Creating a Security Group

You can create custom security groups for use either in the public Cloud or in a specified Net. You then need to add appropriate rules to your security group according to your needs and your architecture.

Since it is recommended to use a VM for one service only, we recommend creating one security group per service, with the appropriate rules, and associating the security group with all VMs dedicated to this service. You can then allow inbound and outbound flows between security groups depending on which services need to communicate with one another in order to apply these rules to all the VMs concerned.

Creating a Security Group Using Cockpit v2

Before you begin:
(optional) To disable the network enhancement allowing VMs of a same Subnet to communicate with one another without security group rules required, add a tag to your Net with osc.fcu.enable_lan_security_groups as key. For more information about how to add a tag, see Adding or Removing Tags. For more information about this network enhancement, see About Nets > Subnet Routing and Security.

This tag must be added to your Net before creating Subnets into it.
The value of this tag is not taken into account, you can therefore specify any value for this tag.

In the Security Groups dashboard, click Create Security Group.
The CREATE SECURITY GROUP dialog box appears.

In the Name field, type a name for the security group.

The name must be unique in your account for the public Cloud or for each Net.
The name of the security group must not start with sg- or with a space character.
The name must contain between 1 and 255 characters. Allowed characters are a-z, A-Z, 0-9, spaces, and _.-:/()#,@[]+=&;{}!$*.

Give your security groups explicit names so that their purpose is understood more easily. You can for example use names in the application-environment-role format:

website-all-bastion
website-front-lb
website-middle-app
website-back-db

In the Description field, type a description of the security group.

The description must contain between 1 and 255 characters. Allowed characters are a-z, A-Z, 0-9, accented letters, spaces, and _.-:/()#,@[]+=&;{}!$*.
In the Net list, do one of the following:
- To create a security group for the public Cloud, select No Net in the Net list.
- To create a security group for a Net, select the corresponding Net in the Net list.
Click Create.
The security group is created.

Creating a Security Group Using OSC CLI

This tag must be added to your Net before creating Subnets into it.
The value of this tag is not taken into account, you can therefore specify any value for this tag.

The CreateSecurityGroup command creates a security group.
This action creates a security group either in the public Cloud or in a specified Net. By default, a default security group for use in the public Cloud and a default security group for use in a Net are created.
When launching a virtual machine (VM), if no security group is explicitly specified, the appropriate default security group is assigned to the VM. Default security groups include a default rule granting VMs network access to each other.
When creating a security group, you specify a name. Two security groups for use in the public Cloud or for use in a Net cannot have the same name.
You can have up to 500 security groups in the public Cloud. You can create up to 500 security groups per Net.
To add or remove rules, use the CreateSecurityGroupRule method.

For more information, see About Security Groups.

Request sample

$ osc-cli api CreateSecurityGroup --profile "default" \
    --NetId "vpc-12345678" \
    --SecurityGroupName "security-group-example" \
    --Description "Security group example"

This command contains the following attributes that you need to specify:

Description: A description for the security group.
This description can contain between 1 and 255 characters. Allowed characters are a-z, A-Z, 0-9, accented letters, spaces, and _.-:/()#,@[]+=&;{}!$*.
DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
NetId: (optional) The ID of the Net for the security group.
SecurityGroupName: The name of the security group.
This name must not start with sg-.
This name must be unique and contain between 1 and 255 characters. Allowed characters are a-z, A-Z, 0-9, spaces, and _.-:/()#,@[]+=&;{}!$*.

The CreateSecurityGroup command returns the following elements:

ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.
SecurityGroup: Information about the security group.
- AccountId: The account ID that has been granted permission.
- Description: The description of the security group.
- InboundRules: The inbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- NetId: The ID of the Net for the security group.
- OutboundRules: The outbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- SecurityGroupId: The ID of the security group.
- SecurityGroupName: The name of the security group.
- Tags: One or more tags associated with the security group.
  - Key: The key of the tag, with a minimum of 1 character.
  - Value: The value of the tag, between 0 and 255 characters.

