Security group

A security group is the firewall that protects your instances.
It controls network access permissions with a set of rules.

The default security group denies all incoming traffic and allows only outgoing traffic from your instance.

The rules of a security group are not fixed and can be modified at any time by deleting rules or adding new ones.
Security groups can be used individually or combined by attaching several of them to the same instance.

Groups

Available security groups

You can list the existing groups in the project with openstack security group list.

$ openstack security group list 
+--------------------------------------+-----------------+------------------------+----------------------------------+------+
| ID                                   | Name            | Description            | Project                          | Tags |
+--------------------------------------+-----------------+------------------------+----------------------------------+------+
| 2d9d1210-78f9-47e4-87a5-68851cc9f5ec | nbgrader        |                        | 88ddbfbb9b7f4fe981ce214be524d401 | []   |
| ea78016d-725c-4e7a-9a80-8f9ab3dd0db2 | default         | Default security group | 88ddbfbb9b7f4fe981ce214be524d401 | []   |
| ee67a987-6e4e-4228-baac-0c5541e62631 | jupyterhub-test |                        | 88ddbfbb9b7f4fe981ce214be524d401 | []   |
+--------------------------------------+-----------------+------------------------+----------------------------------+------+

It is also possible to see in detail the rules defined in a security group by using openstack security group rule list <groupname>.

$ openstack security group rule list my-security-group
+--------------------------------------+-------------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------------------+
| 01e07f78-264d-478c-b100-fed022cc72ed | None        | None      |            | None                  |
| 22d0ff13-360b-4fbb-8a3a-82d3235cfe34 | tcp         | 0.0.0.0/0 | 22:22      | None                  |
| 45d6f8d3-ebca-485b-973f-62586c6859fc | None        | None      |            | None                  |
| ac5211e7-62c3-4e6c-af02-d09a60878f99 | tcp         | 0.0.0.0/0 | 80:80      | None                  |
| fd0fc114-421a-4686-8ae2-2ca44fcdfdfd | tcp         | 0.0.0.0/0 | 443:443    | None                  |
+--------------------------------------+-------------+-----------+------------+-----------------------+

How to create a new group?

The creation of a new group is done using the openstack security group create <groupname> command, indicating the name of the security group.

For example, to create a group called my-security-group:

$ openstack security group create my-security-group

A newly created group has no filtering rules of its own.
You must therefore add rules matching the access your instance needs.

Filtering

How to add a rule?

The openstack security group rule list <groupname> command lists every rule of a group.
You can add a new rule by using openstack security group rule create.

For example, we want to add a rule allowing SSH connections to instances.

In the first case, we only allow a given range of IP addresses:

$ openstack security group rule create my-security-group \
    --remote-ip 152.77.223.66/32 \
    --ingress \
    --dst-port 22 \
    --protocol tcp 

In the second case, we allow access from instances that belong to another security group (called other-security-group):

$ openstack security group rule create my-security-group \
    --protocol tcp \
    --dst-port 22 \
    --remote-group other-security-group

Thanks to the filtering rules, we choose which protocols are authorized and which ports are open and reachable: the exposure of the instances to the outside world is limited.
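The following Python model, added here as an example and not part of the original guide, shows how the two SSH rules above are evaluated: ingress is denied unless some rule matches, rules only ever add permissions, and an instance attached to several groups gets the union of their rules. The Rule class, the ingress_allowed function and the "web" group are assumptions made for the example; the addresses 152.77.223.66/32 and the group name other-security-group come from the guide.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    """One ingress rule; None in a field means 'any' (example model, not the OpenStack API)."""

    protocol: Optional[str]             # "tcp", "udp", "icmp" or None for any protocol
    port_min: Optional[int] = None      # None means every port
    port_max: Optional[int] = None
    remote_ip: Optional[str] = None     # CIDR prefix such as "152.77.223.66/32"
    remote_group: Optional[str] = None  # name of another security group

    def matches(self, protocol: str, port: int, src_ip: str, src_groups: Iterable[str]) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is not None and not (self.port_min <= port <= self.port_max):
            return False
        if self.remote_ip is not None:
            network = ipaddress.ip_network(self.remote_ip, strict=False)
            if ipaddress.ip_address(src_ip) not in network:
                return False
        if self.remote_group is not None and self.remote_group not in set(src_groups):
            return False
        return True


def ingress_allowed(groups: dict[str, list[Rule]], instance_groups: Iterable[str],
                    protocol: str, port: int, src_ip: str,
                    src_groups: Iterable[str] = ()) -> bool:
    """Default deny: the connection is accepted only if a rule of any attached group matches."""
    for name in instance_groups:
        for rule in groups.get(name, []):
            if rule.matches(protocol, port, src_ip, src_groups):
                return True
    return False


# Constructed groups: my-security-group carries the two SSH rules from the guide,
# "web" is an assumed second group opening HTTP and HTTPS to everyone.
GROUPS: dict[str, list[Rule]] = {
    "my-security-group": [
        Rule("tcp", 22, 22, remote_ip="152.77.223.66/32"),
        Rule("tcp", 22, 22, remote_group="other-security-group"),
    ],
    "web": [
        Rule("tcp", 80, 80, remote_ip="0.0.0.0/0"),
        Rule("tcp", 443, 443, remote_ip="0.0.0.0/0"),
    ],
    "other-security-group": [],
}

if __name__ == "__main__":
    # SSH from the allowed /32 is accepted, from any other address it is refused.
    print(ingress_allowed(GROUPS, ["my-security-group"], "tcp", 22, "152.77.223.66"))
    print(ingress_allowed(GROUPS, ["my-security-group"], "tcp", 22, "203.0.113.5"))
    # A member of other-security-group gets in regardless of its address.
    print(ingress_allowed(GROUPS, ["my-security-group"], "tcp", 22, "10.0.0.7",
                          ["other-security-group"]))
    # Attaching "web" as well adds its rules to the instance.
    print(ingress_allowed(GROUPS, ["my-security-group", "web"], "tcp", 80, "198.51.100.9"))
```

Note that the --remote-group rule is matched on the source instance's group membership, not on its address, which is why it keeps working when instances in other-security-group are re-created with new IPs.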

Example filter rule

This part gives some examples of protocols and ports to open in order to authorize different kinds of connections.
The example rules apply to every source IP address, i.e. the prefix 0.0.0.0/0.

Rules for the TCP protocol

SSH access - port 22

To connect to an instance with SSH, the security group must authorize the TCP protocol and port 22 must be open.

$ openstack security group rule create my-security-group \
    --protocol tcp \
    --dst-port 22 \
    --remote-ip 0.0.0.0/0

HTTP access - port 80

HTTP communication requires authorizing the TCP protocol and opening port 80.

$ openstack security group rule create my-security-group \
    --protocol tcp \
    --dst-port 80 \
    --remote-ip 0.0.0.0/0

HTTPS access - port 443

The secure version of HTTP also communicates with the TCP protocol but using port 443.

$ openstack security group rule create my-security-group \
    --protocol tcp \
    --dst-port 443 \
    --remote-ip 0.0.0.0/0

Opening a range of ports

It is also possible to open a range of ports.
For example, NetBIOS uses ports 137-139.

$ openstack security group rule create my-security-group \
    --protocol tcp \
    --dst-port 137:139 \
    --remote-ip 0.0.0.0/0

See the full list of TCP ports for other types of TCP connections.

Rules for ICMP

To authorize ping on instances, you must allow access to ICMP traffic:

$ openstack security group rule create my-security-group \
    --protocol icmp

How to delete a rule?

You can remove a filtering rule by using:

$ openstack security group rule delete RULE_ID
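Before deleting rules it helps to know which ones actually expose the instance to the whole Internet. The script below is an added example, not part of the original guide: it reads the output of openstack security group rule list <groupname> -f json (the -f json option of the OpenStack client prints the same columns as the table), flags ingress rules reachable from any address whose ports are not in the set the instance is meant to publish, and prints the guide's delete command for each. The sample JSON is constructed from the table shown earlier in this guide; the "Direction" key is assumed to be present (recent clients print it) and the sixth rule, limited to a single /32, is constructed for contrast.

```python
from __future__ import annotations

import json
from typing import Optional

# Constructed sample in the shape of `openstack security group rule list -f json`.
SAMPLE_RULES_JSON = json.dumps([
    {"ID": "01e07f78-264d-478c-b100-fed022cc72ed", "IP Protocol": None, "IP Range": None,
     "Port Range": "", "Remote Security Group": None, "Direction": "egress"},
    {"ID": "22d0ff13-360b-4fbb-8a3a-82d3235cfe34", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
     "Port Range": "22:22", "Remote Security Group": None, "Direction": "ingress"},
    {"ID": "45d6f8d3-ebca-485b-973f-62586c6859fc", "IP Protocol": None, "IP Range": None,
     "Port Range": "", "Remote Security Group": None, "Direction": "egress"},
    {"ID": "ac5211e7-62c3-4e6c-af02-d09a60878f99", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
     "Port Range": "80:80", "Remote Security Group": None, "Direction": "ingress"},
    {"ID": "fd0fc114-421a-4686-8ae2-2ca44fcdfdfd", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
     "Port Range": "443:443", "Remote Security Group": None, "Direction": "ingress"},
    # Constructed: the same SSH rule restricted to one address, as in the guide's first example.
    {"ID": "00000000-0000-0000-0000-000000000001", "IP Protocol": "tcp",
     "IP Range": "152.77.223.66/32", "Port Range": "22:22",
     "Remote Security Group": None, "Direction": "ingress"},
])

# Remote prefixes that mean "any source address" (an absent prefix also means any).
WORLD = {None, "", "0.0.0.0/0", "::/0"}


def parse_port_range(text: Optional[str]) -> Optional[tuple[int, int]]:
    """'137:139' -> (137, 139); an empty range means every port (returns None)."""
    if not text:
        return None
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)


def world_open_ingress(rules_json: str, allowed_public_ports: set[int]) -> list[dict]:
    """Return ingress rules open to every address that expose ports outside allowed_public_ports."""
    findings = []
    for rule in json.loads(rules_json):
        # A missing Direction key is treated as ingress so that no rule is silently skipped.
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule.get("Remote Security Group") is not None or rule.get("IP Range") not in WORLD:
            continue  # limited to another group or to a specific prefix: not world-open
        ports = parse_port_range(rule.get("Port Range"))
        if ports is None:
            exposed = "all ports"
        else:
            lo, hi = ports
            if all(p in allowed_public_ports for p in range(lo, hi + 1)):
                continue  # only the ports this instance is meant to publish
            exposed = f"{lo}:{hi}"
        findings.append({"id": rule["ID"], "protocol": rule.get("IP Protocol") or "any",
                         "exposed": exposed})
    return findings


def delete_commands(findings: list[dict]) -> list[str]:
    """The guide's deletion command, one per flagged rule, to review before running."""
    return [f"openstack security group rule delete {f['id']}" for f in findings]


if __name__ == "__main__":
    # For a web server only 80 and 443 are meant to be public; SSH open to 0.0.0.0/0 is flagged.
    for finding in world_open_ingress(SAMPLE_RULES_JSON, {80, 443}):
        print(finding)
    for cmd in delete_commands(world_open_ingress(SAMPLE_RULES_JSON, {80, 443})):
        print(cmd)
```

Replacing the flagged world-open SSH rule with one restricted to --remote-ip <your prefix> or --remote-group <bastion group>, as shown in the "How to add a rule?" section, keeps administrative access working while removing the exposure.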