© 2025 Direct Cursus Technology L.L.C.

Security groups

Written by Yandex Cloud. Updated at September 22, 2025.
  • Scope of use for security groups
  • Security group structure
    • Description of security group rules
    • Self rule
    • Rule with a link to a security group
  • Security group specifics
  • Sample descriptions of security group rules
    • VM with a web server
    • VM behind a network load balancer
  • Tools for managing security groups
  • Step-by-step guides for working with security groups
  • Use cases

A security group is the main mechanism for access control in Yandex Cloud.

Note

Currently, you can only use IPv4 in Yandex Cloud networks. IPv6 is not supported, so security groups can only work with IPv4 traffic.

A security group (SG) is a resource created at the cloud network level. Once created, a security group can be used in Yandex Cloud services to control network access to an object it applies to.

A default security group (DSG) is created automatically while creating a new cloud network. The default security group has the following properties:

  • It will allow any network traffic, both egress and ingress, in the new cloud network.
  • It applies to traffic passing through all subnets in the network where the DSG is created.
  • It is only used if no security group is explicitly assigned to the object yet.
  • You cannot delete the DSG: it is deleted automatically when deleting the network.

You can combine security groups by assigning up to five groups per object.

Alert

Security groups are not designed to protect against DDoS attacks.

To filter out large volumes of unsolicited network traffic, use Yandex DDoS Protection.

Scope of use for security groups

Security groups can be used in the following Yandex Cloud service objects:

Service name                          Service objects
Compute Cloud                         VM interface, instance group template
Managed Service for Kubernetes        Cluster, node group
Application Load Balancer             Load balancer
Managed Service for PostgreSQL        Cluster
Managed Service for ClickHouse®       Cluster
Managed Service for Greenplum®        Cluster
Managed Service for MySQL®            Cluster
Yandex Managed Service for Valkey™    Cluster
Yandex StoreDoc                       Cluster
Managed Service for Apache Kafka®     Cluster
Managed Service for OpenSearch        Cluster
Yandex Data Processing                Cluster
Data Transfer                         Endpoint
Load Testing                          Test agent
Managed Service for GitLab            Instance

Note

For more information about using security groups in a specific Yandex Cloud service, see the relevant documentation.

Security group structure

Security groups consist of a list of rules. A security group with no rules blocks any network traffic between objects it applies to. This happens because the list of security group rules always implicitly ends with the "prohibit all" rule.

Security group rules for ingress and egress traffic are set separately. One group may have up to 50 rules in total for ingress and egress traffic.

A new rule is always added at the end of the list. You cannot add a new rule to a specific position in the list in-between existing rules.

Description of security group rules

Each rule in a security group has a fixed set of fields:

Description
  Brief description of the rule. You can also describe metadata in this field.

Protocol
  Network protocol the rule applies to. You can use the following protocols in security group rules:
  • TCP
  • UDP
  • ICMP
  • AH (for IPsec connections)
  • ESP (for IPsec connections)
  • GRE (for tunnel connections)
  • Any: any network protocol

Port range
  Range of ports for the network protocol selected in the rule. You can only specify a single continuous port range; you cannot list arbitrary comma-separated ports.

Source (for incoming traffic only)
  Traffic source IP addresses. You can specify them in one of the following ways:
  • CIDR: List of traffic source IPv4 prefixes. You can set up to 50 CIDR blocks per rule.
  • Security group: Name of an existing security group.
  • Load balancer health checks: Special rule that defines how to interact with Network Load Balancer health check nodes.

Target (for outgoing traffic only)
  Traffic target IP addresses. You can specify them in one of the following ways:
  • CIDR: List of traffic target IPv4 prefixes. You can set up to 50 CIDR blocks per rule.
  • Security group: Name of an existing security group.
  • Load balancer health checks: Special rule that defines how to interact with Network Load Balancer health check nodes.

Self rule

A special security group named Self can act as a traffic source or target in a security group rule. It includes all IP addresses of objects this group will be applied to.

For example, you can create a vm_group_sg security group and describe it in Terraform as follows:

resource "yandex_vpc_security_group" "vm_group_sg" {
  ...
  ingress {
    protocol          = "ANY"
    description       = "Allow incoming traffic from members of the same security group"
    from_port         = 0
    to_port           = 65535
    predefined_target = "self_security_group"
  }

  egress {
    protocol          = "ANY"
    description       = "Allow outgoing traffic to members of the same security group"
    from_port         = 0
    to_port           = 65535
    predefined_target = "self_security_group"
  }
}

Now, if you apply the vm_group_sg group to the network interfaces of two VMs connected to the same network, these VMs will be able to exchange traffic with no port restrictions. If you apply the same group to a third VM on the same network, all three of them will be able to exchange traffic.

Alert

Note that the Self rule only affects traffic going directly through the VM network interface that the security group is applied to.

In the case of a VM with a public IP address, the Self rule does not apply to egress traffic to the internet that goes through this network interface in the one-to-one NAT direction.

Rule with a link to a security group

Security group rules allow you to use other security groups in the Source or Destination field.

Such a rule allows traffic to or from the IP addresses of the resources (VM interfaces) to which the referenced security group is already applied.

So you can refer to different types of objects in rules, such as:

  • Managed Service for Kubernetes cluster worker nodes
  • Managed DB cluster hosts
  • VM instances in instance groups

Using reference rules in security groups helps maintain the consistency of network access rules during autoscaling of cloud resources.

Here is an example of a service that consists of two components:

  • Instance group with web servers behind a load balancer
  • Managed Service for PostgreSQL cluster

The web servers, the number of which may vary depending on the load, must be allowed to access the DB cluster.

To do this, create two security groups:

  • web-sg: For the group of web servers
  • db-sg: For the Managed Service for PostgreSQL cluster

resource "yandex_vpc_security_group" "web_sg" {
  name = "web-sg"
  ...
  ingress {
    description = "Allow HTTPS"
    protocol    = "TCP"
    port        = 443
  }

  ingress {
    description = "Allow HTTP"
    protocol    = "TCP"
    port        = 80
  }

  egress {
    description    = "Permit ANY"
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
  ...
}

resource "yandex_vpc_security_group" "db_sg" {
  name = "db-sg"
  ...
  ingress {
    description       = "Permit DB access to web VMs"
    protocol          = "TCP"
    port              = 6432
    # security_group_id takes a single security group ID (a string), not a list
    security_group_id = yandex_vpc_security_group.web_sg.id
  }
}

When new servers are added to the group, security group rules will automatically apply to them.

Security group specifics

Traffic direction

Security group rules describe ingress and egress traffic separately.

Stateful connections

The state of network connections in security groups is tracked. If security group rules allow network traffic in one direction, it is not required to allow the reverse traffic.

Connection lifetime

Security groups automatically terminate idle TCP connections after 180 seconds. We do not recommend configuring longer session timeouts in applications. For more information about limits, see Quotas and limits.

Using security groups in rules

Rules may use existing security groups as traffic sources and targets.

Using multiple security groups

If multiple security groups apply to one object at the same time, their rules will be combined into a single list. Network traffic will be allowed if it matches a rule in at least one of the groups. If not, traffic will be prohibited.
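The following Python model is an added illustration, not code from the Yandex Cloud documentation: it reproduces how the rules of up to five applied groups are merged (any matching rule allows the traffic), how a rule that references another group or Self resolves to that group's current member addresses, and how the implicit trailing "prohibit all" rule denies everything else. Group names, addresses and member lists are constructed, and stateful reply traffic is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:                        # one security group rule (constructed model, not the provider schema)
    direction: str                 # "ingress" or "egress"
    protocol: str                  # "TCP", "UDP", "ICMP", ... or "ANY"
    from_port: int = 0             # a single continuous port range
    to_port: int = 65535
    cidrs: list = field(default_factory=list)  # IPv4 prefixes (source or target)
    sg_ref: str = None             # name of a referenced security group
    self_ref: bool = False         # the predefined "Self" target

@dataclass
class SecurityGroup:
    name: str
    rules: list
    members: list                  # IPv4 addresses of the interfaces the group applies to

def rule_matches(rule, own_group, groups, direction, protocol, port, peer_ip):
    """True if this rule permits the packet; peer_ip is the source (ingress) or target (egress)."""
    if rule.direction != direction or rule.protocol not in ("ANY", protocol):
        return False
    if protocol in ("TCP", "UDP") and not rule.from_port <= port <= rule.to_port:
        return False
    ip = ipaddress.ip_address(peer_ip)
    if rule.self_ref or rule.sg_ref:
        # Reference rules resolve to the *current* members of a group, so they
        # keep working when the referenced group scales in or out.
        ref = own_group if rule.self_ref else groups[rule.sg_ref]
        return any(ip == ipaddress.ip_address(m) for m in ref.members)
    return any(ip in ipaddress.ip_network(c) for c in rule.cidrs)

def is_allowed(applied, groups, direction, protocol, port, peer_ip):
    """Rules of all applied groups form one list: any match allows, otherwise the implicit 'prohibit all' denies."""
    assert len(applied) <= 5, "at most five security groups per object"
    for g in applied:
        assert len(g.rules) <= 50, f"{g.name}: at most 50 rules per group"
        if any(rule_matches(r, g, groups, direction, protocol, port, peer_ip) for r in g.rules):
            return True
    return False

# Constructed sample data mirroring the web-sg / db-sg pair and the Self rule described above.
WEB_SG = SecurityGroup("web-sg", members=["192.168.10.5", "192.168.10.6"], rules=[
    Rule("ingress", "TCP", 443, 443, cidrs=["0.0.0.0/0"]),
    Rule("egress", "ANY", cidrs=["0.0.0.0/0"])])
DB_SG = SecurityGroup("db-sg", members=["192.168.20.10"],
                      rules=[Rule("ingress", "TCP", 6432, 6432, sg_ref="web-sg")])
MESH_SG = SecurityGroup("vm-group-sg", members=["192.168.10.5", "192.168.10.7"],
                        rules=[Rule("ingress", "ANY", self_ref=True)])
GROUPS = {g.name: g for g in (WEB_SG, DB_SG, MESH_SG)}
```

Applying [WEB_SG, MESH_SG] to one interface lets a mesh member reach port 80 although web-sg alone only opens 443, which is the union behaviour described above.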

Security groups and Network Load Balancer

Please keep in mind that you cannot apply security groups to a network load balancer's traffic listener. For target group VMs hosted behind a load balancer, security groups can be applied to the VM network interfaces. Security groups of these VMs must include the Health Checks rule to allow health check traffic from the load balancer.

Security groups and services for DNS and VM metadata

For consistent and reliable operation of network services, you must explicitly allow the following network traffic in the outgoing rules of security groups:

  • Requests to the VM metadata service at the 169.254.169.254 IP address over HTTP (tcp/80).
  • Requests to the DNS service towards the second IP address in the subnet over DNS (udp/53).

Security groups and Managed Service for Kubernetes

To avoid network connectivity issues when deploying and using Managed Service for Kubernetes clusters, carefully follow this guide.

Security groups and Application Load Balancer tools for Managed Service for Kubernetes

For proper operation of the ingress controller or Gateway API, configure security groups for the Managed Service for Kubernetes cluster and node groups, and for the Application Load Balancer L7 load balancer. For more information, see this guide.

Alert

Yandex Cloud supports automatic filtering of egress SMTP traffic.

Sample descriptions of security group rules

VM with a web server

resource "yandex_vpc_security_group" "vm_group_sg" {
  ...
  ingress {
    description    = "Allow HTTP protocol from local subnets"
    protocol       = "TCP"
    port           = 80
    v4_cidr_blocks = ["192.168.10.0/24", "192.168.20.0/24"]
  }

  ingress {
    description    = "Allow HTTPS protocol from local subnets"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["192.168.10.0/24", "192.168.20.0/24"]
  }

  egress {
    description    = "Permit ANY"
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
}

VM behind a network load balancer

resource "yandex_vpc_security_group" "vm_group_sg" {
  ...
  ingress {
    description    = "Allow HTTP protocol from local subnets"
    protocol       = "TCP"
    port           = 80
    v4_cidr_blocks = ["192.168.10.0/24", "192.168.20.0/24"]
  }

  ingress {
    description    = "Allow HTTPS protocol from local subnets"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["192.168.10.0/24", "192.168.20.0/24"]
  }

  ingress {
    description       = "Health checks from NLB"
    protocol          = "TCP"
    predefined_target = "loadbalancer_healthchecks" # [198.18.235.0/24, 198.18.248.0/24]
  }

  egress {
    description    = "Permit ANY"
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
}

Tools for managing security groups

In Yandex Cloud, you can work with security groups using:

  • Management console
  • Command line interface (CLI)
  • Terraform:
    • Security Group
    • Security Group Rule
    • Default Security Group

Step-by-step guides for working with security groups

Sample use cases for security groups in Yandex Cloud

Use cases

  • Architecture and protection of a basic web service
  • Connecting to a cloud network using OpenVPN
  • Setting up a UserGate proxy server
  • Creating a bastion host
  • Configuring a network for Yandex Data Processing
  • Implementing a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point NGFW

ClickHouse® is a registered trademark of ClickHouse, Inc.
