Security Groups

Your CloudVPS Compute instances are protected by an external firewall.  By default, this firewall does not allow any incoming traffic through. Security groups make it possible to allow specific traffic to and from your cloud server. In order to access your instance, you must assign one or more security groups to the instance.

Allowing specific types of traffic

A security group is a set of rules that allows traffic to or from your instances for one or more purposes.  For instance, a security group can allow all HTTP traffic to your server, or only allow SSH access.

Allowing access from specific locations

Security groups can also be used to regulate which other cloud servers or IP addresses the members of a security group can connect with. There are different possibilities:

  • No restrictions.
  • A specific IP (for example a Jumphost or Monitoring service) or an IP range.
  • Another Security Group (the Database Servers security group can allow communication from the Application Server security group for example).
  • Cloud servers located in the same security group.

Predefined Security Groups

When launching a cloud server through the new server wizard, you need to specify the security groups for the server. You can choose to use the default security group and then customise it after the server is launched, or you can create your own security group.

 

| Group | Name | Outgoing Traffic | Incoming Traffic |
| --- | --- | --- | --- |
| All | built-in-allow-all | All | All |
| Web | built-in-allow-web | All | Only ports 80 and 443 |
| ICMP | built-in-allow-icmp | All | Only ports 0, 3 and 8 |
| Remote Access | built-in-remote-access | All | Only ports 22, 3389, 5900 and 6010 |
| CloudVPS | built-in-provider-access | All | Only ports 22, 3389, 161 from the CloudVPS jumphost |
| Default | default | All | Traffic from servers in same account. |

A server always needs to have at least one security group. If you only want to specify one security group, we recommend the default security group for clustered solutions; in that case you can still reach the relevant cloud server from your other instances. If you create a cloud server via the API and do not specify a security group, the default-security-group is added automatically.

Custom Security Groups (Recommended)

You can create your own security groups and specify them when you launch your cloud servers. We recommend grouping all servers with the same role in the same security group. For example, you could create a 'Database Server' security group and an 'Application Server' security group.

Things to consider

  • A security group's name or description cannot be changed.
  • Each server has to be assigned to at least one security group. A server can have multiple security groups assigned.
  • IP-address-based permissions apply to both private and public IP addresses.
  • Although servers in the same security group can communicate with each other over private or public IP addresses, connections should be made using private IP addresses when possible.
  • Changing or deleting security group rules will not terminate established TCP connections.

Access Permissions

Security groups use CIDR-based notation, illustrated below, to grant access permissions to servers. For CIDR-based rules, you can also specify the protocol and port range.


| Restrictiveness | CIDR | Effect |
| --- | --- | --- |
| Most restrictive | 0.0.0.0/32 | No access |
| ... | 89.31.101.75/32 | Allow access for a single IP address |
| ... | 89.31.101.0/24 | First 3 sets must match to allow access |
| ... | 89.31.0.0/16 | First 2 sets must match to allow access |
| ... | 89.0.0.0/8 | First set must match to allow access |
| Least restrictive | 0.0.0.0/0 | Allow access for everyone |
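
The CIDR matching described above, combined with the default-deny behaviour of the firewall, as an added example that is not CloudVPS code. The rule layout, the function names and port 3306 are assumptions made for illustration; the CIDR blocks come from the table.

```python
import ipaddress

# Constructed ingress rules: a CIDR source plus protocol and port range.
# The dict layout and port 3306 are illustrative assumptions.
RULES = [
    {"cidr": "89.31.101.75/32", "protocol": "tcp", "ports": (22, 22)},
    {"cidr": "89.31.101.0/24", "protocol": "tcp", "ports": (3306, 3306)},
    {"cidr": "0.0.0.0/0", "protocol": "tcp", "ports": (443, 443)},
]


def addresses_admitted(cidr):
    """Number of source addresses a CIDR block covers."""
    return ipaddress.ip_network(cidr).num_addresses


def ingress_allowed(rules, source_ip, protocol, port):
    """Default deny: traffic passes only if at least one rule matches."""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"])
        low, high = rule["ports"]
        # An IPv6 source never matches an IPv4 block (and vice versa),
        # so 0.0.0.0/0 does not open a port to IPv6 clients.
        if src in net and rule["protocol"] == protocol and low <= port <= high:
            return True
    return False


if __name__ == "__main__":
    # Each shorter prefix multiplies the number of admitted sources.
    for cidr in ("89.31.101.75/32", "89.31.101.0/24", "89.31.0.0/16",
                 "89.0.0.0/8", "0.0.0.0/0"):
        print(f"{cidr:<18} admits {addresses_admitted(cidr):>13,} addresses")

    checks = [
        ("89.31.101.75", "tcp", 22),    # the single allowed host
        ("89.31.101.76", "tcp", 22),    # neighbour in the /24, not in the /32
        ("89.31.101.76", "tcp", 3306),  # inside the /24
        ("89.31.102.1", "tcp", 3306),   # third set differs, outside the /24
        ("203.0.113.9", "tcp", 443),    # any IPv4 source
        ("2001:db8::1", "tcp", 443),    # IPv6 source, no IPv6 rule present
    ]
    for source, protocol, port in checks:
        verdict = "allow" if ingress_allowed(RULES, source, protocol, port) else "deny"
        print(f"{source:<14} {protocol}/{port:<5} {verdict}")
```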

Creating a Security Group

1. Log in to https://stack.cloudvps.com
2. In the navigation pane under Compute > Advanced, click Security Groups.
3. Click New Group.
4. Specify a name and description for the security group. Select or deselect any of the default ports provided and click Create Group.

You can assign a security group to a server when you launch the server or by adding the security group at the server details page. When you add or remove rules, those changes are automatically applied to all instances to which you've assigned the security group.

Adding Rules to a Security Group

1. Log in to https://stack.cloudvps.com
2. In the navigation pane under Compute > Advanced, click Security Groups.
3. Select the Security Group.
4. At the details page of the Security Group, click the new rule button to add a rule.
5. Specify the type (ipv4 or ipv6) and direction (ingress or egress).
6. Choose the source (any, from group or net).
7. Choose the protocol (any, ICMP, TCP or UDP).
8. If TCP or UDP is chosen, provide the required port or port range.
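
A review check for rules built from the fields in the steps above, as an added example that is not CloudVPS code: it lists ingress rules that admit the remote-access ports (22, 3389, 5900, 6010) from every address. The dict layout, the `rule` helper and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Ports of the built-in-remote-access group listed on this page.
REMOTE_ACCESS_PORTS = (22, 3389, 5900, 6010)


def rule(ip_type, direction, source, protocol, ports=None, net=None):
    """Build a rule record from the fields of the new-rule form."""
    return {"type": ip_type, "direction": direction, "source": source,
            "protocol": protocol, "ports": ports, "net": net}


def open_to_everyone(r):
    """True for source 'any' or a net with prefix length 0 (0.0.0.0/0, ::/0)."""
    if r["source"] == "any":
        return True
    if r["source"] == "net":
        return ipaddress.ip_network(r["net"], strict=False).prefixlen == 0
    return False  # a 'group' source only admits members of that group


def exposed_remote_ports(r):
    """Remote-access ports this rule admits from every address."""
    if r["direction"] != "ingress" or not open_to_everyone(r):
        return []
    if r["protocol"] == "any":
        return list(REMOTE_ACCESS_PORTS)
    if r["protocol"] not in ("tcp", "udp"):
        return []
    low, high = r["ports"]
    return [p for p in REMOTE_ACCESS_PORTS if low <= p <= high]


def audit(rules):
    """Return (rule index, exposed ports) for each rule that needs review."""
    return [(i, ports) for i, r in enumerate(rules)
            if (ports := exposed_remote_ports(r))]


# Constructed sample rule set.
SAMPLE_RULES = [
    rule("ipv4", "ingress", "any", "tcp", (22, 22)),
    rule("ipv4", "ingress", "net", "tcp", (3389, 3389), net="89.31.101.75/32"),
    rule("ipv4", "ingress", "net", "tcp", (1, 65535), net="0.0.0.0/0"),
    rule("ipv6", "ingress", "net", "any", net="::/0"),
    rule("ipv4", "ingress", "group", "tcp", (22, 22)),
    rule("ipv4", "egress", "any", "any"),
]

if __name__ == "__main__":
    for index, ports in audit(SAMPLE_RULES):
        print(f"rule {index}: remote-access ports open to everyone: {ports}")
```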

Deleting Rules from a Security Group

1. Log in to https://stack.cloudvps.com
2. In the navigation pane under Compute > Advanced, click Security Groups.
3. Select the Security Group.
4. At the details page of the Security Group find the rule you would like to remove.
5. Click on the delete button indicated by the cross icon to delete the specific rule.
