About Security Groups

A security group acts as a network virtual appliance for switching and firewalling that allows or denies inbound or outbound flows for one or more instances. It therefore enables instances to communicate with one another or with external services or devices depending on the rules you specify.

When launching an instance, you must specify one or more security groups to associate with it.

You cannot disassociate a security group from an instance or associate other security groups with it after the instance is launched. However, you can add or remove rules at any time to modify flow controls.

Security groups are allocated to either the public Cloud or to a specified VPC.

Default security groups are provided for the public Cloud and for each of your VPCs. Default security groups are named default and appear in your account.

If you do not want to use the default security group for your instances, you can create your own custom ones. When creating them, you must choose between a security group for use in the public Cloud, or in a specific VPC. You can create several security groups depending on the different roles of your instances and the inbound and outbound flows they need. Each security group must have a unique name.

You can then add or remove rules for both default and custom security groups according to your architecture and your needs.

3DS OUTSCALE assigns an ID in the sg-xxxxxxxx format to every default or custom security group you create. Custom security groups belong to you and you can delete them at any time if needed. However, you cannot delete default ones.

If your instance is in the public Cloud, you can only use security groups allocated to the public Cloud. When launching an instance in the public Cloud, you must specify a security group that is in the same Region as the instance.

Security groups for use in the public Cloud let you specify rules for inbound flows only, and allow all outbound flows from the instances. As instances in the public Cloud have a public IP, they can access the Internet.

3DS OUTSCALE provides for your account a default security group for use in the public Cloud. The initial inbound rules of this default security group only allow instances associated with the same security group to communicate with one another, in TCP, UDP, and ICMP protocols.

Custom security groups you create for use in the public Cloud do not contain any initial inbound rules.

For more information, see About Security Group Rules.

If your instance is in a VPC, you can only use security groups allocated to this specific VPC.

Security groups in a VPC act at the instance level and not at the subnet level. They let you specify rules for both inbound and outbound flows.

When creating a VPC, 3DS OUTSCALE creates a default security group for use in this VPC. The initial inbound rules of these default security groups only allow instances associated with the same security group to communicate with one another, in TCP, UDP, and ICMP protocols.

Custom security groups you create for use in a VPC do not contain any initial inbound rules and contain an initial outbound rule that allows all outbound flows.

For more information, see About Security Group Rules.

Related Pages