Managing security group rules

You can modify security groups by adding and removing rules. Editing rules is not available. If you need to change the existing rule, remove it and re-create with the required parameters.

Prerequisites

To add a rule to a security group

Admin panel

  1. On the Compute > Network > Security groups tab, click the security group to add a rule to.
  2. On the group right pane, click Add in the Inbound or Outbound section to create a rule for incoming or outgoing traffic.
  3. Specify the rule parameters:
    1. Select a protocol from the list or enter a number from 0 to 255.
    2. Enter a single port or a port range. Some protocols already have a predefined port range. For example, the port for SSH is 22.
    3. Select a predefined subnet CIDR or an existing security group.
  4. Click the check mark to save the changes.

As soon as the rule is created, it is applied to all of the virtual machines assigned to the security group.

Command-line interface

Use the following command:

vinfra service compute security-group rule create [--remote-group <remote-group>]
                                                  [--remote-ip <ip-address>]
                                                  [--ethertype <ethertype>]
                                                  [--protocol <protocol>]
                                                  [--port-range-max <port-range-max>]
                                                  [--port-range-min <port-range-min>]
                                                  (--ingress | --egress)
                                                  <security-group>
--remote-group <remote-group>
Remote security group name or ID
--remote-ip <ip-address>
Remote IP address block in CIDR notation
--ethertype <ethertype>
Ethertype of network traffic: IPv4 or IPv6
--protocol <protocol>
IP protocol: tcp, udp, icmp, vrrp and others
--port-range-max <port-range-max>
The maximum port number in the port range that satisfies the security group rule
--port-range-min <port-range-min>
The minimum port number in the port range that satisfies the security group rule
--ingress
Rule for incoming network traffic
--egress
Rule for outgoing network traffic
<security-group>
Security group name or ID to create the rule in

For example, to create a rule in the security group mygroup to allow incoming IPv4 network traffic on TCP port 22, run:

# vinfra service compute security-group rule create mygroup \
--ethertype IPv4 --protocol tcp --port-range-max 22 --port-range-min 22 --ingress
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| description       |                                      |
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | 0f395e2f-a8ab-47f4-b670-64399461393c |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | e215189c0472482f93e71d10e1245253     |
| protocol          | tcp                                  |
| remote_group_id   |                                      |
| remote_ip_prefix  |                                      |
| security_group_id | 12e6b260-0b61-4551-8168-3e59602a2433 |
+-------------------+--------------------------------------+

This rule will appear in the vinfra service compute security-group rule list output:

# vinfra service compute security-group rule list mygroup -c id -c direction -c protocol
+--------------------------------------+-----------+----------+
| id                                   | direction | protocol |
+--------------------------------------+-----------+----------+
| 0f395e2f-a8ab-47f4-b670-64399461393c | ingress   | tcp      |
| a7c65861-df3d-47f2-bec3-089747141936 | egress    |          |
| ce854e2b-537f-4618-bea9-e9ec3d8616ac | egress    |          |
+--------------------------------------+-----------+----------+

To remove a rule from a security group

Admin panel

  1. On the Compute > Network > Security groups tab, click the required security group.
  2. On the group right pane, click the bin icon next to a rule you want to remove.

As soon as the rule is removed, this change is applied to all of the virtual machines assigned to the security group.

Command-line interface

Use the following command:

vinfra service compute security-group rule delete <security-group-rule>
<security-group-rule>
Security group rule ID

For example, to delete the security group rule with the ID 0f395e2f-a8ab-47f4-b670-64399461393c, run:

# vinfra service compute security-group rule delete 0f395e2f-a8ab-47f4-b670-64399461393c