Security Groups
Security groups control network traffic to and from your VMs. Each security group contains one or more rules that specify which traffic is allowed. For example, a rule might allow all TCP traffic from a specific CIDR range, or UDP traffic from VMs in another security group.
Security groups use a default-deny model: any traffic not explicitly allowed by a rule is blocked. For example, if a security group has no rule allowing ICMP traffic, VMs in that group won't respond to ping.
How security groups work
A VM can belong to multiple security groups, and each security group can contain multiple VMs. When a VM belongs to multiple security groups, traffic is allowed if it matches any rule from any of the VM's security groups (union of all rules). You can add VMs to security groups when creating them or afterward. Changes to security group membership take effect immediately without requiring a VM restart.
VMs without explicitly assigned security groups will not have connectivity. To allow VMs to communicate with each other, create a custom security group with appropriate rules.
To allow inbound internet traffic to a VM with a Public IP, create custom security groups with rules that permit the desired traffic. Once you assign custom security groups to a VM, the default security group no longer applies.
Security group rules
Security group rules allow you to control traffic based on:
- Direction (ingress or egress)
- Protocol ("TCP", "UDP", "ICMP", or "All")
- Port or port range (e.g. 80, 443, or 1000-1100)
- Ports and port ranges are only supported when the protocol is "TCP" or "UDP", and are explicitly disallowed when the protocol is "All" or "ICMP".
- The traffic's origin or destination (see below)
A security group can have a maximum of 50 rules on it.
Filtering by source or destination
Each rule specifies a remote that defines the source (for ingress rules) or destination (for egress rules) of allowed traffic. You can filter traffic using one of three methods:
IP address or CIDR block: Allow traffic to or from a specific IP address or range. Use 0.0.0.0/0 to allow traffic from any IPv4 address, or ::/0 to allow traffic from any IPv6 address.
remote:
  address:
    ipAddressOrCIDR: 10.0.0.0/24
A rule that specifies an IPv4 CIDR only applies to IPv4 traffic, and a rule that specifies an IPv6 CIDR only applies to IPv6 traffic. If you need to allow the same traffic for both protocols, create separate rules.
Security group reference: Allow traffic to or from VMs that belong to a specific security group. This is useful for rules that should apply regardless of the VMs' IP addresses, such as allowing communication between application tiers.
remote:
  securityGroupRef:
    name: app-tier-sg
Subnet reference: Allow traffic to or from all addresses in a specific subnet. This is useful when you want to permit traffic based on network topology rather than individual IP addresses or security group membership.
remote:
  subnetRef:
    name: backend-subnet
Additional considerations
- Security groups are stateful - they automatically allow return traffic for any connection allowed by a rule
- Traffic between VMs in the same security group isn't allowed by default. Add explicit rules to allow VM-to-VM communication within a security group
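As an added illustration (not part of the evroc documentation or service code), the following Python evaluator applies the semantics described in the sections above: default deny, union of rules across all of a VM's security groups, CIDR remotes matching only their own IP family, and ports permitted only on TCP/UDP rules. The Rule class, function names and sample groups are assumptions constructed for this example; only the CIDR remote kind is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule model mirroring the fields the page lists: direction,
# protocol, port range and a CIDR remote. securityGroupRef/subnetRef remotes
# are not modelled because evaluating them needs group/subnet membership data.
@dataclass
class Rule:
    direction: str                           # "ingress" or "egress"
    protocol: str                            # "TCP", "UDP", "ICMP" or "All"
    cidr: str                                # remote.address.ipAddressOrCIDR
    ports: Optional[Tuple[int, int]] = None  # (low, high); TCP/UDP only

def validate(rules: List[Rule]) -> List[str]:
    """Return the page's stated constraints that this rule list violates."""
    errors = []
    if len(rules) > 50:
        errors.append("a security group can have at most 50 rules")
    for r in rules:
        if r.ports is not None and r.protocol not in ("TCP", "UDP"):
            errors.append(f"ports are not allowed with protocol {r.protocol}")
    return errors

def rule_matches(rule: Rule, direction, protocol, port, remote_ip) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol != "All" and rule.protocol != protocol:
        return False
    net = ipaddress.ip_network(rule.cidr)
    addr = ipaddress.ip_address(remote_ip)
    # An IPv4 CIDR never matches IPv6 traffic and vice versa (separate rules needed).
    if addr.version != net.version or addr not in net:
        return False
    if rule.ports is not None:
        return port is not None and rule.ports[0] <= port <= rule.ports[1]
    return True

def is_allowed(groups: List[List[Rule]], direction, protocol, port, remote_ip) -> bool:
    """Default deny: allowed only if some rule in any of the VM's groups matches (union)."""
    problems = [e for rules in groups for e in validate(rules)]
    if problems:
        raise ValueError("; ".join(problems))
    return any(rule_matches(r, direction, protocol, port, remote_ip)
               for rules in groups for r in rules)

# Constructed sample groups modelled on default-allow-web-protocols and default-allow-egress.
WEB_SG = [Rule("ingress", "TCP", "0.0.0.0/0", (80, 80)), Rule("ingress", "TCP", "0.0.0.0/0", (443, 443)),
          Rule("ingress", "TCP", "::/0", (80, 80)), Rule("ingress", "TCP", "::/0", (443, 443))]
EGRESS_SG = [Rule("egress", "All", "0.0.0.0/0"), Rule("egress", "All", "::/0")]
```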
Default security groups
Each project is created with four preconfigured security groups:
default-allow-egress
- Allows all outbound traffic from VMs to the internet (both IPv4 and IPv6)
VMs are automatically added to this security group unless you specify different security groups when creating the VM. This group doesn't allow VMs to communicate with each other.
default-allow-intra-vpc
- Allows all inbound and outbound traffic from IP addresses which are part of the default VPC.
This group allows general inter-VM communication for VMs which are attached to Subnets within the default VPC.
default-allow-web-protocols
- Allows HTTP traffic (TCP port 80) from any IP address
- Allows HTTPS traffic (TCP port 443) from any IP address
Rules cover both IPv4 and IPv6 traffic. Add VMs to this group if they serve web traffic and need to accept HTTP/HTTPS connections from the internet. This group doesn't allow general inter-VM communication—to allow VMs to communicate with each other, create a custom security group with appropriate rules.
default-allow-ssh
- Allows SSH access (port 22) from any IP address
Rules cover both IPv4 and IPv6 traffic. This security group provides a convenient way to enable SSH access without creating custom rules. It must be explicitly added to VMs that need SSH access from the internet. You can add it when creating a VM or update an existing VM to include it.
Note: In API versions prior to v1beta2, the default-allow-egress security group must exist, as it is automatically applied to VMs when no other security groups are specified. If you need to recover this security group, see the security group guide.
Protocol support
The evroc compute service supports all IP-based protocols, including "IP in IP" and "SCTP". To allow these protocols, use the protocol type "All" in your security group rules.
This is particularly important for overlay networks like Calico that use IP-in-IP encapsulation. If your security group rules only allow TCP and UDP, IP-in-IP traffic will be blocked.
Next steps
- Learn about the Default Networking Setup
- Learn about Virtual Private Clouds (VPCs) and Subnets
- Learn how to manage Public IPs for internet access to your VMs
- See how to configure security groups