Help:Security groups

From Wikitech
Jump to navigation Jump to search


A security group is a set of firewall rules that can be applied to Cloud VPS instances.

Each instance should belong to one or more security groups.

Default security group

Every instance should be a member of the default group. The default security group allows all incoming connections from all other instances in the same security group. This means that traffic within a project is not blocked.

If you plan to run other network services on your instances (e.g. it's an external web server, so HTTPS), you will need to create an additional custom security group and add it to your instance.

Create a new security group

You must be a Project admin in order to create, add or modify security groups.

  1. Log into Horizon
  2. Select the project containing the instance from the dropdown.
  3. Select 'Security Groups' under Network, under Project - you’ll see a list of available security groups.
  4. Click on the "Create Security Group" button
  5. Enter a new security group name, e.g., “web”.
  6. Enter a description (optional, but possibly helpful, e.g., firewall rules for web access).
  7. Click on the “Create Security Group” button.

Add rules

Each security group consist of one or more rules.

You can define rules for TCP, UDP (and additionally with these two, a single port or a range of ports), and ICMP. The remote can be either another security group within the project or a CIDR.

  1. Once you’re on "Security Groups" page, click on the "Manage Rules" button next to the security group you want to modify.
  2. Select TCP, UDP, or ICMP.
  3. For TCP/UDP, enter a single Port or Port Range.
  4. Select the Remote type, either a CIDR or Security Group. If you wish to open to everywhere, use CIDR "".
  5. Click on the “Add” button.


Here's a simple security group that allows web access:

Begining of port range End of port range Protocol CIDR ranges Source group Explanation
80 80 tcp • Open port 80 (http) to everyone
443 443 tcp • Open port 443 (https) to everyone

Here's one that allows an instance to act as a sendmail server, but only for one other machine:

Begining of port range End of port range Protocol CIDR ranges Source group Explanation
25 25 tcp • Open port 25 (smtp) to the lucky server at

Important: If you know what services you need access to but don't know what ports to open, there's a comprehensive list of standard ports here. You can also use 'lsof -p <PID> | grep LISTEN' as root to find ports in use by a specific process.

Communication and support

We communicate and provide support through several primary channels. Please reach out with questions and to join the conversation.

Communicate with us
Connect Best for
Phabricator Workboard #Cloud-Services Task tracking and bug reporting
IRC Channel #wikimedia-cloud connect
Telegram bridge
mattermost bridge
General discussion and support
Mailing List cloud@ Information about ongoing initiatives, general discussion and support
Announcement emails cloud-announce@ Information about critical changes (all messages mirrored to cloud@)
News wiki page News Information about major near-term plans
Cloud Services Blog Clouds & Unicorns Learning more details about some of our work
Wikimedia Technical Blog News and stories from the Wikimedia technical movement