Security Groups (SGs) act as the primary firewall for all zCompute resources. A default security group can be created with each VM instance you launch, or any number of custom SGs can be defined. You can also create SGs from the Security Group menu of the zCompute web console and assign them to virtual interfaces.
When an SG is assigned to an interface, or an existing SG is modified, the change applies immediately to every interface that has that SG attached.
Creating a Security Group
There are three primary ways to create SGs from the web console: when creating a new instance, from the Networks tab of an existing instance, and from the Security Groups menu.
In each case, you'll be presented with the same window:
From this screen you must give the SG a name, select which VPC this SG should be assigned to, and use the Add button to add one or more rules.
Security Group Rules
A virtual interface blocks all traffic that does not match at least one rule of an associated security group; rules only ever permit traffic, so SGs act as a passlist with an implicit deny, and when multiple SGs are attached to a single interface their rules are aggregated into a single passlist. These rules are applied after the Source/Destination Check for a given interface.
Each rule can be configured to match on the following fields:
- IP version
  - IPv4
  - IPv6
- Traffic direction
  - Ingress
  - Egress
- Protocol
  - Any
  - ICMP
  - TCP
  - UDP
- Start port and End port (for TCP and UDP)
- Type and Code (for ICMP)
- Host
  - Any
    - for ingress, matches packets from any source
    - for egress, matches packets to any destination
  - Group
    - for ingress, matches packets from zCompute virtual interfaces which have the specified Security Group attached
    - for egress, matches packets to zCompute virtual interfaces which have the specified Security Group attached
  - Subnet
    - for ingress, matches packets from the specified subnet/host
    - for egress, matches packets to the specified subnet/host
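The following is an added, illustrative model of the semantics described above (passlist with implicit deny, aggregation of all attached SGs into one passlist, and Any/Group/Subnet host matching); it is not zCompute code and uses constructed sample interfaces and addresses. It assumes that the Start/End port range applies to the destination port of the packet, and it does not model connection tracking or the Source/Destination Check, which the page does not specify.

```python
"""Illustrative model of zCompute Security Group evaluation (added example,
not zCompute code). Every rule is a match-only passlist entry; all SGs
attached to an interface contribute to one aggregated passlist; a packet
that matches no rule is dropped (implicit deny)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    ip_version: int                          # 4 or 6
    direction: str                           # "ingress" or "egress"
    protocol: str                            # "any", "icmp", "tcp", "udp"
    port_range: Optional[tuple] = None       # (start, end) for tcp/udp; None = all ports
    icmp_type_code: Optional[tuple] = None   # (type, code) for icmp; None = any type/code
    host_kind: str = "any"                   # "any", "group" or "subnet"
    host: Optional[str] = None               # SG name for "group", CIDR or host for "subnet"


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Interface:
    name: str
    address: str
    groups: list = field(default_factory=list)   # attached SecurityGroups


@dataclass(frozen=True)
class Packet:
    direction: str                  # relative to the interface being evaluated
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None  # assumption: port rules match the destination port
    icmp_type_code: Optional[tuple] = None


def _peer(pkt: Packet) -> str:
    """The remote end: the source for ingress, the destination for egress."""
    return pkt.src if pkt.direction == "ingress" else pkt.dst


def _host_matches(rule: Rule, peer, inventory: list) -> bool:
    if rule.host_kind == "any":
        return True
    if rule.host_kind == "subnet":
        return peer in ip_network(rule.host, strict=False)
    if rule.host_kind == "group":
        # Group: the peer must be a zCompute interface that has the named SG attached.
        return any(ip_address(i.address) == peer and any(g.name == rule.host for g in i.groups)
                   for i in inventory)
    return False


def rule_matches(rule: Rule, pkt: Packet, inventory: list) -> bool:
    peer = ip_address(_peer(pkt))
    if rule.direction != pkt.direction or rule.ip_version != peer.version:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("tcp", "udp") and rule.port_range is not None:
        lo, hi = rule.port_range
        if pkt.dst_port is None or not lo <= pkt.dst_port <= hi:
            return False
    if rule.protocol == "icmp" and rule.icmp_type_code is not None:
        if pkt.icmp_type_code != rule.icmp_type_code:
            return False
    return _host_matches(rule, peer, inventory)


def aggregated_passlist(interface: Interface) -> list:
    """All rules of every attached SG form the single passlist the interface enforces."""
    return [r for sg in interface.groups for r in sg.rules]


def is_allowed(interface: Interface, pkt: Packet, inventory: list) -> bool:
    """Implicit deny: the packet passes only if some aggregated rule matches it."""
    return any(rule_matches(r, pkt, inventory) for r in aggregated_passlist(interface))


# Constructed sample inventory (hypothetical names and addresses).
web_sg = SecurityGroup("web", [
    Rule(4, "ingress", "tcp", port_range=(443, 443), host_kind="any"),
    Rule(4, "egress", "any", host_kind="any"),
])
db_sg = SecurityGroup("db", [
    Rule(4, "ingress", "tcp", port_range=(5432, 5432), host_kind="group", host="web"),
    Rule(4, "ingress", "icmp", icmp_type_code=(8, 0), host_kind="subnet", host="10.0.0.0/24"),
])
ops_sg = SecurityGroup("ops", [
    Rule(4, "ingress", "tcp", port_range=(22, 22), host_kind="subnet", host="10.0.0.0/24"),
])
web = Interface("web-eth0", "10.0.0.10", [web_sg])
db = Interface("db-eth0", "10.0.1.20", [db_sg])
db_with_ops = Interface("db-eth0", "10.0.1.20", [db_sg, ops_sg])  # same interface, second SG attached
INVENTORY = [web, db]


def demo() -> dict:
    ssh_to_db = Packet("ingress", "tcp", "10.0.0.99", "10.0.1.20", dst_port=22)
    return {
        "web_https_in": is_allowed(web, Packet("ingress", "tcp", "203.0.113.5", "10.0.0.10", dst_port=443), INVENTORY),
        "web_ssh_in": is_allowed(web, Packet("ingress", "tcp", "203.0.113.5", "10.0.0.10", dst_port=22), INVENTORY),
        "db_pg_from_web": is_allowed(db, Packet("ingress", "tcp", "10.0.0.10", "10.0.1.20", dst_port=5432), INVENTORY),
        "db_pg_from_stranger": is_allowed(db, Packet("ingress", "tcp", "10.0.0.99", "10.0.1.20", dst_port=5432), INVENTORY),
        "db_ping_from_subnet": is_allowed(db, Packet("ingress", "icmp", "10.0.0.99", "10.0.1.20", icmp_type_code=(8, 0)), INVENTORY),
        "db_egress_no_rule": is_allowed(db, Packet("egress", "tcp", "10.0.1.20", "10.0.0.10", dst_port=443), INVENTORY),
        "db_ssh_without_ops": is_allowed(db, ssh_to_db, INVENTORY),
        "db_ssh_with_ops": is_allowed(db_with_ops, ssh_to_db, INVENTORY),
    }
```

The "db_pg_from_stranger" case shows the difference between Group and Subnet matching: a host inside the same subnet but without the "web" SG attached is denied by the Group rule, while the Subnet rule admits any address in the range. The two SSH cases show aggregation: attaching a second SG widens the passlist without touching the first.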
Editing a Security Group
Security groups can be reviewed by clicking on them either in the Security Group menu or in the Networks tab of a VM Instance.
From there you will be presented with the options to edit, detach, or delete the SG.