Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Creating a security group

Written by
Updated at October 17, 2024

Warning

Security groups operate on the principle of "what is not allowed is forbidden". If you assign a security group without rules to the network interface of a VM, the VM won't be able to transmit or receive traffic.

To create a new security group:

  1. In the management console, go to the folder where you need to create a security group.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select Security groups.
  4. Click Create security group.
  5. Enter a name for the security group.
  6. In the Network field, select the network to assign the security group to.
  7. Under Rules, create traffic management rules:
    1. Select the Egress or Ingress tab.
    2. Click Add rule.
    3. In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from.
    4. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
    5. In the Destination name or Source field, select the purpose of the rule:
      1. CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
      2. Security group: CIDR field alternative. Select:
        • Current: To allow networking between the resources within the current security group.
        • From list: To allow networking with the resources of the selected group.
      3. Load balancer healthchecks​.
  8. Click Save. Add other rules, if required.
  9. Click Save.

To create a group with an IPv4 CIDR rule, run the command:

yc vpc security-group create \
  --name test-sg-cli \
  --rule "direction=ingress,port=443,protocol=tcp,v4-cidrs=[10.0.0.0/24]" \
  --network-id c645mh47vscb********

Where:

  • name: Security group name.
  • rule: Rule description:
    • direction: Traffic direction. ingress: Incoming traffic; egress: Outgoing traffic.
    • port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
    • protocol: Data transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
    • v4-cidrs: List of IPv4 CIDRs and masks of subnets to deal with outgoing and incoming traffic.
    • network-id: ID of the network the security group will be connected to.

To create a group with a rule that allows traffic from all resources of a different security group, run this command:

yc vpc security-group create \
  --name allow-connection-from-app \
  --rule "direction=ingress,port=5642,protocol=tcp,security-group-id=enp099cqehlfvabec36d" \
  --network-name infra2

Where:

  • name: Security group name.
  • rule: Rule description:
    • direction: Traffic direction. ingress: Incoming traffic; egress: Outgoing traffic.
    • port: Port for receiving or transmitting traffic. You can also specify a range of ports using the from-port and to-port parameters.
    • protocol: Data transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
    • security-group-id: ID of the security group for which traffic is allowed to the new security group through port 443.
  • network-name: Name of the network the security group will be connected to.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To create a security group with multiple rules:

  1. In the configuration file, describe the parameters of the resources you want to create:

    • name: Security group name.
    • description: Optional description of the security group.
    • network_id: ID of the network that the security group will be assigned to.
    • ingress and egress: Rule parameters for incoming and outgoing traffic:
      • protocol: Traffic transfer protocol. The possible values are tcp, udp, icmp, esp, ah, or any.
      • description: Optional description of the rule.
      • v4_cidr_blocks: List of CIDRs and masks of subnets to deal with outgoing and incoming traffic.
      • port: Port for traffic.
      • from-port: First port in the traffic ports range.
      • to-port: Last port in the traffic ports range.

    Here is an example of the configuration file structure:

    provider "yandex" {
  token     = "<OAuth_or_service_account_static_key>"
  folder_id = "<folder_ID>"
  zone      = "ru-central1-a"
}

resource "yandex_vpc_security_group" "test-sg" {
  name        = "Test security group"
  description = "Description for security group"
  network_id  = "<network_ID>"

  ingress {
    protocol       = "TCP"
    description    = "Rule description 1"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    port           = 8080
  }

  ingress {
    protocol          = "ANY"
    description       = "Allows networking between resources within the current security group"
    predefined_target = "self_security_group"
    from_port         = 0
    to_port           = 65535
  }

  ingress {
    protocol           = "TCP"
    description        = "Allows connections for the sg-frontend security group resources over port 27017"
    security_group_id  = yandex_vpc_security_group.sg-frontend.id
    port               = 27017
  }

  egress {
    protocol       = "ANY"
    description    = "Rule description 2"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    from_port      = 8090
    to_port        = 8099
  }
}

    For more information about resources you can create with Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.
    2. Run a check using this command: 
      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command: 
      terraform apply
    2. Confirm that you want to create the resources.

    All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call, and provide the following in the request:

  • ID of the folder where the security group will be placed, in the folderId parameter.

  • ID of the network where the security group will be placed, in the networkId parameter.

  • Settings for the security group rules, in the ruleSpecs[] array.

    • Traffic direction for which the rule is created, in the ruleSpecs[].direction parameter. The possible values are:

      • ingress: Incoming traffic
      • egress: Outgoing traffic

    • Name of the traffic transmission protocol, in the ruleSpecs[].protocolName parameter. The possible values are tcp, udp, icmp, esp, ah, or any.

    • List of CIDRs and masks of subnets to deal with outgoing and incoming traffic, in the ruleSpecs[].cidrBlocks.v4CidrBlocks[] parameter. If the rule is configured for transmitting traffic to a security group, then transmit the security group ID in the ruleSpecs[].securityGroupId parameter instead.

    • First port in the traffic ports range, in the ruleSpecs[].ports.fromPort parameter. The possible values are from 0 to 65535.

    • Last port in the traffic ports range, in the ruleSpecs[].ports.toPort parameter. The possible values are from 0 to 65535.

Previous
Deleting a service connection
Next
Changing the name and description