Adding a new rule to a security group
You do not need to restart a VM when adding or deleting rules. The rules are applied to all the resources assigned to a group at the same time.
Management console

To add a rule:

1. In the management console, go to the folder where you need to change the security group.
1. In the list of services, select **Virtual Private Cloud**.
1. In the left-hand panel, select **Security groups**.
1. Open the actions menu next to the security group you need to add a rule to and select **Edit**.
1. Under **Rules**, create traffic management rules:
   1. Select the **Egress** or **Ingress** tab.
   1. Click **Add rule**.
   1. In the **Port range** field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
   1. In the **Protocol** field, specify the appropriate protocol or leave `Any` to allow traffic transmission over any protocol.
   1. In the **Destination name** or **Source** field, select the purpose of the rule:
      * `CIDR`: The rule will apply to a range of IP addresses. In the **CIDR blocks** field, specify the CIDRs and masks of the subnets that traffic will come to or from. To add multiple CIDRs, click **Add CIDR**. Keep each block as narrow as the traffic actually requires: `0.0.0.0/0` opens the port to every address.
      * `Security group`: Select one of the following:
         * `Current`: The rule will apply to the VMs from the current group.
         * `From list`: The rule will apply to the VMs from the selected group. Make sure that the source and destination IPs used for traffic exchange are from [private ranges](../concepts/network.md#subnet). For more information, see [Concepts](../concepts/security-groups.md#groups).
      * `Load balancer healthchecks`: A rule that allows health checks of resources from [Network Load Balancer](../../network-load-balancer/concepts/health-check.md) or [Application Load Balancer](../../application-load-balancer/concepts/backend-group.md#health-checks).
   1. Click **Save**.
1. Click **Save** once again.
CLI

To add a rule to an existing group:

1. Get the name or ID of the group to edit:

   ```bash
   yc vpc security-group list
   ```

   Result:

   ```text
   +----------------------+---------------------------------+------------------------------------+----------------------+
   |          ID          |              NAME               |            DESCRIPTION             |      NETWORK-ID      |
   +----------------------+---------------------------------+------------------------------------+----------------------+
   | enp9bmjge93b******** | default-sg-enp509crtquf******** | Default security group for network | enp509crtquf******** |
   | enp9rs9u4h6j******** | sg-1                            |                                    | enp509crtquf******** |
   | enp9d8m73d1c******** | sg-2                            |                                    | enp509crtquf******** |
   +----------------------+---------------------------------+------------------------------------+----------------------+
   ```

1. Add a rule using the `update-rules` command and the `--add-rule` parameter:

   ```bash
   yc vpc security-group update-rules <group_name_or_ID> \
     --add-rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[10.0.0.0/24,10.10.0.0/24]"
   ```

   Result:

   ```yaml
   done (12s)
   id: enp9rs9i4h9j********
   folder_id: b1gau98l79li********
   created_at: "2022-06-24T15:46:31Z"
   name: sg-1
   network_id: enp559cr9q9f********
   status: ACTIVE
   rules:
     - id: enp68o6cdi87********
       direction: INGRESS
       ports:
         from_port: "443"
         to_port: "443"
       protocol_name: TCP
       protocol_number: "6"
       cidr_blocks:
         v4_cidr_blocks:
           - 10.0.0.0/24
           - 10.10.0.0/24
   ...
   ```

   Note

   You can use `predefined=self_security_group` to apply the rule to the VMs inside the security group being updated. For more information about the `Self` rule, see the types of security group rules. To get help about the `--add-rule` parameter, run `yc vpc security-group update-rules --help`.
Terraform

If you don't have Terraform, install it and configure the Yandex Cloud provider.

For more information about the provider resources, see the Terraform provider documentation.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
1. Open the Terraform configuration file and add the `ingress` or `egress` section to the security group description:

   ```hcl
   ...
   resource "yandex_vpc_security_group" "test-sg" {
     name        = "Test security group"
     description = "Description for security group"
     network_id  = yandex_vpc_network.lab-net.id

     ingress {
       protocol       = "TCP"
       description    = "Rule description 1"
       v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
       port           = 8080
     }

     egress {
       protocol       = "ANY"
       description    = "Rule description 2"
       v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
       from_port      = 8090
       to_port        = 8099
     }

     egress {
       protocol       = "UDP"
       description    = "rule3 description"
       v4_cidr_blocks = ["10.0.1.0/24"]
       from_port      = 8090
       to_port        = 8099
     }
   }
   ...
   ```

   For more information about the `yandex_vpc_security_group` resource in Terraform, see the provider documentation.

1. Check the configuration using this command:

   ```bash
   terraform validate
   ```

   If the configuration is correct, you will get this message:

   ```text
   Success! The configuration is valid.
   ```

1. Run this command:

   ```bash
   terraform plan
   ```

   The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

1. Apply the configuration changes:

   ```bash
   terraform apply
   ```

1. Confirm the changes: type `yes` into the terminal and press **Enter**.

   You can verify the changes to the security group using the management console or the CLI command below:

   ```bash
   yc vpc security-group get <security_group_name>
   ```
Adding a new rule using the yandex_vpc_security_group_rule resource

You can also add a new rule to an existing security group using the `yandex_vpc_security_group_rule` resource.

Warning

The two methods do the same thing but are incompatible: managing the rules of one security group both through inline `ingress`/`egress` blocks in `yandex_vpc_security_group` and through separate `yandex_vpc_security_group_rule` resources causes a rule conflict, because each resource tries to reconcile the group to its own view of the rule set. Pick one method per group.

1. In the configuration file, describe the following parameters:

   * `security_group_binding`: Security group ID.
   * `direction`: Incoming or outgoing traffic. The possible values are `ingress` or `egress`.
   * `description`: Description of the rule.
   * `v4_cidr_blocks`: List of CIDRs and masks of subnets to deal with outgoing and incoming traffic.
   * `port`: Port for traffic.
   * `from_port`: First port in the traffic ports range.
   * `to_port`: Last port in the traffic ports range.
   * `protocol`: Traffic transfer protocol. The possible values are `TCP`, `UDP`, `ICMP`, or `ANY`.

   Specify either `port` or the `from_port`/`to_port` pair for a rule, not both.

   ```hcl
   ...
   resource "yandex_vpc_security_group_rule" "rule1" {
     security_group_binding = "<security_group_ID>"
     direction              = "ingress"
     description            = "<rule_description>"
     v4_cidr_blocks         = ["10.0.1.0/24", "10.0.2.0/24"]
     port                   = 8080
     protocol               = "TCP"
   }

   resource "yandex_vpc_security_group_rule" "rule2" {
     security_group_binding = yandex_vpc_security_group.group1.id
     direction              = "egress"
     description            = "rule2 description"
     v4_cidr_blocks         = ["10.0.1.0/24"]
     from_port              = 8090
     to_port                = 8099
     protocol               = "UDP"
   }
   ...
   ```

   For more information about the parameters of the `yandex_vpc_security_group_rule` resource in Terraform, see the provider documentation.

1. Check the configuration using this command:

   ```bash
   terraform validate
   ```

   If the configuration is correct, you will get this message:

   ```text
   Success! The configuration is valid.
   ```

1. Run this command:

   ```bash
   terraform plan
   ```

   The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

1. Apply the configuration changes:

   ```bash
   terraform apply
   ```

1. Confirm the changes: type `yes` into the terminal and press **Enter**.

   You can verify the changes to the security group using the management console or the CLI command below:

   ```bash
   yc vpc security-group get <security_group_name>
   ```
API

To add a rule, use the updateRules REST API method for the SecurityGroup resource or the SecurityGroupService/UpdateRules gRPC API call, and provide the following in the request:

* ID of the security group you want to add rules to, in the `securityGroupId` parameter.

  To get the security group ID, use the list REST API method for the SecurityGroup resource or the SecurityGroupService/List gRPC API call and provide the folder ID in the `folderId` request parameter. To learn how to find out the folder ID, see Getting the folder ID.

* New security group rules, in the `additionRuleSpecs[]` array:

  * Traffic direction for which the rule is created, in the `additionRuleSpecs[].direction` parameter. The possible values are:
    * `ingress`: Incoming traffic
    * `egress`: Outgoing traffic
  * Name of the traffic transmission protocol, in the `additionRuleSpecs[].protocolName` parameter. The possible values are `tcp`, `udp`, `icmp`, `esp`, `ah`, or `any`.
  * List of CIDRs and masks of subnets to deal with outgoing and incoming traffic, in the `additionRuleSpecs[].cidrBlocks.v4CidrBlocks[]` parameter. If the rule is configured for transmitting traffic to a security group, provide the security group ID in the `additionRuleSpecs[].securityGroupId` parameter instead.
  * First port in the traffic ports range, in the `additionRuleSpecs[].ports.fromPort` parameter. The possible values are from `0` to `65535`.
  * Last port in the traffic ports range, in the `additionRuleSpecs[].ports.toPort` parameter. The possible values are from `0` to `65535`.
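The CLI `--add-rule` string and the REST `additionRuleSpecs[]` element above describe the same rule in two encodings, and neither `yc` nor the API will tell you that a rule you are about to add is already covered by an existing one. The following added example (not Yandex Cloud code) renders a validated rule in both forms and checks it against the output of `yc vpc security-group get --format json` before anything is sent. It assumes the `--add-rule` keys `from-port`, `to-port` and `security-group-id` alongside the `direction`, `port`, `protocol` and `v4-cidrs` keys shown on this page, and that the JSON output uses the same field names as the YAML result shown in the CLI section; the sample group document is constructed from that result.

```python
"""Render and pre-check Yandex Cloud security group rules.

Added example, not Yandex Cloud code. Assumptions: `--add-rule` accepts
from-port/to-port/security-group-id keys; `yc ... --format json` uses the
field names of the documented YAML output (rules[].direction, ports,
protocol_name, cidr_blocks.v4_cidr_blocks, security_group_id).
"""
import ipaddress
import json

PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "any"}  # documented protocolName values
DIRECTIONS = {"ingress", "egress"}


def validate_rule(direction, protocol, from_port, to_port,
                  v4_cidrs=None, security_group_id=None):
    """Return a normalised rule dict or raise ValueError.

    Checks the documented value sets and port range, plus two mistakes the
    service will not catch for you: a CIDR with host bits set (10.0.0.5/24,
    almost always a typo) and a rule that names both a CIDR list and a target
    security group, or neither.
    """
    direction, protocol = direction.lower(), protocol.lower()
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)}")
    if not 0 <= from_port <= to_port <= 65535:
        raise ValueError("ports must satisfy 0 <= from_port <= to_port <= 65535")
    if bool(v4_cidrs) == bool(security_group_id):
        raise ValueError("specify exactly one of v4_cidrs or security_group_id")
    cidrs = []
    for cidr in v4_cidrs or []:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        if net.version != 4:
            raise ValueError(f"{cidr} is not an IPv4 block")
        cidrs.append(str(net))
    return {"direction": direction, "protocol": protocol, "from_port": from_port,
            "to_port": to_port, "v4_cidrs": cidrs, "security_group_id": security_group_id}


def to_cli_add_rule(rule):
    """Value for `yc vpc security-group update-rules --add-rule`."""
    parts = [f"direction={rule['direction']}"]
    if rule["from_port"] == rule["to_port"]:
        parts.append(f"port={rule['from_port']}")
    else:
        parts += [f"from-port={rule['from_port']}", f"to-port={rule['to_port']}"]
    parts.append(f"protocol={rule['protocol']}")
    if rule["v4_cidrs"]:
        parts.append("v4-cidrs=[" + ",".join(rule["v4_cidrs"]) + "]")
    else:
        parts.append(f"security-group-id={rule['security_group_id']}")
    return ",".join(parts)


def to_api_spec(rule):
    """One element of additionRuleSpecs[] for the REST updateRules body."""
    spec = {"direction": rule["direction"], "protocolName": rule["protocol"],
            "ports": {"fromPort": rule["from_port"], "toPort": rule["to_port"]}}
    if rule["v4_cidrs"]:
        spec["cidrBlocks"] = {"v4CidrBlocks": rule["v4_cidrs"]}
    else:
        spec["securityGroupId"] = rule["security_group_id"]
    return spec


def update_rules_body(rules):
    """JSON request body for updateRules with only additions."""
    return json.dumps({"additionRuleSpecs": [to_api_spec(r) for r in rules]}, indent=2)


def rule_exists(group, rule):
    """True if `group` (parsed JSON of the security group) already covers `rule`.

    Covering means: same direction; same protocol or an existing `any` rule;
    an existing port range that contains the wanted one; every wanted CIDR
    inside some existing block (or the same target security group).
    """
    wanted = [ipaddress.ip_network(c) for c in rule["v4_cidrs"]]
    for r in group.get("rules", []):
        if r["direction"].lower() != rule["direction"]:
            continue
        if r["protocol_name"].lower() not in (rule["protocol"], "any"):
            continue
        ports = r.get("ports", {})
        lo, hi = int(ports.get("from_port", 0)), int(ports.get("to_port", 65535))
        if not (lo <= rule["from_port"] and rule["to_port"] <= hi):
            continue
        if rule["security_group_id"]:
            if r.get("security_group_id") == rule["security_group_id"]:
                return True
            continue
        have = [ipaddress.ip_network(c)
                for c in r.get("cidr_blocks", {}).get("v4_cidr_blocks", [])]
        if all(any(w.subnet_of(h) for h in have) for w in wanted):
            return True
    return False


# Constructed to mirror the documented `yc vpc security-group update-rules` output.
SAMPLE_GROUP = json.loads("""
{"id": "enp9rs9i4h9j********", "name": "sg-1", "status": "ACTIVE",
 "rules": [{"id": "enp68o6cdi87********", "direction": "INGRESS",
            "ports": {"from_port": "443", "to_port": "443"},
            "protocol_name": "TCP", "protocol_number": "6",
            "cidr_blocks": {"v4_cidr_blocks": ["10.0.0.0/24", "10.10.0.0/24"]}}]}
""")

if __name__ == "__main__":
    https_in = validate_rule("ingress", "tcp", 443, 443, ["10.0.0.0/24", "10.10.0.0/24"])
    print("--add-rule", to_cli_add_rule(https_in))
    print("already covered:", rule_exists(SAMPLE_GROUP, https_in))
    print(update_rules_body([https_in]))
```

Run `rule_exists` against the live group before each `update-rules` call, and the script becomes idempotent: re-running it adds nothing when an equal or broader rule is already present, and a narrower CIDR than an existing block is reported as covered rather than added as a duplicate.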