
Create and Manage Security Groups

Security groups in OpenStack are sets of IP filter rules that define networking access to instances. Each security group acts as a virtual firewall to control the traffic for one or more instances. This guide will help you create, manage, and delete security groups and their rules using the Horizon Dashboard and the OpenStack CLI.

Create a Security Group

  • Navigate to Project > Network > Security Groups and click Create Security Group.

  • In the popup window that appears provide a Name and an optional Description for the security group, and click Create Security Group to create the group.

  • The newly created security group will appear in the list. By default, it will have the outbound rules set for 0.0.0.0/0 (IPv4) and ::/0 (IPv6).

Important

Notice that the default security group already exists. Don't delete this security group. It allows all outbound traffic for all protocols to any destination (both IPv4 and IPv6), while inbound traffic is only allowed between instances that are members of the same default security group, for both IPv4 and IPv6, across all protocols and ports. Therefore, if left intact it enables traffic between instances in the same project. It is good practice to use the default security group for baseline rules that should apply to all instances, and to create additional security groups for more specific rules as needed.

Create the security group from the CLI:

openstack security group create <security_group_name> --description <description>

Outbound Rules

Outbound rules control the traffic that is allowed to leave instances within a security group. By default, each security group allows all outbound traffic (0.0.0.0/0 for IPv4 and ::/0 for IPv6). However, you can restrict outbound traffic to specific IP addresses and ports if required.

Important

In most scenarios, the default outbound rule (allowing all traffic to 0.0.0.0/0 for IPv4 and ::/0 for IPv6) is sufficient. Restrict outbound traffic only if your security policies require it.

To restrict outbound traffic, you can create specific outbound rules:

openstack security group rule create --proto tcp --dst-port <port_number> --egress --remote-ip <ip_address> <security_group_name>

Inbound Rules

Inbound rules specify the types of incoming traffic allowed to reach instances within a security group. For example, allowing SSH traffic (port 22) or HTTP/HTTPS traffic (ports 80 and 443).

Adding Inbound Rules

  • Navigate to Project > Network > Security Groups, select the security group you want to add inbound rules for and in the Actions column click Manage Rules.

  • Click Add Rule and in the popup window that appears, fill in the following for SSH:

    • Rule: SSH
    • Remote: CIDR
    • CIDR: 0.0.0.0/0 (to allow from any IP) or a narrower CIDR that limits access to known source addresses.
  • For HTTP/HTTPS:

    • Rule: HTTP or HTTPS
    • Remote: CIDR
    • CIDR: 0.0.0.0/0 (to allow from any IP) or a narrower CIDR that limits access to known source addresses.
  • Click Add and verify that you see the added rule(s) on the list.

Add SSH Rule:

openstack security group rule create --proto tcp --dst-port 22 --ingress --ethertype IPv4 <security_group_name>

Add HTTP Rule:

openstack security group rule create --proto tcp --dst-port 80 --ingress --ethertype IPv4 <security_group_name>

Add HTTPS Rule:

openstack security group rule create --proto tcp --dst-port 443 --ingress --ethertype IPv4 <security_group_name>

Add Custom Rules

Apart from common cases like rules for SSH, HTTP or HTTPS, you can also create custom security group rules for both inbound and outbound traffic, tailored to your specific needs: for example, opening a specific port for a custom application or restricting access to a certain IP range. To allow incoming TCP traffic on port 8080 only from addresses within the 192.168.1.0/24 range, fill in the following:

  • Rule: Custom TCP Rule
  • Direction: Ingress
  • Open Port: Port
  • Port: 8080
  • Remote: CIDR
  • CIDR: 192.168.1.0/24

Add a custom rule to allow incoming TCP traffic on port 8080 from addresses within the 192.168.1.0/24 range:

openstack security group rule create --proto tcp --dst-port 8080 --ingress --remote-ip 192.168.1.0/24 <security_group_name>

Delete Rules

  • Navigate to Project > Network > Security Groups, select the security group you want to delete a rule for and in the Actions column click Manage Rules.
  • Click Delete Rule next to the rule you want to remove. Confirm the deletion.

Find the rule ID you want to delete by listing rules:

openstack security group rule list <security_group_name>

Delete a rule:

openstack security group rule delete <rule_id>
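The rule listing above can also be reviewed automatically before deciding which rule IDs to delete. The following is an added example, not part of this guide or of the OpenStack client: it audits the JSON form of `openstack security group rule list <security_group_name> -f json` for inbound rules that expose sensitive ports, or every protocol and port, to 0.0.0.0/0 or ::/0. The column names (ID, IP Protocol, Ethertype, IP Range, Port Range, Direction, Remote Security Group) are assumed, and the sample rows are constructed rather than captured from a real deployment.

```python
import ipaddress
import json

# Ports that should normally not be reachable from the whole Internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample of `openstack security group rule list <group> -f json`
# (assumed column names; None means "any" for protocol and remote prefix).
SAMPLE_RULES = json.dumps([
    {"ID": "a1", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "b2", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "443:443", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "c3", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "192.168.1.0/24",
     "Port Range": "8080:8080", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "d4", "IP Protocol": None, "Ethertype": "IPv6", "IP Range": "::/0",
     "Port Range": None, "Direction": "egress", "Remote Security Group": None},
    {"ID": "e5", "IP Protocol": None, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": None, "Direction": "ingress", "Remote Security Group": None},
])

def port_range(spec):
    """Parse '22:22' into (22, 22); an empty or None spec means all ports."""
    if not spec:
        return 1, 65535
    lo, hi = spec.split(":")
    return int(lo), int(hi)

def is_world_open(ip_range):
    """True when the remote prefix is 0.0.0.0/0 or ::/0 (prefix length 0)."""
    if not ip_range:  # no remote prefix, e.g. a remote-security-group rule
        return False
    return ipaddress.ip_network(ip_range, strict=False).prefixlen == 0

def audit_rules(rules_json):
    """Return (rule_id, finding) pairs for ingress rules that expose a
    sensitive port, or every protocol and port, to the whole Internet."""
    findings = []
    for r in json.loads(rules_json):
        if r["Direction"] != "ingress" or not is_world_open(r["IP Range"]):
            continue
        if r["IP Protocol"] is None:  # protocol "any" covers every port
            findings.append((r["ID"], f"all protocols and ports open to {r['IP Range']}"))
            continue
        lo, hi = port_range(r["Port Range"])
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append((r["ID"], f"{name} open to {r['IP Range']}"))
    return findings
```

Calling `audit_rules(SAMPLE_RULES)` flags rules a1 and e5; the returned IDs are the values to pass to `openstack security group rule delete` after you have confirmed they are not needed.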

Delete a Security Group

  • Navigate to Project > Network > Security Groups, select the security group you want to delete and click Delete Security Groups. Confirm the deletion.

List security groups:

openstack security group list

Delete a security group:

openstack security group delete <security_group_id>

By following these instructions, you can effectively manage your security groups and their rules in OpenStack using both the Horizon Dashboard and the OpenStack CLI.