Security Groups
Overview
Security Groups are stateful firewall policies that control inbound and outbound network traffic at the hypervisor level. Unlike traditional per-instance firewall rules, Security Groups are reusable objects that can be shared across multiple instances.
Key characteristics:
- Stateful -- Return traffic for allowed connections is automatically permitted. Only rules for initiating connections need to be defined.
- Deny-by-default -- When a security group has ingress rules, any traffic not explicitly allowed is dropped. The same applies to egress rules.
- Additive -- When multiple security groups are attached to an instance, all rules from all groups are merged. If any group allows a particular traffic flow, it is permitted.
- Real-time sync -- Rule changes propagate to hypervisors automatically within one minute.
Default Behavior
When an instance has no security groups attached, all traffic is allowed in both directions (with the exception of outbound SMTP port 25, which is blocked unless SMTP is enabled for the user).
When one or more security groups are attached:
- If any attached group contains ingress rules, all inbound traffic not matching a rule is dropped
- If no attached group contains any ingress rules, all inbound traffic is allowed
- The same logic applies independently to egress rules
- SMTP (TCP port 25) outbound is always blocked unless the user has SMTP enabled, regardless of security group rules
Admin Setup
Global vs. User Security Groups
Security groups have two scopes:
| Scope | Created By | Editable By | Visible To |
|---|---|---|---|
| Global | Admin | Admin only | All users |
| User | Admin or User | Owner or Admin | Owner only |
- Global security groups are visible to all users and can be attached to any instance, but only admins can create, edit, or delete them. Use these for platform-wide policies (e.g., "Allow SSH", "Allow Web Traffic").
- User security groups belong to a specific user. The owning user can manage rules and delete the group.
Users cannot modify rules on global security groups -- they can only attach or detach them from their instances.
Creating Security Groups (Admin)
- Navigate to Connectivity → Security Groups
- Click Create Security Group
- Enter a Name and optional Description
- Optionally select a User -- leave blank to create a global security group
- Click Create
Creating IP Sets (Admin)
Admins can create global IP sets (visible to all users) or user-scoped IP sets:
- Navigate to Connectivity → IP Sets
- Click Create IP Set
- Enter a Name, optional Description, and select IP Version (IPv4 or IPv6)
- Optionally select a User -- leave blank for a global IP set
- Click Create
User Guide
Creating a Security Group
- Navigate to Security Groups in the sidebar
- Click Create Security Group
- Enter a Name and optional Description
- Click Create
User-created security groups are always scoped to the creating user.
Managing Rules
Rules define what traffic is allowed through the security group. Each rule specifies a direction, protocol, optional port range, IP version, and a traffic source or destination.
Rule Parameters
| Parameter | Values | Description |
|---|---|---|
| Direction | Ingress, Egress | Inbound or outbound traffic |
| Protocol | TCP, UDP, ICMP, ICMPv6, All | Network protocol to match |
| Port Range Min | 1 -- 65535 | Start of port range (TCP/UDP only) |
| Port Range Max | 1 -- 65535 | End of port range (TCP/UDP only) |
| IP Version | IPv4, IPv6 | Whether the rule applies to IPv4 or IPv6 traffic |
| Source Type | CIDR, Remote Group, or IP Set | How to match the remote endpoint |
| Description | Free text | Optional description for the rule |
For a single port, set both min and max to the same value. For ICMP/ICMPv6/All protocols, port fields are not used.
Source Types
Each rule uses exactly one of three mutually exclusive source types:
1. CIDR
A specific IP address or network range in CIDR notation:
0.0.0.0/0-- all IPv4 addresses192.168.1.0/24-- a /24 subnet10.0.0.5/32-- a single IPv4 address::/0-- all IPv6 addresses
The CIDR must match the rule's IP version.
2. Remote Security Group
Reference another security group. The rule will dynamically match all IP addresses of instances that are members of the referenced group. This is useful for allowing traffic between groups of instances without hardcoding IP addresses.
Example: Creating an ingress rule on a "Database Servers" group that references a "Web Servers" group allows all instances in the Web Servers group to reach the Database Servers.
When instances join or leave the referenced group, the rules update automatically on the next sync cycle.
3. IP Set
Reference a user-defined IP Set -- a named collection of CIDR entries. This provides a reusable list of addresses that can be shared across multiple rules. See the IP Sets section below.
Adding a Rule
On the security group detail page:
- Click Add Rule
- Select Direction (Ingress or Egress)
- Select Protocol (TCP, UDP, ICMP, ICMPv6, or All)
- If TCP or UDP, enter the Port Range (min and max)
- Select IP Version (IPv4 or IPv6)
- Choose the Source Type:
- CIDR: Enter an IP address or CIDR range
- Remote Group: Select a security group from the dropdown
- IP Set: Select an IP set from the dropdown (filtered by IP version)
- Optionally add a Description
- Click Add Rule
Duplicate rules (same direction, protocol, port range, IP version, and source) are rejected.
