Configure security groups

This guide shows you how to create and manage security groups and their rules using the evroc CLI.

For information about security groups and how they work, see Security Groups.

Prerequisites

  • Access to an evroc organization and project
  • evroc CLI installed and configured

Using default security groups for SSH access

Each project includes a default-allow-ssh security group that allows SSH access from any IP address. This provides a convenient way to enable SSH access without creating custom rules.

Add this security group to a VM when creating it or via update:

evroc compute virtualmachine update myvm --append --security-group=default-allow-ssh

Note: Without the --append flag, the update command replaces all existing security groups. Use --append to add a security group while keeping the existing ones.

For more information about default security groups, see Security Groups.

Create a security group

Create a security group to control network traffic to and from your virtual machines:

evroc networking securitygroup create my-sg

See Create a Security Group in the API reference.

Add a rule to a security group

Add rules to allow or restrict specific network traffic.

Add an ingress rule to allow SSH access from anywhere:

evroc networking securitygroup addrule my-sg \
  --name=allow-ssh-from-anywhere \
  --direction=Ingress \
  --remote-ip=0.0.0.0/0 \
  --port=22 \
  --protocol=TCP

Add an ingress rule to allow HTTPS access from a specific CIDR range:

evroc networking securitygroup addrule my-sg \
  --name=allow-https-from-office \
  --direction=Ingress \
  --remote-ip=203.0.113.0/24 \
  --port=443 \
  --protocol=TCP
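
The following is an added example, not part of the evroc CLI or its documentation: a pre-flight check that parses addrule command lines like the two above and reports ingress rules whose --remote-ip covers every address. It assumes the --flag=value form shown in this guide; the function names and the SAMPLE input are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed input: the two addrule commands from this guide, as in a script.
SAMPLE = r"""
evroc networking securitygroup addrule my-sg \
  --name=allow-ssh-from-anywhere \
  --direction=Ingress \
  --remote-ip=0.0.0.0/0 \
  --port=22 \
  --protocol=TCP
evroc networking securitygroup addrule my-sg \
  --name=allow-https-from-office \
  --direction=Ingress \
  --remote-ip=203.0.113.0/24 \
  --port=443 \
  --protocol=TCP
"""

def parse_addrule(script):
    """Return one dict per addrule command, keyed by flag name."""
    rules = []
    for line in script.replace("\\\n", " ").splitlines():  # join continuations
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 5 or tokens[:4] != ["evroc", "networking", "securitygroup", "addrule"]:
            continue
        flags = [t[2:].split("=", 1) for t in tokens[5:]
                 if t.startswith("--") and "=" in t]
        rules.append({"group": tokens[4], **dict(flags)})
    return rules

def world_open_ingress(rules):
    """Return ingress rules whose --remote-ip covers every address (/0)."""
    findings = []
    for rule in rules:
        if rule.get("direction", "").lower() != "ingress":
            continue
        try:
            net = ipaddress.ip_network(rule.get("remote-ip", ""), strict=False)
        except ValueError:
            continue  # missing or non-CIDR value: nothing to evaluate here
        if net.prefixlen == 0:
            findings.append(rule)
    return findings

if __name__ == "__main__":
    for r in world_open_ingress(parse_addrule(SAMPLE)):
        print(f"{r['group']}/{r.get('name')}: {r.get('protocol')}/{r.get('port')} open to {r['remote-ip']}")
```

Run against the sample, it reports only allow-ssh-from-anywhere; the /24 office rule passes.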

Attach a security group to a VM

Add a virtual machine to a security group to apply the group's rules to the VM's network traffic.

When you update a VM's security groups without the --append flag, the list you pass replaces the existing one, so you must specify the complete list of security groups the VM should belong to. For example, if a VM is in default-allow-egress and allow-https, and you want to add allow-ssh, specify all three groups:

evroc compute virtualmachine update myvm \
  --security-group=default-allow-egress \
  --security-group=allow-https \
  --security-group=allow-ssh

Remove a rule from a security group

Remove a rule by name:

evroc networking securitygroup removerule my-sg --name=allow-ssh-from-anywhere

List security groups

List all security groups in your project:

evroc networking securitygroup list

Use evroc networking securitygroup get <name> for detailed information about a specific security group.

See List Security Groups in the API reference.

Delete a security group

Delete security groups you no longer need. You can delete a security group only when it is not attached to any virtual machines.

evroc networking securitygroup delete my-sg

See Delete a Security Group in the API reference.
