Security Group Functions

Security group functions allow you to define and configure groups of rule settings in order to perform packet filtering on ports that are connected to virtual servers.

You can set multiple rules in a security group. Packets that match one of the rules in a security group that is set on a port are allowed, and all other packets are blocked. (whitelist method, OR condition)

Note: You cannot set a security group on a port of a virtual router or a DHCP server.

Creating a Security Group

The default security group, which automatically blocks communication, is set on the port. Create a security group and configure rules that allow communication as necessary.

To create a security group, specify the following items.

Table 1. List of Security Group Settings
Item Description Required
Security Group Name Specify a name that identifies the security group.  
Description Enter a description of the security group to be created.  

Default Rules

The default rules when a security group is created are shown below.

Table 2. Default Rules When a Security Group Is Created
Direction Communication Partner Protocol IP Version
Outbound (Egress) All All IPv4
Outbound (Egress) All All IPv6

Creating a Rule

Rules for performing packet filtering consist of the following items. You can register multiple rules in a single security group.

Tip: For communication between virtual servers where both can use the security group functions, in general we recommend using the security group ID to specify the communication partner.

To create a rule, specify the following items.

Table 3. List of Security Group Rule Settings
Item Description Required
Security Group ID Specify the ID of the security group in which you will register the rule. Yes
Communication Direction Specify either inbound (Ingress) or outbound (Egress). Yes
IP Version Specify IPv4.  
Communication Partner

For inbound, specify the sender. For outbound, specify the destination. Use either of the following:

  • IP address in CIDR notation

  • Security group

    Note:

    When a security group is specified, the following is set for the communication partner.

    • The IP address that is set for the specified security group

      However, when "Allowed Address Pairs" are configured for a port, the IP addresses specified as the address pair are also set as the communication partner.

  
Protocol Information

Specify one of the following:

  • tcp
  • udp
  • icmp
 Yes
Starting Port No.

Specify the starting port number that is appropriate for the protocol information.

Tip: If you want to use a single port, specify the same value for the starting port number and the ending port number.
Warning: If you specify 0 for the starting port number, communication will be allowed on all ports. Therefore, do not specify 0.
  
Ending Port No. Specify the ending port number that is appropriate for the protocol information.  
Availability Zone Name Specify the availability zone where rules will be created. If this setting is omitted, the default availability zone will be used.  

Figure: Example of Configuring Security Group Rules

Default Security Group

If you omit security group settings when creating a port, the default security group created in the project will be set automatically.

Tip: The security group name for the default security group is "default."

The initial rule settings for the default security group are shown below.

Tip: You can add rules to the default security group.
Table 4. Default Security Group Rules
Direction Communication Partner Protocol IP Version
Egress All All IPv4
Ingress Own security group All IPv4