Security Groups
Security groups control network traffic to and from your VMs. Each security group contains one or more rules that specify which traffic is allowed. For example, a rule might allow all TCP traffic from a specific CIDR range, or UDP traffic from VMs in another security group.
Security groups use a default-deny model: any traffic not explicitly allowed by a rule is blocked. For example, if a security group has no rule allowing ICMP traffic, VMs in that group won't respond to ping.
How security groups work
A VM can belong to multiple security groups, and each security group can contain multiple VMs. When a VM belongs to multiple security groups, traffic is allowed if it matches any rule from any of the VM's security groups (the union of all rules). Because rules only ever allow traffic, adding a group to a VM can widen what it accepts but never narrows it. You can add VMs to security groups when creating them or afterward. Changes to security group membership take effect immediately without requiring a VM restart.
VMs without explicitly assigned security groups are automatically added to default-allow-egress, which allows all outbound traffic but blocks all inbound traffic. To allow VMs to communicate with each other, create a custom security group with appropriate rules.
To allow inbound internet traffic to a VM with a Public IP, create custom security groups with rules that permit the desired traffic. Once you assign custom security groups to a VM, the default security group no longer applies, so if the VM still needs outbound access, the custom groups must include an egress rule for it; otherwise the default-deny model blocks that traffic too.
Security group rules
Security group rules allow you to control traffic based on:
- Direction (ingress or egress)
- Protocol ("TCP", "UDP", "ICMP", or "All")
- Port or port range (e.g. 80, 443, or 1000-1100)
- Ports and port ranges are only supported when the protocol is "TCP" or "UDP"; they are explicitly disallowed when the protocol is "All" or "ICMP"
- The traffic's origin or destination (see below)
Filtering by source or destination
Each rule specifies a remote that defines the source (for ingress rules) or destination (for egress rules) of allowed traffic. You can filter traffic using one of three methods:
IP address or CIDR block: Allow traffic to or from a specific IP address or range. Use 0.0.0.0/0 to allow traffic from any IPv4 address; in an ingress rule that means the whole internet, so pair it only with the ports a service must expose.

```yaml
remote:
  address:
    IPAddressOrCIDR: 10.0.0.0/24
```
Security group reference: Allow traffic to or from VMs that belong to a specific security group. This is useful for rules that should apply regardless of the VMs' IP addresses, such as allowing communication between application tiers.
```yaml
remote:
  securityGroupRef:
    name: app-tier-sg
```
Subnet reference: Allow traffic to or from all addresses in a specific subnet. This is useful when you want to permit traffic based on network topology rather than individual IP addresses or security group membership.
```yaml
remote:
  subnetRef:
    name: backend-subnet
```
Additional considerations
- Security groups are stateful: they automatically allow the return traffic for any connection allowed by a rule, so only the direction that initiates a connection needs a rule
- Traffic between VMs in the same security group isn't allowed by default; membership alone grants nothing. Add explicit rules to allow VM-to-VM communication within a security group, for example an ingress rule whose securityGroupRef names that same group
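The following is an added example, not evroc's implementation or API: a small Python model of the semantics described above (default deny, union of rules across a VM's groups, the three remote forms, the port constraint for "All" and "ICMP", stateful return traffic, and the fact that same-group membership grants nothing). The `remote` shape copies this page's snippets; the field names `direction`, `protocol` and `port`, the `VM` and `Network` records, and the three-tier scenario with its IP addresses are assumptions made for the illustration.

```python
"""Model of the security-group semantics described on this page.

Added example, not evroc's implementation. The `remote` shape copies the page's
snippets (address / securityGroupRef / subnetRef); the field names direction,
protocol and port, and the VM/subnet records, are assumptions for the illustration.
"""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

REMOTE_KINDS = {"address", "securityGroupRef", "subnetRef"}


@dataclass
class Rule:
    direction: str              # "ingress" or "egress"
    protocol: str               # "TCP", "UDP", "ICMP" or "All"
    remote: dict                # exactly one of the page's three remote forms
    port: Optional[str] = None  # "80" or "1000-1100"; TCP/UDP only

    def __post_init__(self):
        if self.direction not in ("ingress", "egress") or self.protocol not in ("TCP", "UDP", "ICMP", "All"):
            raise ValueError(f"bad direction/protocol {self.direction}/{self.protocol}")
        # Page constraint: ports are supported for TCP/UDP and disallowed for All/ICMP.
        if self.port is not None and self.protocol not in ("TCP", "UDP"):
            raise ValueError(f"port not allowed with protocol {self.protocol}")
        if len(self.remote) != 1 or not set(self.remote) <= REMOTE_KINDS:
            raise ValueError("remote must be exactly one of " + ", ".join(sorted(REMOTE_KINDS)))

    def port_range(self):
        lo, _, hi = (self.port or "0-65535").partition("-")
        return int(lo), int(hi or lo)


# A VM record and the whole network (sample schema, not evroc's API).
VM = namedtuple("VM", "name ip subnet groups")         # groups: [] => default-allow-egress
Network = namedtuple("Network", "groups subnets vms")  # name->rules, name->CIDR, name->VM

# The page's default-allow-egress group: all outbound, nothing inbound.
DEFAULT_ALLOW_EGRESS = [Rule("egress", "All", {"address": {"IPAddressOrCIDR": "0.0.0.0/0"}})]


def effective_rules(net, vm):
    """Union of the rules of every group the VM belongs to (allow-only, so order is irrelevant)."""
    return DEFAULT_ALLOW_EGRESS if not vm.groups else [r for g in vm.groups for r in net.groups[g]]


def remote_matches(net, remote, peer_ip):
    (kind, spec), = remote.items()
    addr = ip_address(peer_ip)
    if kind == "address":
        return addr in ip_network(spec["IPAddressOrCIDR"], strict=False)
    if kind == "subnetRef":
        return addr in ip_network(net.subnets[spec["name"]])
    # securityGroupRef: the peer must be a VM that is currently a member of that group.
    return any(spec["name"] in v.groups and ip_address(v.ip) == addr for v in net.vms.values())


def allowed(net, vm, direction, protocol, peer_ip, port=None):
    """Default deny: True only if some rule of some group of the VM matches the packet."""
    if protocol in ("TCP", "UDP") and port is None:
        raise ValueError("TCP/UDP traffic needs a destination port")
    for rule in effective_rules(net, vm):
        if rule.direction != direction or rule.protocol not in ("All", protocol):
            continue
        if protocol in ("TCP", "UDP"):
            lo, hi = rule.port_range()
            if not lo <= port <= hi:
                continue
        if remote_matches(net, rule.remote, peer_ip):
            return True
    return False


def connection_allowed(net, src, dst, protocol, dst_port=None):
    """Can src open a connection to dst? src/dst are VM names or external IP strings.

    Groups are stateful, so only the initiating packet is checked: egress on the
    source VM and ingress on the destination VM. The reply needs no rule.
    """
    src_vm, dst_vm = net.vms.get(src), net.vms.get(dst)
    src_ip, dst_ip = (src_vm.ip if src_vm else src), (dst_vm.ip if dst_vm else dst)
    if src_vm and not allowed(net, src_vm, "egress", protocol, dst_ip, dst_port):
        return False
    return not dst_vm or allowed(net, dst_vm, "ingress", protocol, src_ip, dst_port)


def example_network():
    """Constructed three-tier scenario (sample data, not real infrastructure)."""
    any4 = {"address": {"IPAddressOrCIDR": "0.0.0.0/0"}}
    groups = {
        "web-sg": [Rule("ingress", "TCP", any4, "443"), Rule("ingress", "ICMP", any4),
                   Rule("egress", "TCP", {"securityGroupRef": {"name": "app-tier-sg"}}, "8080")],
        "app-tier-sg": [Rule("ingress", "TCP", {"securityGroupRef": {"name": "web-sg"}}, "8080"),
                        Rule("egress", "TCP", {"subnetRef": {"name": "backend-subnet"}}, "5432")],
        "db-sg": [Rule("ingress", "TCP", {"subnetRef": {"name": "backend-subnet"}}, "5432")],
    }
    subnets = {"frontend-subnet": "10.0.0.0/24", "backend-subnet": "10.0.1.0/24"}
    vms = {n: VM(n, ip, sn, g) for n, ip, sn, g in [
        ("web", "10.0.0.10", "frontend-subnet", ["web-sg"]),
        ("app1", "10.0.1.20", "backend-subnet", ["app-tier-sg"]),
        ("app2", "10.0.1.21", "backend-subnet", ["app-tier-sg"]),
        ("db", "10.0.1.30", "backend-subnet", ["db-sg"]),
        ("orphan", "10.0.0.99", "frontend-subnet", []),   # no groups => default-allow-egress
    ]}
    return Network(groups, subnets, vms)
```

Two results from `example_network()` are worth checking by hand: `connection_allowed(net, "app1", "app2", "TCP", 8080)` is False even though both VMs are in app-tier-sg, because that group only admits ingress from web-sg members; and `connection_allowed(net, "web", "203.0.113.5", "TCP", 443)` is False because web-sg replaced default-allow-egress and carries no egress rule to the internet.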
Default security groups
Each project includes three preconfigured security groups:
default-allow-egress (VMs may join automatically)
- Allows all outbound traffic from VMs to the internet
- Blocks all inbound traffic from external sources
VMs are automatically added to this security group unless you specify different security groups when creating the VM. This group doesn't allow VMs to communicate with each other.
default-allow-web-protocols (VMs must join explicitly)
- Allows HTTP traffic (TCP port 80) from any IP address
- Allows HTTPS traffic (TCP port 443) from any IP address
Add VMs to this group if they serve web traffic and need to accept HTTP/HTTPS connections from the internet. This group doesn't allow general inter-VM communication—to allow VMs to communicate with each other, create a custom security group with appropriate rules.
default-allow-ssh (VMs must join explicitly)
- Allows SSH access (port 22) from any IP address (0.0.0.0/0)
This security group provides a convenient way to enable SSH access without creating custom rules. It must be explicitly added to VMs that need SSH access from the internet. You can add it when creating a VM or update an existing VM to include it. Because it accepts connections from every IPv4 address, prefer a custom group whose address remote is limited to your administrative ranges for long-lived access, and reserve this group for short-lived troubleshooting.
Protocol support
The evroc compute service supports all IP-based protocols, including "IP in IP" and "SCTP". To allow these protocols, use the protocol type "All" in your security group rules.
This is particularly important for overlay networks like Calico that use IP-in-IP encapsulation. If your security group rules only allow TCP and UDP, IP-in-IP traffic will be blocked. Note that "All" also opens every port of every protocol from the rule's remote, so scope such a rule to the peers that actually need it (for example a securityGroupRef to the cluster nodes' group) rather than to 0.0.0.0/0.
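As an added example (not an evroc tool), the following Python checker applies the points made for default-allow-ssh above and for protocol support here to a list of rules: it rejects a port on an "All" or "ICMP" rule (the page's constraint), flags SSH or an "All" rule reachable from 0.0.0.0/0, and reports when a workload that needs a protocol other than TCP, UDP or ICMP (IP-in-IP for Calico) has no "All" ingress rule. Rules are plain dicts whose `remote` follows this page's snippets; the keys `direction`, `protocol` and `port`, the group name `k8s-nodes` and the sample rule sets are assumptions made for the illustration.

```python
"""Static checks over a list of security-group rules.

Added example, not an evroc tool. Each rule is a dict whose `remote` follows
the page's snippets; the keys direction, protocol and port are assumed names
for the fields the page describes.
"""
ANY_V4 = "0.0.0.0/0"
PORTED = ("TCP", "UDP")  # the only protocols that accept a port (page constraint)


def port_range(port):
    """'80' -> (80, 80); '1000-1100' -> (1000, 1100); None -> every port."""
    lo, _, hi = str("0-65535" if port is None else port).partition("-")
    return int(lo), int(hi or lo)


def from_anywhere(rule):
    return rule["remote"].get("address", {}).get("IPAddressOrCIDR") == ANY_V4


def audit(rules, overlay_protocols=()):
    """Return a list of (severity, message) findings.

    overlay_protocols: names of protocols other than TCP/UDP/ICMP that the
    workload needs (e.g. "IP-in-IP" for Calico); only an "All" rule carries them.
    """
    findings = []
    for i, r in enumerate(rules):
        proto, port, direction = r["protocol"], r.get("port"), r["direction"]
        if port is not None and proto not in PORTED:
            findings.append(("error", f"rule {i}: port {port} is not allowed with protocol {proto}"))
            continue
        if direction != "ingress" or not from_anywhere(r):
            continue  # egress rules and scoped sources are not flagged here
        lo, hi = port_range(port)
        if proto == "All":
            findings.append(("high", f"rule {i}: every protocol and port is open to {ANY_V4}"))
        elif proto == "TCP" and lo <= 22 <= hi:
            findings.append(("medium", f"rule {i}: SSH (TCP 22) reachable from {ANY_V4}; narrow the source"))
    unreachable = [p for p in overlay_protocols if p not in ("TCP", "UDP", "ICMP")]
    if unreachable and not any(r["protocol"] == "All" and r["direction"] == "ingress" for r in rules):
        findings.append(("high", "no ingress rule with protocol All; "
                                 f"{', '.join(unreachable)} traffic between nodes will be blocked"))
    return findings


# Constructed rule sets for the checks above (sample data, not real policy).
ANY = {"address": {"IPAddressOrCIDR": ANY_V4}}
NODES = {"securityGroupRef": {"name": "k8s-nodes"}}  # hypothetical group of cluster nodes
DEFAULT_ALLOW_SSH = [{"direction": "ingress", "protocol": "TCP", "port": "22", "remote": ANY}]
CALICO_TCP_UDP_ONLY = [{"direction": "ingress", "protocol": "TCP", "port": "1-65535", "remote": NODES},
                       {"direction": "ingress", "protocol": "UDP", "port": "1-65535", "remote": NODES}]
CALICO_ALL_SCOPED = [{"direction": "ingress", "protocol": "All", "remote": NODES},
                     {"direction": "egress", "protocol": "All", "remote": NODES}]
WIDE_OPEN = [{"direction": "ingress", "protocol": "All", "remote": ANY}]
INVALID = [{"direction": "ingress", "protocol": "ICMP", "port": "8", "remote": ANY}]

if __name__ == "__main__":
    for name, rules in [("default-allow-ssh", DEFAULT_ALLOW_SSH), ("calico tcp/udp only", CALICO_TCP_UDP_ONLY),
                        ("calico all, scoped", CALICO_ALL_SCOPED), ("wide open", WIDE_OPEN), ("invalid", INVALID)]:
        print(name, audit(rules, overlay_protocols=("IP-in-IP",)))
```

`CALICO_TCP_UDP_ONLY` shows the failure mode described above: even with every TCP and UDP port open between the nodes, the checker reports that IP-in-IP will be blocked, while `CALICO_ALL_SCOPED` passes cleanly because "All" is limited to the nodes' own group rather than to 0.0.0.0/0.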
Next steps
- Learn about the Default Networking Setup
- Learn about Virtual Private Clouds (VPCs) and Subnets
- Learn how to manage Public IPs for internet access to your VMs
- See how to configure security groups