What is Security Group?

A security group provides security control services for VM instances on the L3 network. It filters the ingress or egress TCP, UDP, and ICMP packets of specified VM instances in specified networks based on the specified security rules.

Characteristics

  • A security group rule can be categorized into the following two types based on the packet flow direction:
    • Ingress: indicates data packets that flow into a VM instance.
    • Egress: indicates data packets that are sent from a VM instance.
  • Security group rules support the following communication protocols:
    • ALL: indicates all types of protocols. If you select ALL, you cannot specify a port.
    • TCP: allows you to specify a port that ranges from 1 to 65535.
    • UDP: allows you to specify a port that ranges from 1 to 65535.
    • ICMP: start port and end port defaulted to -1. This protocol indicates all ICMP messages are supported.
  • You can specify data sources in a security group rule to limit data access:
    • If you specify a CIDR block, only the ingress data from the CIDR block or egress data to the CIDR block is allowed.
    • If you specify a security group, only the ingress data from the security group or egress data to the security group is allowed.
    Note: If you specify both a CIDR block and a security group, only the ingress data from the intersection of the security group and CIDR block or egress data to the intersection of the security group and CIDR block is allowed.
Figure 1. Security Group


Considerations

  • You can assign a security group to one or more VM instances. These VM instances share the same security group rules.
  • You can associate a security group with one or more L3 networks. These L3 networks share the same security group rules.
  • Security groups apply the whitelist mechanism. Only the traffic that follows the created rules is allowed to reach the specified ports.
  • When you create a security group, the system automatically configures two rules (an ingress rule and an egress rule whose protocol types are both ALL) for communications of VM instances in the security group. You can delete these two default rules to cancel the intra-group communication.
  • When you create a security group, if you do not set a rule, ingress traffic is not allowed to access VM instances in the security group. However, egress traffic from VM instances in the security group is allowed.
  • If you use a security group along with other network services, such as load balancing and vRouter table, make sure that the security group rules required by these network services are added to the security group.
  • Public networks, flat networks, and VPC networks support the security group service. It is provided by the security group network service module, which uses iptables to implement security control.
  • A security group is a distributed firewall. Each security rule change, NIC association or disassociation will cause the security group rule to be updated on all associated VM instances.