Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating a security group

Written by
Updated at January 22, 2025

Warning

Security groups operate on the principle of "what is not allowed is forbidden". If you assign a security group without rules to the network interface of a VM, the VM won't be able to transmit or receive traffic.

To create a new security group:

  1. In the management console, go to the folder where you need to create a security group.
  2. In the services list, select Virtual Private Cloud.
  3. In the left-hand panel, select Security groups.
  4. Click Create security group.
  5. Enter a name for the security group.
  6. In the Network field, select the network to assign the security group to.
  7. Under Rules, create traffic management rules:
    1. Select the Egress tab for an outbound rule or Ingress tab for an inbound rule.
    2. Click Add rule.
    3. In the Port range field of the window that opens, specify a single port or a range of ports that will be open for inbound or outbound traffic.
    4. In the Protocol field, specify the required protocol or specify Any to allow traffic over any protocol.
    5. In the Destination name or Source field, select the purpose of the rule:
      1. CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
      2. Security group: CIDR field alternative. Select:
        • Current: To allow networking between the resources within the current security group.
        • From list: To allow networking with the resources of the selected group.
      3. Load balancer healthchecks.
  8. Click Save. Add other rules, if required.
  9. Click Save.

To create a group with an IPv4 CIDR rule, run the command:

yc vpc security-group create \
  --name test-sg-cli \
  --rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[10.0.0.0/24]" \
  --network-id c645mh47vscb********

Where:

  • name: Security group name.
  • rule: Rule description:
    • direction: Traffic direction, with ingress for incoming traffic and egress for outgoing traffic.
    • port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
    • protocol: Data transfer protocol. Possible values: tcp, udp, icmp, esp, ah, or any.
    • v4-cidrs: List of IPv4 CIDRs and masks of subnets to deal with outgoing and incoming traffic.
    • network-id: ID of the network the security group will be connected to.

To create a group with a rule that allows traffic from all resources of a different security group, run this command:

yc vpc security-group create \
  --name allow-connection-from-app \
  --rule "direction=ingress,port=5642,protocol=tcp,security-group-id=enp099cqehlfvabec36d" \
  --network-name infra2

Where:

  • name: Security group name.
  • rule: Rule description:
    • direction: Traffic direction, with ingress for incoming traffic and egress for outgoing traffic.
    • port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
    • protocol: Data transfer protocol. Possible values: tcp, udp, icmp, esp, ah, or any.
    • security-group-id: ID of the security group that is allowed to send traffic to the new security group through port 443.
  • network-name: Name of the network the security group will be connected to.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To create a security group with multiple rules:

  1. In the configuration file, define the parameters of the resources you want to create:

    • name: Security group name.
    • description: Optional description of the security group.
    • network_id: ID of the network to assign the security group to.
    • ingress and egress: Rule parameters for incoming and outgoing traffic:
      • protocol: Traffic transfer protocol. Possible values: tcp, udp, icmp, esp, ah, or any.
      • description: Optional description of the rule.
      • v4_cidr_blocks: List of CIDRs and masks of subnets to deal with outgoing and incoming traffic.
      • port: Port for traffic.
      • from-port: First port in the traffic port range.
      • to-port: Last port in the traffic port range.

    Here is an example of the configuration file structure:

    provider "yandex" {
  token     = "<OAuth_or_static_key_of_service_account>"
  folder_id = "<folder_ID>"
  zone      = "ru-central1-a"
}

resource "yandex_vpc_security_group" "test-sg" {
  name        = "Test security group"
  description = "Description for security group"
  network_id  = "<network_ID>"

  ingress {
    protocol       = "TCP"
    description    = "Rule description 1"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    port           = 8080
  }

  ingress {
    protocol          = "ANY"
    description       = "Enables communication between resources in the current security group"
    predefined_target = "self_security_group"
    from_port         = 0
    to_port           = 65535
  }

  ingress {
    protocol           = "TCP"
    description        = "Enables connections on port 27017 from resources in the `sg-frontend` security group"
    security_group_id  = yandex_vpc_security_group.sg-frontend.id
    port               = 27017
  }

  egress {
    protocol       = "ANY"
    description    = "Rule description 2"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    from_port      = 8090
    to_port        = 8099
  }
}

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.
    2. Run a check using this command: 
      terraform plan

    If the configuration is correct, the terminal will display a list of resources to create and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command: 
      terraform apply
    2. Confirm creating the resources.

    All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console.

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call, and provide the following in the request:

  • ID of the folder the security group will reside in, in the folderId parameter.

  • ID of the network the security group will reside in, in the networkId parameter.

  • Settings for the security group rules, in the ruleSpecs[] array:

    • Traffic direction for which the rule is created, in the ruleSpecs[].direction parameter. The possible values are:

      • ingress: Incoming traffic
      • egress: Outgoing traffic

    • Name of the traffic transmission protocol, in the ruleSpecs[].protocolName parameter. Possible values: tcp, udp, icmp, esp, ah, or any.

    • List of CIDRs and masks of subnets to deal with outgoing and incoming traffic, in the ruleSpecs[].cidrBlocks.v4CidrBlocks[] parameter. If the rule is configured for transmitting traffic to a security group, provide the security group ID in the ruleSpecs[].securityGroupId parameter instead.

    • First port in the traffic port range, in the ruleSpecs[].ports.fromPort parameter. The values range from 0 to 65535.

    • Last port in the traffic port range, in the ruleSpecs[].ports.toPort parameter. The values range from 0 to 65535.

Previous
Deleting a service connection
Next
Changing the name and description