Help:Security groups

From Wikitech

A security group is a set of firewall rules that can be applied to instances. Each instance should belong to one or more security groups; if an instance is not a member of any security group, it will be entirely isolated from the world outside of the project.

Every project has a 'default' security group that initially grants the rest of Labs access to ICMP and to TCP ports 22 (SSH), 5666 (NRPE, used for status monitoring), and 80 (HTTP). Unless you are doing something very unusual, you will want every instance to be a member of the default group. Note that, as initially configured, the 'default' security group allows all incoming connections from all other instances in the same security group; in effect, traffic within a project is not blocked in any way.

If you are planning to run other network services on your instances (e.g. an externally reachable web server that also needs HTTPS), you will need to create an additional custom security group and add it to your instance.

Creating a new group

You must be a projectadmin in order to create, add or modify security groups.

  1. Log into Horizon
  2. Select the project containing the instance from the dropdown.
  3. Select 'Access & Security' under Compute, under Project.
  4. Select the 'Security Groups' tab - you’ll see a list of available security groups.
  5. Click on the "Create Security Group" button
  6. Enter a new security group name, e.g., “web”.
  7. Enter a description (optional, but possibly helpful, e.g., firewall rules for web access).
  8. Click on the “Create Security Group” button.

Adding rules

Each security group consists of one or more rules. You can define rules for TCP, UDP (for these two, either a single port or a range of ports), and ICMP. The remote can be either another security group within the project or a CIDR. We use for the rest of Labs (technically this includes production hosts, but those are mostly firewalled off from Labs), and (but note that this doesn't grant you a public IP on its own). You must be a projectadmin in order to create, add, or modify security group rules.

  1. Once you’re on "Security Groups" page, click on the "Manage Rules" button next to the security group you want to modify.
  2. Select TCP, UDP, or (unlikely unless you're doing something very strange) ICMP (or one of the pre-defined rules).
  3. For TCP/UDP, enter a single Port or Port Range.
  4. Select the Remote type, either a CIDR or Security Group. If you wish to open to everywhere, use CIDR "".
  5. Click on the “Add” button.


Here's a simple security group that allows web access:

Beginning of port range  End of port range  Protocol  CIDR ranges  Source group  Explanation
80                       80                 tcp                                  Open port 80 (http) to everyone
443                      443                tcp                                  Open port 443 (https) to everyone

Here's one that allows an instance to act as a sendmail server, but only for one other machine:

Beginning of port range  End of port range  Protocol  CIDR ranges  Source group  Explanation
25                       25                 tcp                                  Open port 25 (smtp) to the lucky server at

Important: If you know what services you need access to but don't know what ports to open, there's a comprehensive list of standard ports here. You can also use 'lsof -p <PID> | grep LISTEN' as root to find ports in use by a specific process.
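As an added illustration (not part of this Wikitech page or of OpenStack itself), the following Python evaluator applies the security-group semantics described above to a candidate connection: rules only ever allow traffic, an instance's effective policy is the union of the rules of every group it belongs to, a rule's remote is either a CIDR or another security group, and an instance with no group at all is isolated. The Labs-wide range LABS_CIDR is a constructed placeholder because the page does not state the real value; 0.0.0.0/0 is the conventional CIDR for "open to everyone".

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str                       # "tcp", "udp" or "icmp"
    port_min: Optional[int] = None      # None for icmp
    port_max: Optional[int] = None
    cidr: Optional[str] = None          # remote given as a CIDR range ...
    source_group: Optional[str] = None  # ... or as another security group

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

LABS_CIDR = "10.0.0.0/8"   # constructed placeholder; not the real Labs range
EVERYWHERE = "0.0.0.0/0"   # "open to everyone"

def default_group() -> SecurityGroup:
    """Model the per-project 'default' group as the page describes it."""
    g = SecurityGroup("default")
    for port in (22, 5666, 80):                     # SSH, NRPE, HTTP from Labs
        g.rules.append(Rule("tcp", port, port, cidr=LABS_CIDR))
    g.rules.append(Rule("icmp", cidr=LABS_CIDR))
    for proto in ("tcp", "udp"):                    # members reach each other freely
        g.rules.append(Rule(proto, 1, 65535, source_group="default"))
    g.rules.append(Rule("icmp", source_group="default"))
    return g

def allowed(instance_groups, protocol, port, src_ip, src_groups=()):
    """True if any rule of any group on the instance matches the connection.

    src_groups: names of the security groups the *sending* instance belongs to
    (empty for an external client); used to evaluate source-group rules.
    """
    if not instance_groups:
        return False                  # no group at all: fully isolated
    src = ip_address(src_ip)
    for group in instance_groups:
        for r in group.rules:
            if r.protocol != protocol:
                continue
            if protocol != "icmp" and not (r.port_min <= port <= r.port_max):
                continue
            if r.cidr is not None and src in ip_network(r.cidr):
                return True
            if r.source_group is not None and r.source_group in src_groups:
                return True
    return False
```

The web and sendmail groups from the tables above are built as a "web" group with TCP 80 and 443 open to EVERYWHERE and a "mail" group with TCP 25 open to a single /32; evaluating them shows why an instance needs both "default" and the custom group.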