Cloud Firewall & Security Groups

    Virtual firewalls to control network access at the instance level

    Overview

    Security groups act as virtual firewalls for your cloud instances, controlling inbound and outbound network traffic at the instance level. They provide network-level security by filtering traffic based on rules you define.

    Unlike a firewall running on the instance itself (iptables, ufw), security groups are enforced by the cloud infrastructure on the compute host, outside the guest. They filter traffic before it ever reaches your server, and a process inside a compromised instance cannot switch them off.

    How Security Groups Work

    Security groups in OpenStack work differently from traditional firewalls. A group consists of ingress (inbound) and egress (outbound) rules that permit traffic; there are no deny rules, and any packet that no rule permits is dropped.

    Default Behavior

    • All egress (outbound) traffic is allowed
    • All ingress (inbound) traffic is denied
    • Rules are "allow" only (not "deny")

    Stateful Firewall

    • Return traffic is automatically allowed
    • No need to create egress rules for responses
    • Tracks connection state

    Important

    Every project comes with a security group named "default", and it is attached to new instances automatically. Its rules are broader than the defaults above: it allows all outbound traffic and accepts inbound traffic at least from other instances in the same group, and on some deployments it accepts all inbound traffic. Check its rules before relying on it. If you want to restrict access, create a new security group with custom rules and apply that to your instance instead.

    Creating a Security Group

    Step 1: Access Network Settings

    1. Log into the Cloud Control Panel
    2. Navigate to Network → Security Groups

    Step 2: Create New Group

    1. Click Create Security Group
    2. Give your security group a descriptive name (e.g., "web-servers" or "database-tier")
    3. Add a description explaining the purpose
    4. Click Create

    Your new security group exists but has no ingress rules yet, so nothing can reach an instance through it until you add some. The rules you add decide exactly which traffic is let in.

    Adding Firewall Rules

    Step 3: Configure Rules

    After creating a security group, add rules to allow specific traffic:

    1. Click on your security group name
    2. Click Add Rule
    3. Configure the rule parameters
    4. Click Add to save the rule

    Rule Parameters

    Rule

    Select a preset (SSH, HTTP, HTTPS, etc.) or choose Custom for specific configurations

    Direction

    Ingress (inbound to instance) or Egress (outbound from instance)

    Protocol

    TCP, UDP, ICMP, or Any protocol

    Port Range

    Single port (e.g., 22) or range (e.g., 8000-9000)

    Remote

    CIDR block (e.g., 0.0.0.0/0 for all, or 192.168.1.1/32 for specific IP)

    Common Security Group Rules

    SSH Access

    Direction: Ingress
    Protocol: TCP
    Port: 22
    Remote: your own address as a /32 (e.g., 203.0.113.10/32) or your VPN range. 0.0.0.0/0 opens SSH to the whole internet; see the Security Warning further down.

    Web Server (HTTP/HTTPS)

    Direction: Ingress
    Protocol: TCP
    Ports: 80 (HTTP) and 443 (HTTPS), as two separate rules, since a rule covers one contiguous port range
    Remote: 0.0.0.0/0 (all IPs)

    Ping (ICMP)

    Direction: Ingress
    Protocol: ICMP
    Type: -1 (all ICMP types). If you only need the instance to answer ping, type 8 (echo request) is enough; replies to pings the instance sends itself are covered by connection tracking.
    Remote: 0.0.0.0/0

    Applying Security Groups to Instances

    Step 4: Apply to Instance

    1. Go to the Instances tab
    2. Click on your instance
    3. Go to the Security Groups tab
    4. Click Edit Security Groups
    5. Add or remove security groups as needed
    6. Click Save

    Changes take effect immediately. You can apply multiple security groups to a single instance, and the rules from all attached groups are combined into one allow list: a packet is accepted if any rule in any attached group permits it. Because rules are allow-only, attaching an extra group can only widen access, never narrow it.
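The evaluation described under How Security Groups Work (allow-only rules, default-deny ingress, stateful return traffic) and the way rules from several attached groups combine, as an added runnable model. This is illustration code written for this page, not code from the control panel or from OpenStack. Rules use the Neutron API field names (direction, protocol, port_range_min, port_range_max, remote_ip_prefix, remote_group_id); the groups, instance addresses and packets are constructed for the example. The database-tier group uses OpenStack's option of naming another security group as the Remote instead of a CIDR, which is not shown in the parameter table above.

```python
"""Model of how OpenStack security groups decide whether a packet is accepted.

Added illustration for this page, not code from the control panel or from OpenStack.
Rules use the Neutron API field names; the groups, instances and addresses below
are constructed for the example.
"""
import ipaddress


def rule(direction, protocol=None, port_min=None, port_max=None,
         remote_ip_prefix=None, remote_group_id=None):
    """One allow rule. protocol None = any protocol; ports None = any port;
    both remote fields None = any source (same effect as 0.0.0.0/0)."""
    return {"direction": direction, "protocol": protocol,
            "port_range_min": port_min, "port_range_max": port_max,
            "remote_ip_prefix": remote_ip_prefix, "remote_group_id": remote_group_id}


# Constructed groups modelled on the page's examples (IPv4 only; IPv6 needs its own ::/0 rules).
GROUPS = {
    "default": [rule("egress", remote_ip_prefix="0.0.0.0/0")],           # all egress, no ingress
    "ssh-admin": [rule("ingress", "tcp", 22, 22, remote_ip_prefix="203.0.113.10/32")],
    "web-servers": [rule("ingress", "tcp", 80, 80, remote_ip_prefix="0.0.0.0/0"),
                    rule("ingress", "tcp", 443, 443, remote_ip_prefix="0.0.0.0/0")],
    # Remote is another security group, not a CIDR: only members of web-servers may connect.
    "database-tier": [rule("ingress", "tcp", 5432, 5432, remote_group_id="web-servers")],
}

# Constructed instances: attached groups and the instance's fixed address.
INSTANCES = {
    "web1": {"groups": ["default", "ssh-admin", "web-servers"], "ip": "10.0.0.11"},
    "db1": {"groups": ["default", "database-tier"], "ip": "10.0.0.21"},
}


def groups_of(ip):
    """Security groups attached to the instance that owns `ip` (for remote_group_id matching)."""
    return {g for inst in INSTANCES.values() if inst["ip"] == ip for g in inst["groups"]}


def rule_matches(r, direction, proto, port, remote_ip):
    """True if allow rule `r` covers this packet; `port` is the destination port."""
    if r["direction"] != direction:
        return False
    if r["protocol"] is not None and r["protocol"] != proto:
        return False
    if r["port_range_min"] is not None and not r["port_range_min"] <= port <= r["port_range_max"]:
        return False
    if r["remote_ip_prefix"] is not None and \
            ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(r["remote_ip_prefix"]):
        return False
    if r["remote_group_id"] is not None and r["remote_group_id"] not in groups_of(remote_ip):
        return False
    return True


class Instance:
    def __init__(self, name):
        self.name = name
        self.conntrack = set()  # flows this instance opened: (proto, local_port, remote_ip, remote_port)

    def rules(self):
        # Union of every attached group: one matching allow rule anywhere is enough.
        return [r for g in INSTANCES[self.name]["groups"] for r in GROUPS[g]]

    def egress(self, proto, src_port, dst_ip, dst_port):
        allowed = any(rule_matches(r, "egress", proto, dst_port, dst_ip) for r in self.rules())
        if allowed:
            self.conntrack.add((proto, src_port, dst_ip, dst_port))  # remembered so replies get in
        return allowed

    def ingress(self, proto, src_ip, src_port, dst_port):
        # Stateful: a reply to a flow this instance opened needs no ingress rule.
        if (proto, dst_port, src_ip, src_port) in self.conntrack:
            return True
        # Default deny: there are no deny rules, so anything unmatched is dropped.
        return any(rule_matches(r, "ingress", proto, dst_port, src_ip) for r in self.rules())


def demo():
    """Evaluate a handful of constructed packets; returns {description: allowed?}."""
    web1, db1 = Instance("web1"), Instance("db1")
    results = {
        "https from internet to web1": web1.ingress("tcp", "198.51.100.7", 40000, 443),
        "ssh from office to web1": web1.ingress("tcp", "203.0.113.10", 50000, 22),
        "ssh from internet to web1": web1.ingress("tcp", "198.51.100.7", 50000, 22),
        "postgres from web1 to db1": db1.ingress("tcp", "10.0.0.11", 51000, 5432),
        "postgres from internet to db1": db1.ingress("tcp", "198.51.100.7", 51000, 5432),
        "outbound https from db1": db1.egress("tcp", 40001, "198.51.100.50", 443),
    }
    # The reply to that outbound connection is accepted although db1 has no ingress rule for
    # it; an unsolicited packet from the same host to another port is not.
    results["reply to db1's outbound https"] = db1.ingress("tcp", "198.51.100.50", 443, 40001)
    results["unsolicited from same host"] = db1.ingress("tcp", "198.51.100.50", 443, 40002)
    return results


if __name__ == "__main__":
    for desc, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DROP':5} {desc}")
```

The model deliberately has no deny path: removing the ssh-admin group from web1 is the only way to take SSH away, and adding any group to db1 can only let more traffic in. That is the property to keep in mind when someone proposes "just attach one more group" to an instance.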

    Security Best Practices

    Restrict SSH Access

    Limit SSH (port 22) to your specific IP address or VPN range instead of 0.0.0.0/0. Internet-wide scanners and brute-force bots then never complete a TCP handshake with your instance, so credential-guessing attempts never reach sshd at all.

    # Example: Only allow SSH from your office IP
    Remote: 203.0.113.10/32

    Use Multiple Security Groups

    Create separate groups for different services (web, database, monitoring) to organize and manage rules more effectively.

    Principle of Least Privilege

    Only open ports that are absolutely necessary. Close unused services and remove rules that are no longer needed.

    Regular Audits

    Periodically review your security group rules to ensure they're still relevant and appropriately configured.

    Document Your Rules

    Use descriptive names and descriptions for security groups. This helps team members understand the purpose of each rule.

    Security Warning

    Allowing SSH access from 0.0.0.0/0 (anywhere) exposes your instance to continuous brute force attempts. Use SSH keys rather than passwords (and disable password authentication in sshd), and strongly consider restricting access to specific IP addresses or VPN networks.
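A way to do the Regular Audits above, and to catch the SSH-from-anywhere case in this warning, without clicking through every group: run a check over the rules and flag the ones that are too open. This is an added example written for this page, not a tool shipped with the control panel or with OpenStack. The rules are dicts in the Neutron API representation (the fields `openstack security group rule show -f json` prints: direction, protocol, port_range_min, port_range_max, remote_ip_prefix, remote_group_id; check the field names against your own client's output). The sensitive-port list, thresholds and sample rules are the example's own choices and are constructed, not taken from any deployment.

```python
"""Flag over-permissive security group rules.

Added example for this page, not a tool shipped with the control panel or OpenStack.
Rules are dicts in the Neutron API representation; the port list, thresholds and
sample rules below are constructed for the example.
"""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}
# Services that should essentially never be reachable from the whole internet (example list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
                   6379: "redis", 27017: "mongodb"}
WIDE_RANGE = 100       # port ranges at least this wide are flagged (example threshold)
WIDE_PREFIX_V4 = 16    # IPv4 source prefixes shorter than this are flagged (example threshold)


def port_span(r):
    """(low, high) destination ports the rule covers; no ports set means every port."""
    if r.get("port_range_min") is None:
        return 0, 65535
    return r["port_range_min"], r["port_range_max"]


def audit(rules):
    """Return (rule id, severity, message) for each ingress rule that looks too open."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress":
            continue            # egress is allowed by default; not this audit's concern
        if r.get("remote_group_id"):
            continue            # source limited to members of another group, not a CIDR
        prefix = r.get("remote_ip_prefix")
        # Neither remote field set means "any source", exactly like 0.0.0.0/0.
        from_world = prefix is None or prefix in WORLD
        if not from_world:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 4 and net.prefixlen < WIDE_PREFIX_V4:
                findings.append((r["id"], "low", f"source {prefix} is a very wide prefix"))
            continue
        proto = r.get("protocol")
        if proto is None:
            findings.append((r["id"], "high", "any protocol and any port open to the internet"))
        elif proto in ("tcp", "udp"):
            lo, hi = port_span(r)
            exposed = [SENSITIVE_PORTS[p] for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]
            if exposed:
                findings.append((r["id"], "high", f"{', '.join(exposed)} open to the internet"))
            elif hi - lo + 1 >= WIDE_RANGE:
                findings.append((r["id"], "medium", f"ports {lo}-{hi} open to the internet"))
        # ICMP and other protocols open to the world are not flagged by this check.
    return findings


# Constructed sample, shaped like a real listing but not taken from any deployment.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r2", "direction": "ingress", "protocol": "tcp", "port_range_min": 443,
     "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r3", "direction": "ingress", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r4", "direction": "ingress", "protocol": "tcp", "port_range_min": 5432,
     "port_range_max": 5432, "remote_ip_prefix": None, "remote_group_id": "sg-web"},
    {"id": "r5", "direction": "ingress", "protocol": "tcp", "port_range_min": 8000,
     "port_range_max": 9000, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r6", "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "203.0.113.10/32", "remote_group_id": None},
    {"id": "r7", "direction": "ingress", "protocol": "tcp", "port_range_min": 3306,
     "port_range_max": 3306, "remote_ip_prefix": "10.0.0.0/8", "remote_group_id": None},
    {"id": "r8", "direction": "egress", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r9", "direction": "ingress", "protocol": "icmp", "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
]

if __name__ == "__main__":
    for rule_id, severity, message in audit(SAMPLE_RULES):
        print(f"{severity:6} {rule_id}: {message}")
```

Rules whose Remote is another security group are skipped on purpose: their reach is bounded by group membership, not by the internet, and a separate review of which instances carry that group is the right check for them. Thresholds such as the /16 cut-off are starting points to tune for your own address plan.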

    Pro Tip

    Security groups work alongside instance-level firewalls (like iptables or ufw); the two are independent and traffic must pass both. For maximum security, configure both: use security groups for broad network filtering that an attacker inside the guest cannot alter, and instance firewalls for fine-grained control such as per-process or rate-limiting rules.