Discuss with expertTry it for free
© 2026 Direct Cursus Technology L.L.C.

Creating a security group

Written by
Updated at June 15, 2026

Warning

Security groups operate based on the what is not allowed is forbidden principle. If you assign a security group without rules to the network interface of a VM, the VM will not be able to send or receive traffic.

To create a new security group:

  1. In the management console, select the folder where you need to create a security group.
  2. Navigate to Virtual Private Cloud.
  3. In the left-hand panel, select Security groups.
  4. Click Create security group.
  5. Enter a name for the security group.
  6. In the Network field, select the network to assign the security group to.
  7. Under Rules, create traffic management rules:
    1. Select the Egress or Ingress tab.
    2. Click Add.
    3. In the Port range field of the window that opens, specify a single port or a range of ports open for inbound or outbound traffic.
    4. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
    5. In the Destination name or Source field, select the rule purpose:
      1. CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDRs and masks of subnets traffic will move to/from. To add multiple CIDRs, click Add.
      2. Security group: CIDR field alternative. Select:
        • Current: To allow networking between the resources within the current security group.
        • From list: To allow networking with the resources of the selected group.
      3. Load balancer healthchecks.
  8. Click Save. Add other rules, if required.
  9. Click Save.

To create a group with an IPv4 CIDR rule, run this command:

yc vpc security-group create \
  --name test-sg-cli \
  --rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[10.0.0.0/24]" \
  --network-id c645mh47vscb********

Where:

  • name: Security group name.
  • rule: Rule description:
    • direction: Traffic direction, with ingress for incoming traffic and egress for outgoing traffic.
    • port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
    • protocol: Data transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
    • v4-cidrs: List of IPv4 CIDRs and masks of subnets the traffic will come to or from.
    • network-id: ID of the network the security group will be connected to.

To create a group with a rule that allows traffic from all resources of a different security group, run this command:

yc vpc security-group create \
  --name allow-connection-from-app \
  --rule "direction=ingress,port=5642,protocol=tcp,security-group-id=enp099cqehlfvabec36d" \
  --network-name infra2

Where:

  • name: Security group name.
  • rule: Rule description:
    • direction: Traffic direction, with ingress for incoming traffic and egress for outgoing traffic.
    • port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
    • protocol: Data transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
    • security-group-id: ID of the security group that is allowed to send traffic to the new security group through port 443.
  • network-name: Name of the network the security group will be connected to.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.

To create a security group with multiple rules:

  1. In the configuration file, describe the resources you want to create:

    • name: Security group name.
    • description: Optional description of the security group.
    • network_id: ID of the network to assign the security group to.
    • ingress and egress: Parameters for incoming and outgoing traffic rules:
      • protocol: Traffic transmission protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
      • description: Optional description of the rule.
      • v4_cidr_blocks: List of CIDRs and masks of subnets the traffic will come to or from.
      • port: Traffic port.
      • from-port: First port in the traffic port range.
      • to-port: Last port in the traffic port range.

    Here is an example of the configuration file structure:

    resource "yandex_vpc_security_group" "test-sg" {
  name        = "Test security group"
  description = "Description for security group"
  network_id  = "<network_ID>"

  ingress {
    protocol       = "TCP"
    description    = "Rule description 1"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    port           = 8080
  }

  ingress {
    protocol          = "ANY"
    description       = "Enables communication between resources in the current security group"
    predefined_target = "self_security_group"
    from_port         = 0
    to_port           = 65535
  }

  ingress {
    protocol           = "TCP"
    description        = "Enables connections on port 27017 from resources in the `sg-frontend` security group"
    security_group_id  = yandex_vpc_security_group.sg-frontend.id
    port               = 27017
  }

  egress {
    protocol       = "ANY"
    description    = "Rule description 2"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    from_port      = 8090
    to_port        = 8099
  }
}

    For more information about the resources you can create with Terraform, see this provider guide.

  2. Make sure the configuration files are correct.

    1. In the terminal, navigate to the directory where you created your configuration file.
    2. Run a check using this command: 
      terraform plan

    If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors.

  3. Deploy the cloud resources.

    1. If the configuration is correct, run this command: 
      terraform apply
    2. Confirm creating the resources.

    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call, and provide the following in the request:

  • ID of the folder the security group will reside in, in the folderId parameter.

  • ID of the network the security group will reside in, in the networkId parameter.

  • Settings for the security group rules, in the ruleSpecs[] array:

    • Traffic direction for which the rule is created, in the ruleSpecs[].direction parameter. The possible values are:

      • ingress: Incoming traffic
      • egress: Outgoing traffic

    • Name of the traffic transmission protocol, in the ruleSpecs[].protocolName parameter. The possible values are tcp, udp, icmp, esp, ah, or any.

    • List of CIDRs and masks of subnets the traffic will come to or from, in the ruleSpecs[].cidrBlocks.v4CidrBlocks[] parameter. If you set the rule for the traffic to a security group, provide the security group ID in the ruleSpecs[].securityGroupId parameter instead.

    • First port in the traffic port range, in the ruleSpecs[].ports.fromPort parameter. The values range from 0 to 65535.

    • Last port in the traffic port range, in the ruleSpecs[].ports.toPort parameter. The possible values range from 0 to 65535.

Previous
Deleting a service connection
Next
Changing the name and description