Result sample

{
  "SecurityGroup": {
    "Tags": [],
    "SecurityGroupName": "security-group-example",
    "OutboundRules": [
      {
        "FromPortRange": -1,
        "IpProtocol": "-1",
        "ToPortRange": -1,
        "IpRanges": [
          "0.0.0.0/0"
        ]
      }
    ],
    "SecurityGroupId": "sg-12345678",
    "AccountId": "123456789012",
    "Description": "Example of security group",
    "InboundRules": [],
    "NetId": "vpc-12345678"
  },
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Creating a Security Group Using oapi-cli

This tag must be added to your Net before creating Subnets into it.
The value of this tag is not taken into account, you can therefore specify any value for this tag.

For more information, see About Security Groups.

Request sample

$ oapi-cli --profile "default" CreateSecurityGroup \
    --NetId "vpc-12345678" \
    --SecurityGroupName "security-group-example" \
    --Description "Security group example"

This command contains the following attributes that you need to specify:

Description: A description for the security group.
This description can contain between 1 and 255 characters. Allowed characters are a-z, A-Z, 0-9, accented letters, spaces, and _.-:/()#,@[]+=&;{}!$*.
DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
NetId: (optional) The ID of the Net for the security group.
SecurityGroupName: The name of the security group.
This name must not start with sg-.
This name must be unique and contain between 1 and 255 characters. Allowed characters are a-z, A-Z, 0-9, spaces, and _.-:/()#,@[]+=&;{}!$*.

The CreateSecurityGroup command returns the following elements:

ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.
SecurityGroup: Information about the security group.
- AccountId: The account ID that has been granted permission.
- Description: The description of the security group.
- InboundRules: The inbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- NetId: The ID of the Net for the security group.
- OutboundRules: The outbound rules associated with the security group.
  - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: Information about one or more source or destination security groups.
    
    AccountId: The account ID that owns the source or destination security group.
    
    SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
    
    SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- SecurityGroupId: The ID of the security group.
- SecurityGroupName: The name of the security group.
- Tags: One or more tags associated with the security group.
  - Key: The key of the tag, with a minimum of 1 character.
  - Value: The value of the tag, between 0 and 255 characters.

Result sample

{
  "SecurityGroup": {
    "Tags": [],
    "SecurityGroupName": "security-group-example",
    "OutboundRules": [
      {
        "FromPortRange": -1,
        "IpProtocol": "-1",
        "ToPortRange": -1,
        "IpRanges": [
          "0.0.0.0/0"
        ]
      }
    ],
    "SecurityGroupId": "sg-12345678",
    "AccountId": "123456789012",
    "Description": "Example of security group",
    "InboundRules": [],
    "NetId": "vpc-12345678"
  },
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Creating a Security Group Using AWS CLI

Before you begin:

Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.
(optional) To disable the network enhancement allowing VMs of a same Subnet to communicate with one another without security group rules required, add a tag to your Net with osc.fcu.enable_lan_security_groups as key. For more information about how to add a tag, see Adding or Removing Tags. For more information about this network enhancement, see About Nets > Subnet Routing and Security.
This tag must be added to your Net before creating Subnets into it.

The value of this tag is not taken into account, you can therefore specify any value for this tag.

To create a security group, use the create-security-group command following this syntax:

Request sample

$ aws ec2 create-security-group \
    --profile YOUR_PROFILE \
    --group-name my-security-group \
    --description SECURITY_GROUP_DESCRIPTION \
    --vpc-id vpc-12345678 \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following options that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
group-name: A unique name for the security group.

description: A description of the security group.

The name must be unique in your account for the public Cloud or for each VPC.
The name of the security group must not start with sg-.
Each name and description can contain between 1 and 255 characters. Allowed characters are a-z, A-Z, 0-9, spaces, and _.-:/()#,@[]+=&;{}!$*.

(optional) vpc-id: The ID of the VPC you want to create the security group for.

This option is required when creating a security group for a VPC.
endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The create-security-group command returns the following element:

GroupId: The ID of the newly created security group.

Result sample

{
    "GroupId": "sg-12345678"
}

The security group is created.

Related Pages

Corresponding API Methods

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.