Security groups¶
Service description¶
Security groups are sets of IP filter rules that are applied to instances (virtual machines) to control incoming and outgoing network traffic. Security groups provide a way to enforce network security policies at the instance level, offering a flexible and dynamic firewall mechanism.
Features¶
Security groups in cloud environments like OpenStack offer several features to enhance the security of virtual machines (VMs) and other cloud resources. Some key features of security groups include:
- Stateful firewall rules, to keep track of the state of network connections (such as TCP streams or UDP communication) and can automatically allow return traffic for established connections.
- Ingress and egress filtering, to allow users to define rules for both incoming (ingress) and outgoing (egress) network traffic (this enables fine-grained control over what traffic is allowed to enter or leave virtual machines)
- Protocol and port specification, so you can specify rules based on network protocols (e.g., TCP, UDP, ICMP) and port numbers (this allows for precise control over which types of traffic are allowed or blocked)
- IP address range filtering, to allow or deny traffic from specific IP address ranges (this is useful for restricting access to VMs from certain networks or IP addresses)
- Multiple security groups per virtual machine, so that a single VM can be associated with multiple security groups, allowing for the combination of different sets of rules to create a comprehensive security policy
- Dynamic rule modification, so that rules can be added, modified, or removed dynamically, and the changes are applied immediately to all virtual machines associated with the security group (this allows for quick updates to security policies without the need to restart VMs)
- Default security group, so that every virtual machine is automatically assigned to a default group
- Integration with Networking services, with cloud networking services, allowing for seamless enforcement of security policies at the network level
Key concepts¶
How it works¶
- When an instance is created, it is automatically associated with the default security group, which allows inbound traffic from instances in the same security group and outbound traffic to all destinations. You can modify the default security group rules or create new security groups with custom rules.
- Security group rules define the allowed or denied network traffic based on criteria such as IP protocol (e.g., TCP, UDP, ICMP), port range, source and destination IP address ranges, and direction (ingress or egress). For example, a rule might allow inbound TCP traffic on port 80 (HTTP) from any source IP address.
- Security groups are associated with instances' network interfaces. Multiple security groups can be assigned to a single instance, and a single security group can be applied to multiple instances. This allows for flexible and granular control of network access.
- Security group rules are stateful, meaning that they automatically allow return traffic for established connections. For example, if an outbound connection is allowed, the corresponding inbound response is also permitted.
- Security group rules can be added, modified, or removed dynamically, and the changes are applied immediately to all instances associated with the security group. This allows for real-time updates to security policies without the need to restart instances.