About Security Groups

Security groups enable you to manage traffic to and from virtual machines (VMs) depending on your needs and your architecture.

Every VM, either in the public Cloud or in a Net, is created behind at least one security group to which you can add or remove rules. For more information, see About Security Group Rules.

General Information

A security group acts as a network virtual appliance for switching and firewalling that allows or denies inbound or outbound flows for one or more VMs. It therefore enables VMs to communicate with one another or with external services or devices depending on the rules you specify.

When creating a VM, you must specify one or more security groups to associate with it.

Security groups are allocated to either the public Cloud or to a specified Net.

Default security groups are provided for the public Cloud and for each of your Nets. Default security groups are named default and appear in your account.

To identify your resources more easily, you can add tags to them. For more information, see Tagging Your Resources.

If you do not want to use the default security group for your VMs, you can create your own custom ones. When creating them, you must choose between a security group for use in the public Cloud, or in a specific Net. You can create several security groups depending on the different roles of your VMs and the inbound and outbound flows they need. Each security group must have a unique name.

  • If you do not specify any security group when creating a VM, the corresponding default one is used.

  • To associate a VM with custom security groups, you need to create them beforehand.
    Cockpit lets you create one custom security group when creating a VM. For more information, see Creating VMs.

  • You can modify the security groups associated with a VM at any time.

You can add or remove rules for both default and custom security groups in order to control flows, according to your architecture and your needs.

3DS OUTSCALE assigns an ID in the sg-xxxxxxxx format to every default or custom security group you create. Custom security groups belong to you and you can delete them at any time if needed. However, you cannot delete default ones.

Security Groups for the Public Cloud

If your VM is in the public Cloud, you can only use security groups allocated to the public Cloud. When creating a VM in the public Cloud, you must specify a security group that is in the same Region as the VM.

Security groups for use in the public Cloud let you specify rules for inbound flows only, and allow all outbound flows from the VMs. As VMs in the public Cloud have a public IP, they can access the Internet.

3DS OUTSCALE provides for your account a default security group for use in the public Cloud. The initial inbound rules of this default security group only allow VMs associated with the same security group to communicate with one another, in TCP, UDP, and ICMP protocols.

Custom security groups you create for use in the public Cloud do not contain any initial inbound rules.

For more information, see About Security Group Rules.

Security Groups for Nets

If your VM is in a Net, you can only use security groups allocated to this specific Net.

Security groups in a Net act at the VM level and not at the Subnet level. They let you specify rules for both inbound and outbound flows.

When creating a Net, 3DS OUTSCALE creates a default security group for use in this Net. The initial inbound rules of these default security groups only allow VMs associated with the same security group to communicate with one another, in TCP, UDP, and ICMP protocols.

Default security groups in Nets are created with outbound rules allowing all outbound flows.

Custom security groups you create for use in a Net do not contain any initial inbound rules and contain an initial outbound rule that allows all outbound flows.

Initial outbound rules allow all outbound flows including to the Internet, but VMs cannot access the Internet until an Internet gateway is attached to the Net and the 0.0.0.0/0 CIDR is routed to the Internet gateway.

For more information, see About Security Group Rules.

Related Pages