Security groups enable you to manage traffic to and from instances depending on your needs and your architecture.

Every instance, either in the public Cloud or in a Virtual Private Cloud (VPC), is launched behind at least one security group to which you can add or remove rules. For more information, see About Security Group Rules.

General Information

A security group acts as a virtual firewall that filters the inbound and outbound flows of one or more instances. Security groups contain allow rules only: a flow that matches one of the rules is allowed, and any flow that matches none of them is denied. A security group therefore lets instances communicate with one another, or with external services and devices, only to the extent that the rules you specify permit.

When launching an instance, you can specify one or more security groups to associate with it. If you specify none, the default security group of the public Cloud or of the VPC is used.

You cannot disassociate a security group from an instance or associate other security groups with it after the instance is launched. However, you can add or remove rules at any time to change which flows are allowed, and the change applies to every instance associated with the group.

Security groups are allocated to either the public Cloud or to a specified VPC.

Default security groups are provided for the public Cloud and for each of your VPCs. Default security groups are named default and appear in the Security Groups page on Cockpit.


To identify your resources more easily, you can add tags to them. For more information, see Tagging Your Resources.

If you do not want to use the default security group for your instances, you can create your own custom ones. When creating them, you must choose between a security group for use in the public Cloud, or in a specific VPC. You can create several security groups depending on the different roles of your instances and the inbound and outbound flows they need. Each security group must have a unique name.

  • If you do not specify any security group when launching an instance, the corresponding default one is used.
  • If you intend to associate an instance with custom security groups, you need to create them before launching the instance.
    Cockpit lets you create one custom security group when launching an instance. For more information, see Creating / Launching Instances.

You can then add or remove rules for both default and custom security groups according to your architecture and your needs.

3DS OUTSCALE assigns an ID in the sg-xxxxxxxx format to every security group, whether default or custom. Custom security groups belong to you and you can delete them at any time if needed. However, you cannot delete default ones.


Security Groups for the Public Cloud

If your instance is in the public Cloud, you can only use security groups allocated to the public Cloud. When launching an instance in the public Cloud, you must specify a security group that is in the same Region as the instance.

Security groups for use in the public Cloud let you specify rules for inbound flows only, and allow all outbound flows from the instances. As instances in the public Cloud have a public IP address, they can access the Internet.

3DS OUTSCALE provides for your account a default security group for use in the public Cloud. The initial inbound rules of this default security group only allow instances associated with the same security group to communicate with one another, over TCP, UDP and ICMP. In practice this means that any instance in the default security group can reach any other instance in that group on every port, while nothing outside the group can reach them until you add rules.

Custom security groups you create for use in the public Cloud do not contain any initial inbound rules, so an instance launched with only such a group accepts no inbound traffic at all until you add the rules its role requires.

For more information, see About Security Group Rules.

Security Groups for Virtual Private Clouds

If your instance is in a VPC, you can only use security groups allocated to this specific VPC.

Security groups in a VPC act at the instance level and not at the subnet level. They let you specify rules for both inbound and outbound flows.

When creating a VPC, 3DS OUTSCALE creates a default security group for use in this VPC. The initial inbound rules of this default security group only allow instances associated with the same security group to communicate with one another, over TCP, UDP and ICMP.


Default security groups in VPCs are created with outbound rules allowing all outbound flows.

Custom security groups you create for use in a VPC do not contain any initial inbound rules and contain an initial outbound rule that allows all outbound flows.

Initial outbound rules allow all outbound flows, including to the Internet, but a security group rule alone does not provide Internet access: instances in a VPC cannot reach the Internet until an Internet gateway is attached to the VPC and the 0.0.0.0/0 CIDR is routed to that Internet gateway.

For more information, see About Security Group Rules.
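The Python model below is an added example, not 3DS OUTSCALE code, and it does not call the OUTSCALE API. It encodes the behaviour described in the sections above (allow-only rules, a flow allowed when any rule of any associated group matches, groups fixed at launch, default groups allowing their own members over TCP, UDP and ICMP, custom groups starting with no inbound rule, public Cloud groups having inbound rules only while VPC groups also carry an outbound rule) so that the effect of a given set of groups can be checked before launching anything. The rule shape (a peer that is either a CIDR or a security group ID) and every identifier, address and port used (vpc-12345678, the sg- IDs, the 203.0.113.0/24 admin range) are assumptions constructed for the example.

```python
# Added model of the security-group semantics described on this page. It is
# not 3DS OUTSCALE code and calls no OUTSCALE API; the VPC ID, group IDs and
# IP ranges below are constructed for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PUBLIC_CLOUD = "public"  # scope of a group allocated to the public Cloud rather than a VPC

@dataclass(frozen=True)
class Rule:
    flow: str       # "inbound" or "outbound"
    protocol: str   # "tcp", "udp", "icmp" or "all"
    from_port: int  # port range; ICMP carries no port, so its rules use 0-65535
    to_port: int
    peer: str       # a CIDR such as "203.0.113.0/24" or a security group ID "sg-..."

@dataclass
class SecurityGroup:
    sg_id: str
    name: str
    scope: str  # PUBLIC_CLOUD or the ID of the VPC the group is allocated to
    rules: list = field(default_factory=list)

    @property
    def in_vpc(self) -> bool:
        return self.scope != PUBLIC_CLOUD

ALL_OUTBOUND = Rule("outbound", "all", 0, 65535, "0.0.0.0/0")

def default_security_group(sg_id: str, scope: str) -> SecurityGroup:
    """Initial rules of a default group: members may reach each other over
    TCP, UDP and ICMP on any port; in a VPC, every outbound flow is allowed."""
    sg = SecurityGroup(sg_id, "default", scope)
    sg.rules += [Rule("inbound", p, 0, 65535, sg_id) for p in ("tcp", "udp", "icmp")]
    if sg.in_vpc:
        sg.rules.append(ALL_OUTBOUND)
    return sg

def custom_security_group(sg_id: str, name: str, scope: str) -> SecurityGroup:
    """Custom groups start with no inbound rule (all inbound denied) and, in a
    VPC, one outbound rule that allows every outbound flow."""
    sg = SecurityGroup(sg_id, name, scope)
    if sg.in_vpc:
        sg.rules.append(ALL_OUTBOUND)
    return sg

@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: tuple  # chosen at launch and cannot be changed afterwards

def launch_instance(name, ip, groups, default: SecurityGroup) -> Instance:
    """Associate one or more groups at launch; with none given, the default
    group of the scope is used. All groups must belong to that same scope."""
    groups = tuple(groups) or (default,)
    if {g.scope for g in groups} != {default.scope}:
        raise ValueError("security groups must all belong to the same public Cloud or VPC")
    return Instance(name, ip, groups)

def _matches(rule, flow, proto, port, peer_ip, peer_groups) -> bool:
    if rule.flow != flow or rule.protocol not in ("all", proto):
        return False
    if not rule.from_port <= port <= rule.to_port:
        return False
    if rule.peer.startswith("sg-"):  # rule names a group: the peer must be a member of it
        return any(g.sg_id == rule.peer for g in peer_groups)
    return ip_address(peer_ip) in ip_network(rule.peer)

def is_allowed(inst: Instance, flow, proto, port, peer_ip, peer_groups=()) -> bool:
    """A flow passes if any rule of any group associated with the instance
    matches it; groups hold allow rules only, so no match means denied. Public
    Cloud groups carry inbound rules only and every outbound flow is allowed."""
    if flow == "outbound" and inst.groups[0].scope == PUBLIC_CLOUD:
        return True
    return any(_matches(r, flow, proto, port, peer_ip, peer_groups)
               for g in inst.groups for r in g.rules)

def build_example() -> dict:
    """Constructed VPC scenario: a bastion group reachable over SSH from an admin
    range, a web group that accepts SSH from the bastion group only, and a
    database instance launched without a group, so it lands in the default one."""
    vpc = "vpc-12345678"
    default = default_security_group("sg-00000001", vpc)
    bastion = custom_security_group("sg-00000002", "bastion", vpc)
    bastion.rules.append(Rule("inbound", "tcp", 22, 22, "203.0.113.0/24"))
    web = custom_security_group("sg-00000003", "web", vpc)
    web.rules.append(Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"))
    web.rules.append(Rule("inbound", "tcp", 22, 22, bastion.sg_id))
    return {"bastion": launch_instance("bastion", "10.0.0.10", [bastion], default),
            "web1": launch_instance("web1", "10.0.1.10", [web], default),
            "db": launch_instance("db", "10.0.2.10", [], default)}
```

With `hosts = build_example()`, `is_allowed(hosts["web1"], "inbound", "tcp", 22, "198.51.100.7")` is False while the same port checked with the bastion instance's address and groups as peer is True, and the database in the default group refuses port 3306 from the web instance because the default group's only inbound rules name the default group itself. Passing a public Cloud group together with a VPC default group to `launch_instance` raises `ValueError`, mirroring the rule that groups are allocated to one scope.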