395e2f-a8ab-47f4-b670-64399461393c |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | e215189c0472482f93e71d10e1245253     |
| protocol          | tcp                                  |
| remote_group_id   |                                      |
| remote_ip_prefix  |                                      |
| security_group_id | 12e6b260-0b61-4551-8168-3e59602a2433 |
+-------------------+--------------------------------------+

This rule will appear in the vinfra service compute security-group rule list output:

# vinfra service compute security-group rule list mygroup -c id -c direction -c protocol
+--------------------------------------+-----------+----------+
| id                                   | direction | protocol |
+--------------------------------------+-----------+----------+
| 0f395e2f-a8ab-47f4-b670-64399461393c | ingress   | tcp      |
| a7c65861-df3d-47f2-bec3-089747141936 | egress    |          |
| ce854e2b-537f-4618-bea9-e9ec3d8616ac | egress    |          |
+--------------------------------------+-----------+----------+
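The following helper is an added example and is not part of the vinfra documentation or product. It composes a "vinfra service compute security-group rule create" command from the parameters described above, rejecting values the CLI would not accept (a protocol number outside 0-255, ports outside 1-65535, a minimum port above the maximum, a malformed CIDR) and warning when an inbound rule is open to the whole Internet. The helper prints the command instead of running it so it works offline; the CIDR check is a deliberately crude pattern match, not a full parser, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not vinfra's own code): build and sanity-check a rule-create
# command before it is executed. Only flags documented above are used.

# is_int VALUE MIN MAX -> exit 0 if VALUE is a non-negative integer in [MIN, MAX]
is_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# build_rule_create GROUP DIRECTION ETHERTYPE PROTOCOL PORT_MIN PORT_MAX \
#                   [--remote-ip CIDR | --remote-group NAME_OR_ID]
# Prints the vinfra command on stdout; on a bad parameter prints the reason
# on stderr and returns 1 so nothing is created by mistake.
build_rule_create() {
    group=$1; direction=$2; ethertype=$3; protocol=$4; pmin=$5; pmax=$6
    remote_flag=${7:-}; remote_val=${8:-}

    case "$direction" in
        ingress|egress) ;;
        *) echo "direction must be ingress or egress" >&2; return 1 ;;
    esac
    case "$ethertype" in
        IPv4|IPv6) ;;
        *) echo "ethertype must be IPv4 or IPv6" >&2; return 1 ;;
    esac
    # Protocol is a name (tcp, udp, icmp, vrrp, ...) or an IP protocol number 0-255.
    case "$protocol" in
        '') echo "protocol is required" >&2; return 1 ;;
        *[!0-9]*) ;;   # a name: vinfra validates it
        *) is_int "$protocol" 0 255 || { echo "protocol number must be 0-255" >&2; return 1; } ;;
    esac
    is_int "$pmin" 1 65535 && is_int "$pmax" 1 65535 \
        || { echo "ports must be integers from 1 to 65535" >&2; return 1; }
    [ "$pmin" -le "$pmax" ] \
        || { echo "port-range-min must not exceed port-range-max" >&2; return 1; }

    case "$remote_flag" in
        '') ;;   # no remote restriction given
        --remote-ip)
            # Crude shape check only: a.b.c.d/n for IPv4, something with ':' and '/' for IPv6.
            case "$remote_val" in
                *.*.*.*/*|*:*/*) ;;
                *) echo "--remote-ip needs CIDR notation, got '$remote_val'" >&2; return 1 ;;
            esac
            # Wide-open inbound rules are legal but worth flagging before they are applied
            # to every VM in the group.
            if [ "$direction" = ingress ]; then
                case "$remote_val" in
                    0.0.0.0/0|::/0) echo "warning: inbound rule open to any address" >&2 ;;
                esac
            fi ;;
        --remote-group)
            [ -n "$remote_val" ] || { echo "--remote-group needs a name or ID" >&2; return 1; } ;;
        *) echo "unknown remote flag '$remote_flag'" >&2; return 1 ;;
    esac

    printf '%s' "vinfra service compute security-group rule create $group --$direction" \
        " --ethertype $ethertype --protocol $protocol" \
        " --port-range-min $pmin --port-range-max $pmax"
    if [ -n "$remote_flag" ]; then
        printf ' %s %s' "$remote_flag" "$remote_val"
    fi
    printf '\n'
}

# Usage: print the command for an SSH rule limited to one subnet (not executed here).
build_rule_create mygroup ingress IPv4 tcp 22 22 --remote-ip 10.0.0.0/24
```

To execute the composed command rather than print it, run the helper's output through `sh` (for example `build_rule_create ... | sh`) once you are satisfied with the checks; the wide-open warning goes to stderr, so it never contaminates the command text.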

To remove a rule from a security group

Admin panel

  1. On the Compute > Network > Security groups tab, click the required security group.
  2. On the group right pane, click the bin icon next to a rule you want to remove.

As soon as the rule is removed, this change is applied to all of the virtual machines assigned to the security group.

Command-line interface

Use the following command:

vinfra service compute security-group rule delete <security-group-rule>
<security-group-rule>
Security group rule ID

For example, to delete the security group rule with the ID 0f395e2f-a8ab-47f4-b670-64399461393c, run:

# vinfra service compute security-group rule delete 0f395e2f-a8ab-47f4-b670-64399461393c
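Because rules cannot be edited, the usual workflow is to find the ID of the rule to replace in the "rule list" output and delete it before recreating it. The helper below is an added example, not part of the vinfra documentation or product: it parses the table format shown above (the sample is the listing from this page, embedded so the script runs offline) and prints the matching rule IDs and the corresponding delete commands instead of executing them. The function names and the column positions (id, direction, protocol, as selected with -c above) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not vinfra's own code): pick rule IDs out of a
# "vinfra service compute security-group rule list ... -c id -c direction -c protocol"
# table and turn them into delete commands. Sample table copied from the page above.
SAMPLE_RULE_LIST='+--------------------------------------+-----------+----------+
| id                                   | direction | protocol |
+--------------------------------------+-----------+----------+
| 0f395e2f-a8ab-47f4-b670-64399461393c | ingress   | tcp      |
| a7c65861-df3d-47f2-bec3-089747141936 | egress    |          |
| ce854e2b-537f-4618-bea9-e9ec3d8616ac | egress    |          |
+--------------------------------------+-----------+----------+'

# rule_ids TABLE DIRECTION PROTOCOL
# Prints one ID per line for rows whose direction and protocol columns match
# exactly. Pass an empty PROTOCOL to match rows with an empty protocol column
# (rules that cover any protocol).
rule_ids() {
    printf '%s\n' "$1" | awk -F'|' -v dir="$2" -v proto="$3" '
        /^\+/ { next }                              # +---+ border lines
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 == "id") next                    # header row
            if ($3 == dir && $4 == proto) print $2  # $1 is empty before the first |
        }'
}

# delete_commands TABLE DIRECTION PROTOCOL
# Prints the delete command for each matching rule; nothing is executed.
delete_commands() {
    rule_ids "$@" | while IFS= read -r id; do
        printf 'vinfra service compute security-group rule delete %s\n' "$id"
    done
}

# Usage: show what would be deleted to replace the inbound TCP rule.
delete_commands "$SAMPLE_RULE_LIST" ingress tcp
```

With live data, replace the embedded sample by capturing the listing, for example `rule_ids "$(vinfra service compute security-group rule list mygroup -c id -c direction -c protocol)" ingress tcp`, and review the printed commands before piping them to `sh`.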