---
copyright:
lastupdated: "2017-08-08"
---
Consider the following guidelines when you work with security groups:
- Each security group defines a set of network rules that control the incoming and outgoing traffic of a virtual server instance. You can specify rules for both IPv4 and IPv6.
- When you create a security group in the Customer Portal interface, the default behavior is to create a single rule that allows all outbound traffic from the virtual server instance. Clear the "Create group with a default rule to allow all outbound traffic" check box to create the security group with no rules. A security group with no rules blocks all traffic, both inbound and outbound.
- To allow inbound traffic, outbound traffic, or both, you must attach at least one security group that contains rules that allow that traffic.
- Security group rules can only be permissive: a rule allows the traffic that matches it, and there are no deny rules. Traffic that no rule allows is blocked by default.
- Users with the Manage Security Groups privilege can add, edit, or delete rules in a security group.
- Changes to security group rules are applied automatically, and rules can be modified at any time.
- The order of rules within a security group does not matter. Because every rule is an allow rule, traffic is permitted if any rule matches it, so the effective policy is always the least restrictive combination of the rules. Reordering rules cannot tighten a policy; only removing or narrowing rules can.
- Security groups do not override the operating system firewall on the virtual server. If the operating system firewall is more restrictive than the security group rules, the operating system rules are still enforced, so traffic must be allowed by both the security group and the operating system firewall before it reaches a service.
- If your virtual server needs access to internal services, such as an update server, network attached storage (NAS), or advanced monitoring, ensure that the security group rules accommodate traffic for those internal services. For more information, see What IP ranges do I allow through the firewall? and Accessing Block Storage on Linux.
- A security group can be applied to a private network, a public network, or both network interface types.
- You can attach one or more security groups to a network interface. The rules of every attached security group apply to the associated virtual server instance, so a flow is allowed if any attached group has a rule that allows it.
- The first time that you assign an existing security group to a network interface (public or private), a restart is required for each interface. If the public and private interfaces are assigned to the security group at the same time, only one restart is required. After that restart, subsequent changes are applied automatically.
- During the beta period for security groups, only accounts that are participating in the beta can view and work with security groups.
- All users within an account that has security groups enabled can read, attach, and detach security groups on the virtual server instances to which they have access. Only users with the Manage Security Groups privilege in Network Permissions can create, update, and delete security groups.
- You cannot assign security groups to bare metal servers.
- You cannot delete a security group that is assigned to one or more running virtual server instances.
- You cannot delete a security group that another security group is referencing in one of its rules.
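The guidelines above describe an evaluation model with several non-obvious consequences: rules are allow-only, rule order is irrelevant, an empty group attached on its own blocks everything, rules of all attached groups combine, the operating system firewall still applies, and a group that another group references cannot be deleted. The following is an added example, not IBM Cloud or SoftLayer code, that models that policy in Python so these consequences can be checked offline against a constructed set of groups. The rule attributes (direction, ethertype, protocol, port range, remote IP, remote security group) follow the options a security group rule exposes, but the exact mapping to API field names, the modelling of the portal default as one allow-all egress rule per ethertype, and the sample groups "web", "db" and "locked-down" are assumptions made for illustration.

```python
"""Added example (not IBM Cloud/SoftLayer code): a model of security group
evaluation that reproduces the guidelines above so they can be checked offline.
Rule attributes follow the options a security group rule exposes (direction,
ethertype, protocol, port range, remote IP or remote security group); the exact
mapping to API field names is an assumption, as are the sample groups."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """One flow as seen from the instance's network interface."""
    direction: str                 # "ingress" or "egress"
    remote: str                    # the peer address
    protocol: str                  # "tcp", "udp", "icmp", ...
    port: Optional[int] = None     # destination port; None for ICMP and similar
    ethertype: str = "IPv4"        # "IPv4" or "IPv6"
    remote_groups: FrozenSet[str] = frozenset()  # groups the peer is attached to


@dataclass(frozen=True)
class Rule:
    """A security group rule is allow-only: it matches a flow or says nothing."""
    direction: str
    ethertype: str = "IPv4"
    protocol: Optional[str] = None       # None = any protocol
    port_min: Optional[int] = None       # None = any port
    port_max: Optional[int] = None       # None = same as port_min
    remote_ip: Optional[str] = None      # CIDR; None = any address
    remote_group: Optional[str] = None   # name of another security group

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.ethertype != pkt.ethertype:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if pkt.port is None or not self.port_min <= pkt.port <= hi:
                return False
        if self.remote_ip is not None:
            if ip_address(pkt.remote) not in ip_network(self.remote_ip, strict=False):
                return False
        if self.remote_group is not None and self.remote_group not in pkt.remote_groups:
            return False
        return True


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule]


def default_portal_group(name: str) -> SecurityGroup:
    """The portal default (allow all outbound), modelled as one allow-all egress
    rule per ethertype so that both IPv4 and IPv6 traffic may leave."""
    return SecurityGroup(name, [Rule("egress", "IPv4"), Rule("egress", "IPv6")])


def allowed_by_groups(groups: List[SecurityGroup], pkt: Packet) -> bool:
    """Any matching rule in any attached group allows the flow. There is no deny
    rule, so neither rule order nor group order can change the result, and a
    group with no rules contributes nothing (attached alone, it blocks all).
    The model assumes at least one group is attached; it says nothing about an
    interface that has no security group at all."""
    return any(rule.matches(pkt) for group in groups for rule in group.rules)


def effective_allowed(groups: List[SecurityGroup], pkt: Packet,
                      os_firewall_allows: bool) -> bool:
    """Security groups do not override the OS firewall: both must allow."""
    return allowed_by_groups(groups, pkt) and os_firewall_allows


def deletable(group: SecurityGroup, attached_to_running: bool,
              all_groups: List[SecurityGroup]) -> bool:
    """A group cannot be deleted while it is assigned to a running instance or
    while another group's rule references it as a remote group."""
    referenced = any(rule.remote_group == group.name
                     for other in all_groups if other is not group
                     for rule in other.rules)
    return not attached_to_running and not referenced


# Constructed sample policy (assumed names and ranges, for illustration only).
WEB = SecurityGroup("web", [
    Rule("ingress", protocol="tcp", port_min=443),                         # HTTPS from anywhere
    Rule("ingress", protocol="tcp", port_min=22, remote_ip="10.0.0.0/8"),  # SSH from private net
    Rule("egress"),                                                        # all outbound IPv4
])
DB = SecurityGroup("db", [
    Rule("ingress", protocol="tcp", port_min=5432, remote_group="web"),    # only from web members
])
EMPTY = SecurityGroup("locked-down", [])

if __name__ == "__main__":
    https = Packet("ingress", "203.0.113.7", "tcp", 443)
    ssh_public = Packet("ingress", "203.0.113.7", "tcp", 22)
    print("https from internet:", allowed_by_groups([WEB], https))       # True
    print("ssh from internet:", allowed_by_groups([WEB], ssh_public))    # False
    print("empty group alone:", allowed_by_groups([EMPTY], https))       # False
    print("empty + web:", allowed_by_groups([EMPTY, WEB], https))        # True
    print("web deletable:", deletable(WEB, False, [WEB, DB]))            # False, db references it
```

Reversing a group's rule list or swapping the order of attached groups never changes `allowed_by_groups`, which is the practical meaning of "the least restrictive rule wins": to tighten what an instance accepts you remove or narrow rules (or detach the group that carries them), and you still have to check the operating system firewall separately because `effective_allowed` requires both.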