NavigationContentFooter
Jump toSuggest an edit

How to use security groups

Reviewed on 21 February 2024Published on 26 May 2021

Security groups act as firewalls, filtering traffic on your Instances. They can be stateful or stateless, and allow you to create rules to drop or allow traffic to and from your Instance. On this page, we show you how to create, edit, and configure a security group via the Scaleway console.

Before you start

To complete the actions presented on this page, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An Instance

How to create a security group

  1. Click Instances in the Compute section of the side menu. The Instances page displays.
  2. Click the Security groups tab. The Security groups dashboard displays.
    Note

    You will see that at least one Default security group already exists in your account. A default security group is auto-generated for each Availability Zone you have created Instances in. All your Instances within that Availability Zone are automatically added to that default security group unless you specify a different configuration.

  3. Click + Create security group to launch the security group creation wizard.
  4. Complete the following steps:
    • Choose a Name for your security group or keep the randomly generated suggestion. Optionally, add a description.
    • Choose an Availability Zone, which is the geographical location in which your security group will be created. Only Instances from the same Availability Zone can be added to this security group.
    • Define the inbound and outbound Rules that will be applied to your security group, including whether you wish to enable SMTP ports. Learn how to choose security group settings.
    • Select the Instances you wish to add to the security group.
  5. Click Create security group to finish. Your security group is created, and you are redirected to the Security groups tab, where it now appears.

How to edit a security group

  1. Click Instances in the Compute section of the side menu. The Instances page displays.

  2. Click the Security groups tab. The Security groups dashboard displays.

  3. Click the security group you want to edit. Alternatively, click the «See more Icon» icon to the right of the security group in question, and select More info. You are taken to the dashboard for that security group.

  4. Navigate to the required tab depending on the edit you want to make:

    On the Overview tab, you can:

    • Set/unset this security group as the project default,
    • Enable/disable SMTP for outgoing emails,
    • Enable/disable stateful group rules,
    • Delete the security group.

    On the Instances tab, you can:

    • Link Instances to this security group, using the drop-down menu,
    • Unlink Instances from the security group, using the «Unlink Icon» button.

    On the Rules tab, you can:

    • Set default inbound and outbound policies, by clicking «Edit Icon» and choosing drop or accept for inbound and outbound traffic.
    • Create, edit, or delete rules to drop or incoming traffic from defined sources:
      • Click «Edit Icon»,
      • Click the Add inbound rule or Add outbound rule buttons that appear,
      • Create your rule and click «Validate Icon» when you have finished confirming the new rule.

    See How to choose security group settings for more information on these choices.

Note

Security group rules are applied to public internet connections only. The security group rules do not apply to Private Network connections.

How to choose security group settings

Enabling SMTP

By default, SMTP ports are blocked for security reasons to prevent email spam. This means that you cannot send outgoing emails from the Instance. We recommend leaving this default setting unless you specifically need to send emails from your Instance.

To enable or disable SMTP for a security group, follow the instructions for how to edit a security group and check the relevant box in the Overview tab at step 4.

Enabling stateful group

By default, security groups that you create are stateful. To disable or re-enable stateful groups, follow the instructions for how to edit a security group and check the relevant box in the Overview tab at step 4. Note that default security groups cannot be stateful.

  • Stateless security groups strictly apply the default policy and inbound/outbound rules, regardless of whether a connection is initiated from your Instance or not. Read more about stateless security groups
  • Stateful security groups disregard the default policy and inbound/outbound rules if a connection is initiated from your Instance. Read more about stateful security groups

Setting default inbound and outbound policies

You can set default policies to drop or accept all inbound traffic, and drop or accept all outbound traffic. We recommend blocking incoming traffic by default to prevent intrusions. To change your default inbound and outbound policies, follow the instructions for how to edit a security group, checking the relevant boxes in the Rules tab at step 4.

Creating inbound and outbound rules

You can create customized inbound and outbound rules to drop or accept traffic on particular protocols, ports, and IP ranges. To do so, follow the instructions for how to edit a security group, by clicking the edit icon in the Rules tab in step 4.

For each rule, choose the following options:

  • Rule: The value can either be Drop to drop connections that match the rule or Accept to accept these connections.
  • Protocol: This field specifies the protocol on which the rule applies. The value can either be TCP, UDP, or ICMP.
  • Port: This field specifies the port on which the rule applies. If the All Ports box is checked, the rule applies to all ports.
  • IP Range: The IP range in CIDR notation on which the rule applies.
See also
How to move an Instance to routed flexible IPsHow to use Private Networks
Cloud Products & Resources
  • Scaleway Console
  • Compute
  • Storage
  • Network
  • IoT
  • AI
Dedicated Products & Resources
  • Dedibox Console
  • Dedibox Servers
  • Network
  • Web Hosting
Scaleway
  • Scaleway.com
  • Blog
  • Careers
  • Scaleway Learning
Follow us
FacebookTwitterSlackInstagramLinkedin
ContractsLegal NoticePrivacy PolicyCookie PolicyDocumentation license
© 1999-2024 – Scaleway SAS