Help:Security groups

From Wikitech

Overview

A security group is a set of firewall rules that can be applied to Cloud VPS instances.

Each instance should belong to one or more security groups.

Default security group

Every instance should be a member of the default group. The default security group allows all incoming connections from all other instances in the same security group. This means that traffic within a project is not blocked.

If you plan to run other network services on your instances (e.g. an external web server that must accept HTTPS), you will need to create an additional custom security group and add it to your instance.

Create a new security group

You must be a Project admin in order to create, add or modify security groups.

  1. Log into Horizon
  2. From the top-left dropdown, select the project containing the relevant instance
  3. Under "Network", select "Security Groups" - you'll see a list of available security groups.
  4. Click on the "Create Security Group" button
  5. Enter a new security group name, e.g., “web”.
  6. Enter a description (optional, but possibly helpful, e.g., firewall rules for web access).
  7. Click on the “Create Security Group” button.

Add rules

Each security group can have multiple rules, where each rule can be an individual rule (for example: allow tcp port 22 to the 10.4.0.0/24 CIDR range), or a group rule (allow all traffic from the web group in the testlabs project).

You can define rules for TCP, UDP and ICMP; for TCP and UDP you also specify a single port or a range of ports. The remote can be either another security group within the project or a CIDR.

  1. Once you’re on the "Security Groups" page, click on the "Manage Rules" button next to the security group you want to modify.
  2. Select TCP, UDP, or ICMP.
  3. For TCP/UDP, enter a single Port or Port Range.
  4. Select the Remote type, either a CIDR or Security Group. If you wish to open to everywhere, use CIDR "0.0.0.0/0".
  5. Click on the “Add” button.

Assign a security group to an instance

By default a new security group is not assigned to any instance. Here is how to do it:

  1. Visit "Compute" > "Instances".
  2. Click on the "Actions ▼" dropdown (precisely on the "▼" symbol) and pick "Edit Security Groups".
  3. From the column "All Security Groups", click on "+" next to the relevant security group.
  4. Save.

Examples

Here's a simple security group that allows web access:

Beginning of port range | End of port range | Protocol | CIDR ranges | Source group | Explanation
80                      | 80                | tcp      | 0.0.0.0/0   | -            | Open port 80 (http) to everyone
443                     | 443               | tcp      | 0.0.0.0/0   | -            | Open port 443 (https) to everyone

Here's one that allows an instance to act as a sendmail server, but only for one other machine:

Beginning of port range | End of port range | Protocol | CIDR ranges   | Source group | Explanation
25                      | 25                | tcp      | 192.168.17.31 | -            | Open port 25 (smtp) to the lucky server at 192.168.17.31

Important: If you know what services you need access to but don't know what ports to open, there's a comprehensive list of standard ports. You can also use 'lsof -p <PID> | grep LISTEN' as root to find ports in use by a specific process.
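To check how the rules from the two tables above combine with the default group before applying them in Horizon, here is an added Python model of security-group evaluation (written for this page, not code from Wikitech or OpenStack). It assumes the semantics described above: ingress is denied unless some rule in one of the instance's groups matches, a CIDR rule matches on source address, and a group rule matches when the sender is a member of that group; the group contents and the source addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str               # "tcp", "udp" or "icmp"
    port_from: Optional[int]    # None for icmp
    port_to: Optional[int]
    cidr: Optional[str] = None          # remote given as a CIDR range ...
    source_group: Optional[str] = None  # ... or as another security group

    def matches(self, protocol, port, src_ip, src_groups):
        if protocol != self.protocol:
            return False
        if self.protocol != "icmp" and not (self.port_from <= port <= self.port_to):
            return False
        if self.cidr is not None:
            # strict=False lets a bare host address such as 192.168.17.31 act as a /32
            return ip_address(src_ip) in ip_network(self.cidr, strict=False)
        return self.source_group in src_groups


# Constructed sample: the default group plus the two example groups from this page
GROUPS = {
    "default": [Rule("tcp", 1, 65535, source_group="default"),
                Rule("udp", 1, 65535, source_group="default"),
                Rule("icmp", None, None, source_group="default")],
    "web": [Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
            Rule("tcp", 443, 443, cidr="0.0.0.0/0")],
    "mail": [Rule("tcp", 25, 25, cidr="192.168.17.31")],
    "ssh-anywhere": [Rule("tcp", 22, 22, cidr="0.0.0.0/0")],  # deliberately too open
}


def is_allowed(instance_groups, protocol, port, src_ip, src_groups=()):
    """Ingress is accepted if any rule in any of the instance's groups matches; default deny."""
    return any(rule.matches(protocol, port, src_ip, src_groups)
               for group in instance_groups for rule in GROUPS[group])


def world_open_ports(instance_groups, expected=frozenset({80, 443})):
    """Lint: TCP/UDP ranges open to 0.0.0.0/0 (or ::/0) that reach ports beyond the expected public ones."""
    findings = []
    for group in instance_groups:
        for rule in GROUPS[group]:
            if rule.cidr is None or rule.protocol == "icmp":
                continue
            if ip_network(rule.cidr, strict=False).prefixlen != 0:
                continue
            if set(range(rule.port_from, rule.port_to + 1)) - expected:
                findings.append((group, rule.protocol, rule.port_from, rule.port_to))
    return findings
```

The lint mirrors the habit of reviewing every `0.0.0.0/0` rule: port 22 open to the world on an instance that only needs HTTPS is exactly the kind of rule worth catching before it is assigned.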

Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

Discuss and receive general support
Stay aware of critical changes and plans
Track work tasks and report bugs

Use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself

Read stories and WMCS blog posts

Read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)