Removing a Rule
Click the delete button next to any rule in the rules table. The rule is removed immediately and propagates to hypervisors on the next sync cycle.
Common Rule Examples
Allow SSH from anywhere (IPv4):
| Direction | Protocol | Port Min | Port Max | Source |
|---|---|---|---|---|
| Ingress | TCP | 22 | 22 | 0.0.0.0/0 |
Allow HTTP and HTTPS:
| Direction | Protocol | Port Min | Port Max | Source |
|---|---|---|---|---|
| Ingress | TCP | 80 | 80 | 0.0.0.0/0 |
| Ingress | TCP | 443 | 443 | 0.0.0.0/0 |
Allow all traffic from a private subnet:
| Direction | Protocol | Port Min | Port Max | Source |
|---|---|---|---|---|
| Ingress | All | -- | -- | 10.0.0.0/8 |
Allow ping (ICMP):
| Direction | Protocol | Port Min | Port Max | Source |
|---|---|---|---|---|
| Ingress | ICMP | -- | -- | 0.0.0.0/0 |
Allow database access only from web servers:
| Direction | Protocol | Port Min | Port Max | Source |
|---|---|---|---|---|
| Ingress | TCP | 3306 | 3306 | Remote Group: "Web Servers" |
Attaching Security Groups to Instances
Each instance can have up to 10 security groups attached simultaneously.
From the Instance Manage Page
Both admin and user panels have a Security Groups tab on the instance manage page:
- Open the instance manage page
- Click the Security Groups tab
- Click Attach Security Group
- Select a security group from the dropdown
- Click Attach
To detach, click the unlink button next to the security group in the attached list.
From the Security Group Detail Page
On a security group's detail page, use the Instances section to attach or detach instances directly.
Important Notes
- Attaching or detaching a security group takes effect within one minute
- When no security groups are attached, the instance allows all traffic (open firewall)
- The maximum of 10 security groups per instance is enforced
- When an instance is started, resumed, or migrated, its security group rules are applied automatically before the instance gains network access
VPC Interface Support
Security Groups work on both public and VPC interfaces. For VPC instances, the firewall controls inter-instance communication within the VPC.
Use case: Multiple VPC subnets (e.g., 10.0.1.0/24 for web servers and 10.0.2.0/24 for databases). By default, all instances on the same VPC can communicate freely. With security groups, database instances can be restricted to only accept connections from the web server subnet.
Security groups are the recommended way to control traffic between instances on VPC networks. They provide fine-grained control over which subnets and instances can communicate with each other.
IP Sets
IP Sets are named collections of IP addresses and CIDR ranges that can be referenced in security group rules. They provide a convenient way to manage lists of addresses that appear in multiple rules or change frequently.
Creating an IP Set
User Panel
- Navigate to IP Sets in the sidebar
- Click Create IP Set
- Enter a Name, optional Description, and select IP Version
- Click Create
Managing Entries
On the IP set detail page:
Adding a single entry:
- Enter an IP address or CIDR (e.g.,
192.168.1.0/24or10.0.0.1) - Optionally add a description
- Click Add Entry
Bare IP addresses are automatically normalized to CIDR notation (/32 for IPv4, /128 for IPv6).
Bulk adding entries:
- Click Bulk Add
- Enter multiple CIDRs, one per line
- Click Add All
Duplicates are skipped automatically. Invalid entries are reported with error messages.
Removing entries: Click the delete button next to any entry.
Using IP Sets in Rules
When adding a rule to a security group, select IP Set as the source type and choose from the dropdown. The dropdown only shows IP sets whose IP version matches the rule's IP version.
Constraints
- An IP set's IP version cannot be changed once entries have been added
- An IP set cannot be deleted while it is referenced by any security group rule -- remove the referencing rules first
- Global IP sets (no user) are visible to all users but can only be managed by admins
Troubleshooting
Rules not taking effect
Security group changes propagate within one minute. If rules are not applying:
- Verify the security group is attached to the instance (check the Security Groups tab)
- Ensure the instance has at least one ingress rule -- having zero ingress rules means all inbound traffic is allowed
- Check that the rule's IP version matches the traffic being tested (an IPv4 rule won't affect IPv6 traffic)
- Verify the port range is correct for TCP/UDP rules
Instance allows all traffic despite having security groups
This happens when the attached security groups have no ingress or egress rules. The system treats "no rules in a direction" as "allow all in that direction." Add at least one ingress rule to activate ingress filtering.
Cannot delete a security group
A security group is automatically detached from all instances when deleted. If the delete fails, check the application logs for errors.
Cannot delete an IP set
An IP set cannot be deleted while any security group rule references it. Remove or modify the referencing rules first, then delete the IP set.