Managing security groups
A security group is a set of network access rules that control incoming and outgoing traffic to virtual machines assigned to this group. With security group rules, you can specify the type and direction of traffic that is allowed access to a virtual interface port.
All security groups applied to a VM are processed independently, and rule order has no impact on evaluation, whether within a single security group or across multiple groups. The system checks each packet against all applicable rules and allows it if at least one rule permits it; otherwise, the packet is denied by default. Since security group rules are cumulative, overlapping or redundant rules do not create conflicts or affect processing. Evaluation does not stop at the first match: the system considers all rules across all assigned security groups, and a packet is allowed whenever any one of them matches.
For each project, the default security group is automatically created in the compute cluster. This group allows all traffic on all ports for all protocols and cannot be deleted. When you attach a network interface to a VM, the interface is associated with the default security group, unless you explicitly select a custom security group.
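The evaluation model described above can be sketched as a small simulation. This is an added example, not the product's code: the `Rule` fields, the group names and the addresses are assumptions chosen for illustration. It shows that the verdict is the union of all assigned groups' rules, that ordering does not matter, and that leaving the allow-all default group attached alongside a restrictive custom group cancels the restriction.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations

@dataclass(frozen=True)
class Rule:  # simplified allow rule; field names are assumptions
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp" or "any"
    port_min: int
    port_max: int
    remote_cidr: str    # peer address range the rule applies to

    def matches(self, direction, protocol, port, remote_ip):
        return (self.direction == direction
                and self.protocol in ("any", protocol)
                and self.port_min <= port <= self.port_max
                and ip_address(remote_ip) in ip_network(self.remote_cidr))

def is_allowed(groups, direction, protocol, port, remote_ip):
    """Allow if ANY rule in ANY assigned group matches; otherwise deny."""
    return any(rule.matches(direction, protocol, port, remote_ip)
               for group in groups for rule in group)

def permitting_groups(named_groups, packet):
    """Names of the assigned groups that on their own permit the packet."""
    return sorted(name for name, rules in named_groups.items()
                  if is_allowed([rules], *packet))

def order_independent(groups, packet):
    """True if every ordering of the assigned groups gives one verdict."""
    verdicts = {is_allowed(list(p), *packet) for p in permutations(groups)}
    return len(verdicts) == 1

# Constructed sample groups (illustrative names and documentation addresses).
DEFAULT = [Rule("ingress", "any", 0, 65535, "0.0.0.0/0"),
           Rule("egress", "any", 0, 65535, "0.0.0.0/0")]
WEB = [Rule("ingress", "tcp", 443, 443, "0.0.0.0/0")]
ADMIN = [Rule("ingress", "tcp", 22, 22, "10.0.0.0/24")]
SSH_FROM_INTERNET = ("ingress", "tcp", 22, "203.0.113.7")

if __name__ == "__main__":
    print(is_allowed([WEB, ADMIN], *SSH_FROM_INTERNET))           # custom groups only
    print(is_allowed([WEB, ADMIN, DEFAULT], *SSH_FROM_INTERNET))  # default still attached
    print(permitting_groups({"web": WEB, "admin": ADMIN, "default": DEFAULT},
                            SSH_FROM_INTERNET))
```

Running `permitting_groups` over a VM's assigned groups is a quick way to see which group is responsible when a packet that should be blocked gets through.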
You can assign one or more security groups to both new and existing virtual machines. When you add rules to security groups or remove them, the changes are enforced at runtime.