Help:Security groups
A security group is a set of firewall rules that can be applied to Cloud VPS instances.
Each instance should belong to one or more security groups.
Default security group
Every instance should be a member of the default group. The default security group allows all incoming connections from all other instances in the same security group. This means that traffic within a project is not blocked.
If you plan to run other network services on your instances (for example, an external web server that needs to accept HTTPS), you will need to create an additional custom security group and add it to your instance.
Create a new security group
You must be a Project admin in order to create, add or modify security groups.
- Log into Horizon
- From the top-left dropdown, select the project containing the relevant instance
- Under "Network", select "Security Groups" - you'll see a list of available security groups.
- Click on the "Create Security Group" button
- Enter a new security group name, e.g., “web”.
- Enter a description (optional, but possibly helpful, e.g., firewall rules for web access).
- Click on the “Create Security Group” button.
Add rules
Each security group can have multiple rules. Each rule is either an individual rule (for example: allow TCP port 22 for the 10.4.0.0/24 CIDR range) or a group rule (allow all traffic from the web group in the testlabs project).
You can define rules for TCP, UDP and ICMP; for TCP and UDP you also specify a single port or a range of ports. The remote can be either another security group within the project or a CIDR.
- Once you’re on the "Security Groups" page, click on the "Manage Rules" button next to the security group you want to modify.
- Select TCP, UDP, or ICMP.
- For TCP/UDP, enter a single Port or Port Range.
- Select the Remote type, either a CIDR or Security Group. If you wish to open to everywhere, use CIDR "0.0.0.0/0".
- Click on the “Add” button.
Assign a security group to an instance
By default a new security group is not assigned to any instance. Here is how to assign it:
- Visit "Compute" > "Instances"
- Click on the "Actions ▼" dropdown (precisely on the "▼" symbol) and pick "Edit Security Groups"
- From the column "All Security Groups", click on "+" next to the relevant security group
- Click "Save"
Examples
Here's a simple security group that allows web access:
| Port range | Type | Protocol | Remote IP range | Remote security group | Explanation |
|---|---|---|---|---|---|
| 80 | IPv4 | tcp | 0.0.0.0/0 | | Open port 80 (http) to everyone |
| 80 | IPv6 | tcp | ::/0 | | Open port 80 (http) to everyone |
| 443 | IPv4 | tcp | 0.0.0.0/0 | | Open port 443 (https) to everyone |
| 443 | IPv6 | tcp | ::/0 | | Open port 443 (https) to everyone |
Here's one that allows an instance to act as a sendmail server, but only for one other machine:
| Port range | Type | Protocol | Remote IP range | Remote security group | Explanation |
|---|---|---|---|---|---|
| 25 | IPv4 | tcp | 192.168.17.31 | | Open port 25 (smtp) to the lucky server at 192.168.17.31 |
Important: If you know what services you need access to but don't know what ports to open, there's a comprehensive list of standard ports. You can also use 'lsof -p <PID> | grep LISTEN' as root to find ports in use by a specific process.
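To make the semantics of the tables above concrete, here is a small Python model of how the rules are evaluated. It is an added illustration, not part of the original page or of OpenStack itself; the rule sets are constructed from the examples above plus the default group's intra-group rule, and the instance and source addresses are made up. It shows why IPv4 and IPv6 need separate rows, why a bare address behaves as a single-host CIDR, and how the default group lets members reach each other while everything not matched by some rule is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One ingress rule, as shown in Horizon's "Manage Rules" table."""
    protocol: Optional[str]             # "tcp", "udp", "icmp" or None for any
    port_min: Optional[int]             # None means all ports
    port_max: Optional[int]
    remote_cidr: Optional[str] = None   # remote is either a CIDR ...
    remote_group: Optional[str] = None  # ... or another security group

# Constructed rule sets mirroring the page's examples (not an export of a real project).
GROUPS = {
    # The default group lets members talk to each other on every protocol and port.
    "default": [Rule(None, None, None, remote_group="default")],
    "web": [
        Rule("tcp", 80, 80, remote_cidr="0.0.0.0/0"),
        Rule("tcp", 80, 80, remote_cidr="::/0"),
        Rule("tcp", 443, 443, remote_cidr="0.0.0.0/0"),
        Rule("tcp", 443, 443, remote_cidr="::/0"),
    ],
    # A bare address is a /32 (or /128) network: exactly one remote host.
    "mail": [Rule("tcp", 25, 25, remote_cidr="192.168.17.31")],
}

def rule_matches(rule, protocol, port, src_ip, src_groups):
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_min is not None:
        if port is None or not (rule.port_min <= port <= rule.port_max):
            return False
    if rule.remote_group is not None:
        return rule.remote_group in src_groups
    net = ipaddress.ip_network(rule.remote_cidr)
    addr = ipaddress.ip_address(src_ip)
    # An IPv4 row never matches IPv6 traffic and vice versa, hence the paired rows.
    return addr.version == net.version and addr in net

def is_allowed(instance_groups, protocol, port, src_ip, src_groups=()):
    """Security groups are allow-lists: traffic passes if any rule of any group
    attached to the instance matches; otherwise it is dropped."""
    return any(
        rule_matches(rule, protocol, port, src_ip, src_groups)
        for group in instance_groups
        for rule in GROUPS[group]
    )
```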
Communication and support
Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:
- Chat in real time in the IRC channel #wikimedia-cloud or the bridged Telegram group
- Discuss via email after you have subscribed to the cloud@ mailing list
- Subscribe to the cloud-announce@ mailing list (all messages are also mirrored to the cloud@ list)
- Read the News wiki page
- Use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself
- Read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)