
Adding a new rule to a security group

Written by Yandex Cloud, improved by Basil K. Updated on April 22, 2025.

You do not need to restart a VM when adding or deleting rules: a changed rule set is applied at the same time to every resource associated with the group.

Management console

To add a rule:

  1. In the management console, go to the folder where you need to change the security group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. In the row of the security group you want to add a rule to, open the row's menu and select Edit.

  5. Under Rules, create traffic management rules:

    1. Select the Egress or Ingress tab.

    2. Click Add.

    3. In the Port range field of the window that opens, specify a single port or a port range for traffic to come to or from.

    4. In the Protocol field, specify the appropriate protocol or keep Any to allow traffic transmission over any protocol.

    5. In the Source field (for an ingress rule) or the Destination field (for an egress rule), select what the rule applies to:

      • CIDR: The rule applies to a range of IP addresses. In the CIDR blocks field, specify the subnets, in CIDR notation, that traffic will come from or go to. To add several CIDRs, click Add.

      • Security group. Select one of the following:

        • Current: The rule applies to the VMs in the group you are editing.
        • From list: The rule applies to the VMs in the selected group. The source and destination IP addresses exchanging traffic must be from private ranges. For more information, see Concepts.
      • Load balancer healthchecks: The rule allows health checks of the group's resources from Network Load Balancer or Application Load Balancer.

  6. Click Save.

  7. Click Save once again.

CLI

To add a rule to an existing group:

  1. Get the name or ID of the group to edit:

    yc vpc security-group list
    

    Result:

    +----------------------+---------------------------------+------------------------------------+----------------------+
    |          ID          |              NAME               |          DESCRIPTION               |      NETWORK-ID      |
    +----------------------+---------------------------------+------------------------------------+----------------------+
    | enp9bmjge93b******** | default-sg-enp509crtquf******** | Default security group for network | enp509crtquf******** |
    | enp9rs9u4h6j******** | sg-1                            |                                    | enp509crtquf******** |
    | enp9d8m73d1c******** | sg-2                            |                                    | enp509crtquf******** |
    +----------------------+---------------------------------+------------------------------------+----------------------+
    
  2. Add a rule using the update-rules command and the --add-rule parameter:

    yc vpc security-group update-rules <group_name_or_ID> --add-rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[10.0.0.0/24,10.10.0.0/24]"
    

    Result:

    done (12s)
    id: enp9rs9u4h6j********
    folder_id: b1gau98l79li********
    created_at: "2022-06-24T15:46:31Z"
    name: sg-1
    network_id: enp509crtquf********
    status: ACTIVE
    rules:
      - id: enp68o6cdi87********
        direction: INGRESS
        ports:
          from_port: "443"
          to_port: "443"
        protocol_name: TCP
        protocol_number: "6"
        cidr_blocks:
          v4_cidr_blocks:
            - 10.0.0.0/24
            - 10.10.0.0/24
      ...
    

    Note

    You can use predefined=self_security_group to apply the rule to the VMs inside the security group you are updating.

    For more information about the Self rule, see the types of security group rules.

    To learn about the --add-rule parameter, run the yc vpc security-group update-rules --help command.

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

  1. Open the Terraform configuration file and add the ingress or egress section to the security group description:

    ...
    resource "yandex_vpc_security_group" "test-sg" {
      # Yandex Cloud resource names allow lowercase letters, digits and hyphens only
      name        = "test-sg"
      description = "Description for security group"
      network_id  = yandex_vpc_network.lab-net.id

      # Single port: TCP/8080 from two subnets
      ingress {
        protocol       = "TCP"
        description    = "Rule description 1"
        v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
        port           = 8080
      }

      # Port range, any protocol
      egress {
        protocol       = "ANY"
        description    = "Rule description 2"
        v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
        from_port      = 8090
        to_port        = 8099
      }

      egress {
        protocol       = "UDP"
        description    = "rule3 description"
        v4_cidr_blocks = ["10.0.1.0/24"]
        from_port      = 8090
        to_port        = 8099
      }
    }
    ...
    

    For more information about the yandex_vpc_security_group resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the security group update using the management console or this CLI command:

    yc vpc security-group get <security_group_name>
    

Adding a new rule using the yandex_vpc_security_group_rule resource

You can also add a new rule to an existing security group using the yandex_vpc_security_group_rule resource.

Warning

Both methods produce the same result, but they must not be combined for the same group: if a yandex_vpc_security_group resource defines rules inline and yandex_vpc_security_group_rule resources are also bound to that group, each resource tries to own the group's rule set and the configuration ends up with a rule conflict.

  1. In the configuration file, describe the following parameters:

    • security_group_binding: Security group ID.
    • direction: Incoming or outgoing traffic. The possible values are ingress or egress.
    • description: Rule description.
    • v4_cidr_blocks: List of CIDRs and masks of subnets the traffic will come to or from.
    • port: Traffic port.
    • from_port: First port in the traffic port range.
    • to_port: Last port in the traffic port range.
    • protocol: Traffic transmission protocol. The possible values are TCP, UDP, ICMP, or ANY.
    ...
    resource "yandex_vpc_security_group_rule" "rule1" {
      security_group_binding = "<security_group_ID>"
      direction              = "ingress"
      description            = "<rule_description>"
      v4_cidr_blocks         = ["10.0.1.0/24", "10.0.2.0/24"]
      port                   = 8080
      protocol               = "TCP"
    }

    resource "yandex_vpc_security_group_rule" "rule2" {
      # Bind by reference to a group managed in the same configuration
      security_group_binding = yandex_vpc_security_group.group1.id
      direction              = "egress"
      description            = "rule2 description"
      v4_cidr_blocks         = ["10.0.1.0/24"]
      from_port              = 8090
      to_port                = 8099
      protocol               = "UDP"
    }
    ...

    For more information about the yandex_vpc_security_group_rule resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the security group update using the management console or this CLI command:

    yc vpc security-group get <security_group_name>
    

API

To add a rule, use the updateRules REST API method for the SecurityGroup resource or the SecurityGroupService/UpdateRules gRPC API call, and provide the following in the request:

  • ID of the security group you want to add rules to, in the securityGroupId parameter.

    To get the security group ID, use the list REST API method for the SecurityGroup resource or the SecurityGroupService/List gRPC API call and provide the folder ID in the folderId request parameter.

    To learn how to find out the folder ID, see Getting the folder ID.

  • New security group rules, in the additionRuleSpecs[] array:

    • Traffic direction for which the rule is created, in the additionRuleSpecs[].direction parameter. The possible values are:

      • ingress: Incoming traffic.
      • egress: Outgoing traffic.
    • Name of the traffic transmission protocol, in the additionRuleSpecs[].protocolName parameter. The possible values are tcp, udp, icmp, esp, ah, or any.

    • List of CIDRs and masks of subnets the traffic will come to or from, in the additionRuleSpecs[].cidrBlocks.v4CidrBlocks[] parameter. If you set the rule for the traffic to a security group, provide the security group ID in the additionRuleSpecs[].securityGroupId parameter instead.

    • First port in the traffic port range, in the additionRuleSpecs[].ports.fromPort parameter. The values range from 0 to 65535.

    • Last port in the traffic port range, in the additionRuleSpecs[].ports.toPort parameter. The values range from 0 to 65535.
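The CLI section above shows one --add-rule string and the API section lists the fields of an additionRuleSpecs[] entry, but neither shows a check of the values before they are sent. The following Python module is an added example, not Yandex Cloud code: it builds additionRuleSpecs[] entries with the field names described above (direction, protocolName, cidrBlocks.v4CidrBlocks, securityGroupId, ports.fromPort/toPort, description), rejects malformed input (unknown direction or protocol, ports outside 0-65535, a from port above the to port, a CIDR with host bits set, or both a CIDR list and a security group ID), renders the same rule as a yc --add-rule argument, and flags rules that are open to 0.0.0.0/0, span the full port range, or use protocol any. The fromPort <= toPort check and the audit policy are this example's own additions; the yc keys from-port, to-port and security-group-id are not shown on this page and are assumed from the CLI's --help output.

```python
"""Build, validate and lint additionRuleSpecs[] entries for SecurityGroup.updateRules, and
render each one as the equivalent `yc vpc security-group update-rules --add-rule` spec.

Added example, not Yandex Cloud code. Field names follow the REST API as described on this
page; the from<=to range check and the audit() policy are this example's own. The yc keys
from-port, to-port and security-group-id are assumed from `--help`, not shown on the page.
"""
import ipaddress
import json
from typing import Dict, List, Optional

DIRECTIONS = {"ingress", "egress"}
PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "any"}  # protocolName values from the page


def rule_spec(direction: str, protocol: str, from_port: int, to_port: Optional[int] = None,
              v4_cidrs: Optional[List[str]] = None, security_group_id: Optional[str] = None,
              description: str = "") -> Dict:
    """Return one additionRuleSpecs[] entry, or raise ValueError on a bad spec."""
    direction, protocol = direction.lower(), protocol.lower()
    to_port = from_port if to_port is None else to_port
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}: {direction!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocolName must be one of {sorted(PROTOCOLS)}: {protocol!r}")
    # 0..65535 per the API description; from<=to is this example's own sanity check
    if not (0 <= from_port <= to_port <= 65535):
        raise ValueError(f"bad port range {from_port}-{to_port}")
    # The API takes either cidrBlocks or securityGroupId as the rule's target, not both
    if (v4_cidrs is None) == (security_group_id is None):
        raise ValueError("specify exactly one of v4_cidrs or security_group_id")
    spec: Dict = {"direction": direction, "protocolName": protocol,
                  "ports": {"fromPort": from_port, "toPort": to_port}}
    if description:
        spec["description"] = description
    if v4_cidrs is not None:
        nets = []
        for cidr in v4_cidrs:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.5/24
            if net.version != 4:
                raise ValueError(f"v4CidrBlocks expects IPv4: {cidr}")
            nets.append(str(net))
        spec["cidrBlocks"] = {"v4CidrBlocks": nets}
    else:
        spec["securityGroupId"] = security_group_id
    return spec


def is_valid(*args, **kwargs) -> bool:
    """True if rule_spec accepts the arguments, False if it raises ValueError."""
    try:
        rule_spec(*args, **kwargs)
        return True
    except ValueError:
        return False


def audit(spec: Dict) -> List[str]:
    """Flag overly broad rules before they are applied (this example's own policy)."""
    findings = []
    cidrs = spec.get("cidrBlocks", {}).get("v4CidrBlocks", [])
    ports = spec["ports"]
    if "0.0.0.0/0" in cidrs:
        findings.append(f"{spec['direction']} rule open to the whole internet (0.0.0.0/0)")
    if ports["fromPort"] == 0 and ports["toPort"] == 65535:
        findings.append("rule covers the full port range 0-65535")
    if spec["protocolName"] == "any":
        findings.append("rule allows any protocol")
    return findings


def to_yc_add_rule(spec: Dict) -> str:
    """Render the spec as a yc --add-rule argument (single port -> port=, range -> from-port/to-port)."""
    parts = [f"direction={spec['direction']}"]
    ports = spec["ports"]
    if ports["fromPort"] == ports["toPort"]:
        parts.append(f"port={ports['fromPort']}")
    else:
        parts.append(f"from-port={ports['fromPort']},to-port={ports['toPort']}")  # assumed keys
    parts.append(f"protocol={spec['protocolName']}")
    if "cidrBlocks" in spec:
        parts.append("v4-cidrs=[" + ",".join(spec["cidrBlocks"]["v4CidrBlocks"]) + "]")
    else:
        parts.append(f"security-group-id={spec['securityGroupId']}")  # assumed key
    return ",".join(parts)


def update_rules_body(specs: List[Dict]) -> str:
    """JSON request body for updateRules with the additionRuleSpecs[] array described above."""
    return json.dumps({"additionRuleSpecs": specs}, indent=2)


if __name__ == "__main__":
    https_in = rule_spec("ingress", "tcp", 443, v4_cidrs=["10.0.0.0/24", "10.10.0.0/24"])
    print(to_yc_add_rule(https_in))
    print(update_rules_body([https_in]))
    for warning in audit(rule_spec("ingress", "ANY", 0, 65535, v4_cidrs=["0.0.0.0/0"])):
        print("WARN:", warning)
```

The first rule in the demo renders to exactly the --add-rule string used in the CLI section above, so the same validated spec can feed either the CLI or the REST call; run audit() over every entry and refuse to apply when it returns findings, unless the exposure is deliberate.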
