Creating a security group
Warning
Security groups operate on the principle of "what is not allowed is forbidden". If you assign a security group without rules to the network interface of a VM, the VM won't be able to transmit or receive traffic.
To create a new security group:
- In the management console, go to the folder where you need to create a security group.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select Security groups.
- Click Create security group.
- Enter a name for the security group.
- In the Network field, select the network to assign the security group to.
- Under Rules, create traffic management rules:
  - Select the Egress or Ingress tab.
  - Click Add rule.
  - In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
  - In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
  - In the Destination name or Source field, select the purpose of the rule:
    - CIDR: the rule applies to a range of IP addresses. In the CIDR blocks field, specify the CIDRs and subnet masks that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
    - Security group: an alternative to the CIDR field. Select Current to allow networking between the resources within the current security group, or From list to allow networking with the resources of the selected group.
    - Load balancer healthchecks.
  - Click Save. Add other rules, if required.
- Click Save.
To create a group with an IPv4 CIDR rule, run the command:
yc vpc security-group create \
--name test-sg-cli \
--rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[10.0.0.0/24]" \
--network-id c645mh47vscb********
Where:
- name: Security group name.
- rule: Rule description:
  - direction: Traffic direction. ingress: incoming traffic; egress: outgoing traffic.
  - port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
  - protocol: Data transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
  - v4-cidrs: List of IPv4 CIDRs and subnet masks for outgoing and incoming traffic.
- network-id: ID of the network the security group will be connected to.
To create a group with a rule that allows traffic from all resources of a different security group, run this command:
yc vpc security-group create \
--name allow-connection-from-app \
--rule "direction=ingress,port=5642,protocol=tcp,security-group-id=enp099cqehlfvabec36d" \
--network-name infra2
Where:
- name: Security group name.
- rule: Rule description:
  - direction: Traffic direction. ingress: incoming traffic; egress: outgoing traffic.
  - port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
  - protocol: Data transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
  - security-group-id: ID of the security group for which traffic is allowed to the new security group through port 443.
- network-name: Name of the network the security group will be connected to.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To create a security group with multiple rules:
- In the configuration file, describe the parameters of the resources you want to create:
  - name: Security group name.
  - description: Optional description of the security group.
  - network_id: ID of the network that the security group will be assigned to.
  - ingress and egress: Rule parameters for incoming and outgoing traffic:
    - protocol: Traffic transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
    - description: Optional description of the rule.
    - v4_cidr_blocks: List of CIDRs and subnet masks for outgoing and incoming traffic.
    - port: Port for traffic.
    - from_port: First port in the traffic ports range.
    - to_port: Last port in the traffic ports range.
Here is an example of the configuration file structure:
provider "yandex" {
  token     = "<OAuth_or_service_account_static_key>"
  folder_id = "<folder_ID>"
  zone      = "ru-central1-a"
}

resource "yandex_vpc_security_group" "test-sg" {
  name        = "Test security group"
  description = "Description for security group"
  network_id  = "<network_ID>"

  ingress {
    protocol       = "TCP"
    description    = "Rule description 1"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    port           = 8080
  }

  ingress {
    protocol          = "ANY"
    description       = "Allows networking between resources within the current security group"
    predefined_target = "self_security_group"
    from_port         = 0
    to_port           = 65535
  }

  ingress {
    protocol          = "TCP"
    description       = "Allows connections for the sg-frontend security group resources over port 27017"
    security_group_id = yandex_vpc_security_group.sg-frontend.id
    port              = 27017
  }

  egress {
    protocol       = "ANY"
    description    = "Rule description 2"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    from_port      = 8090
    to_port        = 8099
  }
}
For more information about resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
  If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm that you want to create the resources.
  All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.
Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call, and provide the following in the request:
- ID of the folder where the security group will be placed, in the folderId parameter.
- ID of the network where the security group will be placed, in the networkId parameter.
- Settings for the security group rules, in the ruleSpecs[] array:
  - Traffic direction for which the rule is created, in the ruleSpecs[].direction parameter. The possible values are ingress (incoming traffic) and egress (outgoing traffic).
  - Name of the traffic transmission protocol, in the ruleSpecs[].protocolName parameter. The possible values are tcp, udp, icmp, esp, ah, or any.
  - List of CIDRs and subnet masks for outgoing and incoming traffic, in the ruleSpecs[].cidrBlocks.v4CidrBlocks[] parameter. If the rule is configured for traffic to or from a security group, pass the security group ID in the ruleSpecs[].securityGroupId parameter instead.
  - First port in the traffic ports range, in the ruleSpecs[].ports.fromPort parameter. The possible values are from 0 to 65535.
  - Last port in the traffic ports range, in the ruleSpecs[].ports.toPort parameter. The possible values are from 0 to 65535.
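The CLI `--rule` string and the API `ruleSpecs[]` fields describe the same rule; the added Python example below (written for this page, not Yandex Cloud's own code or tooling) parses a CLI-style rule string into a ruleSpecs[] element and enforces the constraints the page states: direction, protocol, a 0..65535 port range, and exactly one of a CIDR list or a security group ID. It assumes that a rule with no port fields covers the whole port range, and the `is_wide_open` check is this example's own review aid.

```python
import ipaddress
import re

DIRECTIONS = {"ingress", "egress"}
PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "any"}


def parse_rule(rule: str) -> dict:
    """Turn 'direction=ingress,port=443,protocol=tcp,v4-cidrs=[10.0.0.0/24]' into
    a REST-style ruleSpecs[] element; raises ValueError on anything the page forbids."""
    # Split on commas that are not inside [...] so v4-cidrs=[a,b] stays one field.
    kv = dict(p.split("=", 1) for p in re.split(r",(?![^\[]*\])", rule))
    direction, proto = kv.get("direction"), kv.get("protocol", "any")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be ingress or egress, got {direction!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    # `port` is shorthand for from-port == to-port. Assumption of this example:
    # a rule with no port fields at all covers the whole 0..65535 range.
    lo = int(kv.get("from-port", kv.get("port", 0)))
    hi = int(kv.get("to-port", kv.get("port", 65535)))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range {lo}-{hi} is outside 0..65535")
    spec = {"direction": direction, "protocolName": proto,
            "ports": {"fromPort": lo, "toPort": hi}}
    # A rule targets either a CIDR list or another security group, never both.
    if ("v4-cidrs" in kv) == ("security-group-id" in kv):
        raise ValueError("rule needs exactly one of v4-cidrs or security-group-id")
    if "v4-cidrs" in kv:
        cidrs = kv["v4-cidrs"].strip("[]").split(",")
        for cidr in cidrs:
            ipaddress.IPv4Network(cidr)  # rejects a malformed or non-aligned CIDR
        spec["cidrBlocks"] = {"v4CidrBlocks": cidrs}
    else:
        spec["securityGroupId"] = kv["security-group-id"]
    return spec


def is_wide_open(spec: dict) -> bool:
    """True for an ingress rule that admits any protocol on every port from 0.0.0.0/0."""
    return (spec["direction"] == "ingress" and spec["protocolName"] == "any"
            and spec["ports"] == {"fromPort": 0, "toPort": 65535}
            and "0.0.0.0/0" in spec.get("cidrBlocks", {}).get("v4CidrBlocks", []))
```

Running `parse_rule` over the rules in a script before `yc vpc security-group create` catches a typo or an out-of-range port locally, and `is_wide_open` is a quick review gate for rules that undo the default-deny behaviour described in the warning at the top of the page.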