How to use security groups
Security groups act as firewalls, filtering traffic on your Instances. They can be stateful or stateless, and allow you to create rules to drop or allow traffic to and from your Instance. On this page, we show you how to create, edit and configure a security group via the Scaleway console.
You may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Before you start, make sure that:
- You have an account and are logged into the Scaleway console
- You have created an Instance
How to create a security group
- Click Instances (A) in the Compute section of the side menu. The Instances dashboard displays.
- Click the Security groups tab (B). The Security groups dashboard displays.
Note:
You will see that at least one Default security group already exists in your account. A default security group is auto-generated for each Availability Zone you have created Instances in. All your Instances within that Availability Zone are automatically added to that default security group unless you specify a different configuration.
- Click «Plus Icon» (C) to launch the security group creation wizard.
- Complete the following steps in the wizard:
- Choose a Name and description for your security group, or leave the name at the randomly generated default suggestion.
- Choose an Availability Zone, which is the geographical location in which your security group will be created. Only Instances from the same Availability Zone can be added to this security group.
- Define the inbound and outbound Rules which will be applied to your security group, including whether you wish to enable SMTP ports. See How to choose security group settings for more information.
- Select the Instances you wish to add to the security group.
- Click Create security group to finish. Your security group is created, and you are redirected to the Security groups tab where it now appears.
How to edit a security group
- Click Instances in the Compute section of the side menu. The Instances dashboard displays.
- Click the Security groups tab. The Security groups dashboard displays.
- Click the security group you want to edit. Alternatively, click the «See more Icon» icon to the right of the security group in question, and select More info. Either way, you are taken to the dashboard for that security group.
- Navigate to the required tab depending on the edit you want to make:
On the Overview tab, you can:
- set/unset this security group as the project default (A)
- enable/disable SMTP for outgoing emails (B)
- enable/disable stateful group rules (C)
- delete the security group (D)
On the Instances tab, you can:
- link Instances to this security group, using the drop-down menu (A)
- unlink Instances from the security group, using the «Unlink Icon» button (B)
On the Rules tab, you can:
- set default inbound and outbound policies, by clicking «Edit Icon» (A) and then choosing drop or accept for inbound and outbound traffic.
- create, edit or delete rules that drop or accept traffic from defined sources (inbound rules) or to defined destinations (outbound rules):
  - click «Edit Icon» (B)
  - click the Add inbound rule or Add outbound rule buttons that appear
  - create your rule and click «Validate Icon» to confirm it.
See How to choose security group settings for more information on these choices.
Security group rules are applied to public Internet connections only. They do not apply to Private Network connections, so if you need to restrict traffic arriving over a Private Network, you have to filter it on the Instance itself.
How to choose security group settings
Enabling SMTP
By default, outbound SMTP ports are blocked for security reasons, to prevent Instances from being used to send email spam. This means that you cannot send outgoing emails from the Instance. We recommend leaving this default setting unless you specifically need to send emails from your Instance.
To enable or disable SMTP for a security group, follow the instructions for how to edit a security group and check the relevant box in the Overview tab at step 4.
Enabling stateful group
By default, security groups that you create are stateful. To disable or re-enable the stateful setting, follow the instructions for how to edit a security group and check the relevant box in the Overview tab at step 4. Note that default security groups cannot be stateful.
- Stateless security groups apply the default policy and the inbound/outbound rules to every packet, regardless of whether the connection was initiated from your Instance or not. With a default inbound policy of drop, this means the replies to connections your Instance opens (package downloads, for example) are dropped unless you add inbound rules that accept them. Read more about stateless security groups
- Stateful security groups track connections initiated from your Instance and accept the return traffic of those connections, disregarding the default inbound policy and inbound rules for it. Read more about stateful security groups
Setting default inbound and outbound policies
You can set default policies to drop or accept all inbound traffic, and drop or accept all outbound traffic. The default policy applies to any packet that no rule matches. We recommend dropping incoming traffic by default to prevent intrusions, and adding accept rules only for the ports and source ranges you actually need. To change your default inbound and outbound policies, follow the instructions for how to edit a security group, clicking «Edit Icon» in the Rules tab at step 4 and choosing drop or accept for each direction.
Creating inbound and outbound rules
You can create customized inbound and outbound rules to drop or accept traffic on particular protocols, ports, and IP ranges. To do so, follow the instructions for how to edit a security group, clicking the edit icon in the Rules tab at step 4.
For each rule, choose the following options:
- Rule: The value can either be Drop to drop connections that match the rule or Accept to accept these connections.
- Protocol: This field specifies the protocol on which the rule applies. The value can either be TCP, UDP or ICMP.
- Port: This field specifies the destination port (or port range) on which the rule applies. If the All Ports box is checked, the rule applies to all ports. ICMP has no ports, so ICMP rules always apply to all traffic of that protocol.
- IP Range: The IP range in CIDR notation on which the rule applies: the source of the traffic for an inbound rule, its destination for an outbound rule. A range of 0.0.0.0/0 matches any address, so use it only for services that must be reachable from the whole Internet.
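To make the interaction between the default policies, the rules, the stateful setting, the SMTP block and the Private Network exemption concrete, here is a small Python model of how a security group decides the fate of a packet. It is an added illustration written for this page, not Scaleway's code, and it never contacts the Scaleway API: rules are assumed to apply in the order listed (first match wins), the SMTP port set and the precedence of the SMTP block over user rules are assumptions of the model, and every address is a constructed RFC 5737 example rather than a real host.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports blocked for outgoing mail while the SMTP option is disabled.
# The page only says "SMTP ports"; this set is an assumption of the model.
SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Rule:
    """One inbound or outbound rule, mirroring the four fields of the console form."""
    direction: str                    # "inbound" or "outbound"
    action: str                       # "accept" or "drop"
    protocol: str                     # "TCP", "UDP" or "ICMP"
    ip_range: str                     # CIDR of the remote peer, e.g. "203.0.113.0/24"
    port_from: Optional[int] = None   # None means "All Ports"
    port_to: Optional[int] = None     # None means a single port (port_from)

    def matches(self, pkt: "Packet") -> bool:
        if self.direction != pkt.direction or self.protocol != pkt.protocol:
            return False
        # The IP range describes the remote peer: source for inbound, destination for outbound.
        peer = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        if ip_address(peer) not in ip_network(self.ip_range, strict=False):
            return False
        if self.port_from is None:        # "All Ports"
            return True
        if pkt.dst_port is None:          # ICMP carries no port, so a port rule cannot match it
            return False
        hi = self.port_to if self.port_to is not None else self.port_from
        return self.port_from <= pkt.dst_port <= hi


@dataclass(frozen=True)
class Packet:
    direction: str                    # "inbound" (towards the Instance) or "outbound"
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    private_network: bool = False     # True when the packet travels over a Private Network


@dataclass
class SecurityGroup:
    inbound_default: str = "drop"
    outbound_default: str = "accept"
    stateful: bool = True
    smtp_enabled: bool = False
    rules: list = field(default_factory=list)


class Evaluator:
    """Applies a SecurityGroup to packets, remembering the flows the Instance itself opened."""

    def __init__(self, sg: SecurityGroup) -> None:
        self.sg = sg
        # (proto, peer_ip, peer_port, local_ip, local_port) of accepted outbound flows
        self._initiated: set = set()

    def decide(self, pkt: Packet) -> str:
        # Security groups filter public traffic only; Private Network traffic bypasses them entirely.
        if pkt.private_network:
            return "accept"
        # Outgoing mail is blocked until SMTP is enabled on the group (assumed to override user rules).
        if (pkt.direction == "outbound" and pkt.protocol == "TCP"
                and pkt.dst_port in SMTP_PORTS and not self.sg.smtp_enabled):
            return "drop"
        # A stateful group lets the reply to a connection the Instance opened through,
        # whatever the inbound rules and default policy say.
        if self.sg.stateful and pkt.direction == "inbound":
            if (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self._initiated:
                return "accept"
        # Otherwise the first matching rule decides; the default policy covers everything else.
        default = self.sg.inbound_default if pkt.direction == "inbound" else self.sg.outbound_default
        verdict = next((r.action for r in self.sg.rules if r.matches(pkt)), default)
        if verdict == "accept" and pkt.direction == "outbound" and self.sg.stateful:
            self._initiated.add((pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return verdict


# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
INSTANCE_IP = "192.0.2.10"
ADMIN_NET = "203.0.113.0/24"
WEB_SERVER = "198.51.100.10"


def run_scenarios(stateful: bool, smtp_enabled: bool = False) -> dict:
    """Inbound drop by default, outbound accept by default, SSH allowed from the admin range only."""
    sg = SecurityGroup(inbound_default="drop", outbound_default="accept", stateful=stateful,
                       smtp_enabled=smtp_enabled,
                       rules=[Rule("inbound", "accept", "TCP", ADMIN_NET, 22)])
    ev = Evaluator(sg)
    return {
        "ssh_from_admin_net": ev.decide(Packet("inbound", "TCP", "203.0.113.7", INSTANCE_IP, 40000, 22)),
        "ssh_from_elsewhere": ev.decide(Packet("inbound", "TCP", WEB_SERVER, INSTANCE_IP, 40001, 22)),
        # The Instance fetches something over HTTPS, then the server's reply comes back.
        "outbound_https": ev.decide(Packet("outbound", "TCP", INSTANCE_IP, WEB_SERVER, 51234, 443)),
        "https_reply": ev.decide(Packet("inbound", "TCP", WEB_SERVER, INSTANCE_IP, 443, 51234)),
        "outbound_smtp": ev.decide(Packet("outbound", "TCP", INSTANCE_IP, WEB_SERVER, 51235, 25)),
        "private_network_db": ev.decide(Packet("inbound", "TCP", "172.16.4.2", "172.16.4.10",
                                               50000, 3306, private_network=True)),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", run_scenarios(stateful=mode))
```

The point to take from the two runs is the "https_reply" entry: with the same rules and the same default inbound drop, the stateful group accepts the reply because it remembers the outbound flow, while the stateless group drops it, which is the classic symptom of a stateless group with a drop inbound policy (outbound connections time out until inbound rules for the reply traffic exist). The Private Network packet is accepted by the model no matter what the group says, which is why a database exposed only on a Private Network still needs its own access control.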