General information about security groups
We do not recommend configuring security groups on existing networks where a load balancer or cloud database cluster is running, as this can cause the load balancer to fail and disrupt replication in the cluster. To avoid failures and data loss, create a new private network or public subnet, enable traffic filtering in it, and configure the groups there.
A security group is a set of rules for filtering traffic that is applied on cloud server ports within the same pool.
Unlike a cloud firewall, it allows you to filter all server traffic. The cloud firewall is assigned to a port on the cloud router, so it does not filter traffic between devices on the same network and subnet, or traffic to addresses on public subnets.
Security groups are not suitable for protection against DDoS attacks; use DDoS protection services for that.
You can work with security groups in the control panel or with the OpenStack CLI.
Principle of operation
A security group is assigned to one or all ports on a cloud server and filters incoming and outgoing port traffic according to specified rules. If there are no rules in the group, all traffic is discarded.
For security groups to work, port security must be enabled on the network.
The security groups use objects from the OpenStack model:
- Security Group — a security group. It serves as a container for rules that allow traffic to pass through;
- Rule — a rule in a security group. It allows traffic with certain parameters to pass through.
Security groups can operate in one of two modes:
- stateful (default) — session state is tracked. If traffic has passed through the port and a session has been established, return traffic within that session passes even without a matching rule. The session timeout is 300 seconds;
- stateless — session state is not taken into account.
You can specify the mode when creating a group and change the mode after the group is created.
Several security groups can be assigned to the same port. Their rules are applied together: if traffic matches at least one rule in any of the groups, it is allowed.
Default security group
In one project, a default security group named default is created for each pool. If port security is enabled on a network, the default security group is assigned to all ports on that network when they are created. For a cloud server, you can assign a different security group when you create a port or server.
The default security group allows all inbound and outbound traffic and operates in stateful mode. To restrict traffic using the default group, you can manage the rules in it — delete rules and add new ones.
Do not delete rules in the default security group if a Managed Kubernetes cluster is running in the project and pool of this group. Any change to the default group may cause the cluster to fail.
The default group cannot be deleted.
Rules
Rules work on the permissive principle: if traffic matches at least one rule in the group, it will be allowed. The order of the rules does not matter.
A rule allows traffic based on the following request parameters:
- direction — inbound or outbound;
- protocol — TCP, UDP, ICMP, AH, DCCP, EGP, ESP, GRE, IGMP, IPv6-ENCAP, IPv6-Frag, IPv6-ICMP, IPv6-NoNxt, IPv6-Opts, IPv6-Route, OSPF, PGM, RSVP, SCTP, UDP Lite, VRRP, IP-in-IP, or any protocol;
- port (for inbound and outbound traffic) — the port or range of ports to which a connection can be established; these are ports on the device to which the group containing the rule is assigned;
- traffic source (for inbound traffic) — an IP address, a subnet, or another security group;
- traffic destination (for outbound traffic) — an IP address, a subnet, or another security group.
When you create a security group, two rules that allow all outbound traffic are created in it by default. These rules are needed so that, when it is created, the server can request the data it needs for its configuration. You can delete these rules and add new ones.
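The filtering semantics described in "Principle of operation" and "Rules" (default deny when a group has no rules, the permissive principle with order-independent rules, the union of several groups on one port, source/destination given as a prefix or as another group, and stateful return traffic with a 300-second timeout) can be checked with a small model. The following is an added example, not Servercore's or OpenStack's own code: it is a toy evaluator with constructed addresses and packets, it models only IPv4, it treats the rule's port as a port on the protected server for both directions as the page describes, and it assumes that one cloud-server port does not mix stateful and stateless groups.

```python
"""Toy model of the security-group semantics described on this page.
Constructed example: this is not Neutron code and uses no OpenStack API."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

SESSION_TIMEOUT = 300  # seconds, the stateful session timeout stated on the page


@dataclass(frozen=True)
class Packet:
    direction: str      # "ingress" or "egress", seen from the protected server's port
    protocol: str       # "tcp", "udp", "icmp", ...
    src: str            # source IP address
    dst: str            # destination IP address
    port: int           # port on the protected server that a rule's port range refers to
    time: float = 0.0   # seconds, used only for the stateful session timeout


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: Optional[str] = None        # None = any protocol
    port_min: Optional[int] = None        # None = any port
    port_max: Optional[int] = None
    remote_prefix: Optional[str] = None   # CIDR of the source (ingress) or destination (egress)
    remote_group: Optional[str] = None    # name of another group, resolved to its members' addresses

    def matches(self, pkt: Packet, members: dict) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if not self.port_min <= pkt.port <= hi:
                return False
        remote = pkt.src if pkt.direction == "ingress" else pkt.dst
        if self.remote_prefix is not None and ip_address(remote) not in ip_network(self.remote_prefix):
            return False
        if self.remote_group is not None and remote not in members.get(self.remote_group, set()):
            return False
        return True


@dataclass
class SecurityGroup:
    name: str
    stateful: bool = True
    rules: list = field(default_factory=list)


class PortFilter:
    """All groups assigned to one cloud-server port, plus that port's session table."""

    def __init__(self, groups, members=None):
        modes = {g.stateful for g in groups}
        if len(modes) > 1:
            # Assumption of this model: one port does not mix stateful and stateless groups.
            raise ValueError("mixed stateful/stateless groups on one port")
        self.groups = list(groups)
        self.stateful = modes == {True}
        self.members = members or {}   # group name -> set of member IP addresses (constructed)
        self.sessions = {}             # (protocol, remote ip, port) -> (opening direction, last seen)

    def allowed(self, pkt: Packet) -> bool:
        remote = pkt.src if pkt.direction == "ingress" else pkt.dst
        key = (pkt.protocol, remote, pkt.port)
        if self.stateful and key in self.sessions:
            opened_by, last_seen = self.sessions[key]
            if pkt.time - last_seen > SESSION_TIMEOUT:
                del self.sessions[key]            # expired: the packet must match a rule again
            elif opened_by != pkt.direction:
                self.sessions[key] = (opened_by, pkt.time)
                return True                       # return traffic passes without a rule
        # Permissive principle: the rules of all groups form one union, their order is
        # irrelevant, and a port whose groups hold no rules drops everything.
        for group in self.groups:
            for rule in group.rules:
                if rule.matches(pkt, self.members):
                    if self.stateful:
                        self.sessions[key] = (pkt.direction, pkt.time)
                    return True
        return False


def demo() -> dict:
    """Constructed scenario: web server 10.0.0.5 with a 'web' and an 'admin' group on its port."""
    web_rules = [
        Rule("ingress", "tcp", 443, 443, remote_prefix="0.0.0.0/0"),
        Rule("egress"),  # stands in for the allow-all outbound rule a new group gets (IPv4 only here)
    ]
    admin = SecurityGroup("admin", rules=[Rule("ingress", "tcp", 22, 22, remote_group="bastion")])
    members = {"bastion": {"10.0.0.10"}}
    stateful_port = PortFilter([SecurityGroup("web", rules=web_rules), admin], members)
    stateless_port = PortFilter([SecurityGroup("web", stateful=False, rules=web_rules)], members)
    empty_port = PortFilter([SecurityGroup("empty")])

    dns_query = Packet("egress", "udp", "10.0.0.5", "10.0.0.2", 40000, time=0)
    dns_reply = Packet("ingress", "udp", "10.0.0.2", "10.0.0.5", 40000, time=10)
    late_reply = Packet("ingress", "udp", "10.0.0.2", "10.0.0.5", 40000, time=400)
    stateless_port.allowed(dns_query)  # allowed by the egress rule, but no session is recorded

    return {
        "https_from_internet": stateful_port.allowed(Packet("ingress", "tcp", "203.0.113.7", "10.0.0.5", 443)),
        "ssh_from_bastion": stateful_port.allowed(Packet("ingress", "tcp", "10.0.0.10", "10.0.0.5", 22)),
        "ssh_from_elsewhere": stateful_port.allowed(Packet("ingress", "tcp", "10.0.0.99", "10.0.0.5", 22)),
        "dns_query_out": stateful_port.allowed(dns_query),
        "dns_reply_stateful": stateful_port.allowed(dns_reply),
        "dns_reply_after_timeout": stateful_port.allowed(late_reply),
        "dns_reply_stateless": stateless_port.allowed(dns_reply),
        "empty_group_egress": empty_port.allowed(dns_query),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'dropped'}")
```

The `demo()` scenario shows the points a practitioner trips over most often: the stateless port drops the DNS reply because no inbound rule covers the ephemeral port, the stateful port drops the same reply once 300 seconds have passed since the session was last seen, and the group with no rules drops even outbound traffic.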
Limitations
In one project, you can create:
- up to 20 security groups, including the default security group;
- no more than 200 rules.
The number of security groups and rules on one port is limited by the same project limits: no more than 20 groups and no more than 200 rules.
Servercore blocks some TCP/UDP ports by default. If inbound or outbound traffic through a port is blocked by default, it will not pass even if an allow rule exists.
Cost
Security groups are provided free of charge.