Setting up a security group for your resource

You can configure security groups to define the inbound and outbound traffic that is allowed for your resource. For example, after you configure ACL rules for the subnet based on your company's security policies, you can further restrict traffic for specific instances depending on their workloads.

Setting up the security groups for your resource in the UI

To configure your security group by using the UI, follow these steps:

  1. From your browser, open the IBM Cloud console.

  2. Select the Navigation Menu icon, then click VPC Infrastructure.

  3. Click Security groups.

  4. Click Create + on the security groups list table.

  5. In the Location section, provide the following information:

    • Geography - Indicate the general area where you want the security group created.
    • Region - Indicate the region where you want the security group created.
  6. In the Details section, provide the following information:

    • Name - Enter a unique identifier for the security group, such as my-security-group.
    • Resource group - Select a resource group for the security group.

    After provisioning is complete, you cannot change the resource group.

    • Tags - Add user tags. User tags are visible account-wide, so avoid including sensitive data in the tag name. For more information, see Working with tags.

    • Optional: Access management tags - Add access management tags to help organize access control relationships. For more information, see Controlling access to resources by using tags.
    • Optional: Virtual private cloud - Select your VPC.
  7. Under Rules, click Create to configure inbound and outbound rules that define what type of traffic is allowed to and from the instance. For each rule, specify the following information:

    • Select the protocols and ports to which the rule applies.
    • Specify a CIDR block or IP address for the permitted traffic. Alternatively, you can specify a security group in the same VPC to allow traffic to or from all instances that are attached to the selected security group. If you specify neither, the rule applies to any address (0.0.0.0/0), so restrict management ports such as SSH (TCP 22) and RDP (TCP 3389) to known source ranges.

    Tips:

    • Security group rules only allow traffic; there are no deny rules, and traffic that matches no rule is dropped.
    • All rules are evaluated, regardless of the order in which they're added; traffic is allowed if any rule matches it.
    • Rules are stateful, which means that return traffic in response to allowed traffic is automatically permitted. For example, if you create a rule that allows inbound TCP traffic on port 80, the replies from port 80 back to the originating host are allowed without the need for an outbound rule.
    • For Windows images, make sure that the security group that is associated with the instance allows inbound and outbound Remote Desktop Protocol traffic (TCP port 3389).
  8. Optional: Attach interfaces, bare metal interfaces, load balancers, virtual private endpoint gateways, and VPN servers in the remaining sections if these targets are available to attach.

Setting up the security groups for your resource from the CLI

In this example, you create a virtual server instance with a security group that is enabled by using the command-line interface (CLI). Figure 1 shows what this scenario looks like.

Figure 1. Instance with security group enabled

Notice in Figure 1 that the instance named SG4 has the floating IP 169.60.208.144 assigned to it, in addition to its internal VPC address 10.10.10.5; therefore, SG4 can reach, and be reached from, the public internet, subject to the rules of its security group, which is named demosg.

The instance SG8 is internal-only to the VPC, with a private IP address. The security group assigned to instance SG8 is named my_vpc_sg. Both instances exist within the VPC named sgvpc and on the same subnet, 10.10.10.0/24, so they can communicate with each other as long as their security groups (and the subnet's ACL) allow the traffic.

Creating a resource with a security group attached

The security group rules for my_vpc_sg allow inbound SSH, inbound ICMP echo requests (ping), and all outbound TCP.

You must create the security group first, with the ibmcloud is security-group-create command (alias sgc), and then create the resource that uses it.

You must enter ibmcloud plugin install vpc-infrastructure to get access to ibmcloud is. For detailed information about creating a VPC and subnet, see Creating VPC resources with the CLI.

You can copy and paste commands from this example CLI code to begin creating an instance with an attached security group. System responses are not shown completely in this sample code. You must update your commands with the correct resource IDs for your VPC, subnet, image, key, and the correct security group ID number.

  1. Create a security group called my_vpc_sg:

    ibmcloud is security-group-create my_vpc_sg $vpc
    

    Save the ID in a variable so you can use it later; for example, in a variable named sg:

    sg=0738-2d364f0a-a870-42c3-a554-000000632953
    
  2. Add rules to allow inbound SSH, inbound ping, and all outbound TCP. Without the --remote option, each rule applies to any address (0.0.0.0/0); to accept SSH only from known sources, pass --remote with a CIDR block, an IP address, or a security group in the same VPC:

    ibmcloud is security-group-rule-add $sg inbound tcp --port-min 22 --port-max 22
    ibmcloud is security-group-rule-add $sg inbound icmp --icmp-type 8 --icmp-code 0
    ibmcloud is security-group-rule-add $sg outbound tcp
    
  3. Finally, create an instance with the security group:

    ibmcloud is instance-create test-instance $vpc us-south-2 b-4x16 $subnet 1000 \
    --image $image --keys $key --sgs $sg
    

Command list cheat sheet

For a complete list of the available VPC CLI commands for security groups, enter:

ibmcloud is help | grep sg

To see your security group and its metadata, including rules, you can enter (for the previous example):

ibmcloud is sg $sg

Here is an example of adding a rule, in this case an inbound rule that allows ICMP echo requests (ping):

ibmcloud is security-group-rule-add $sg inbound icmp --icmp-type 8 --icmp-code 0

For more information about setting up security groups by using the CLI, see Setting up your API and CLI environment.

Setting up the security groups for your resource with the API

The following example demonstrates how to create and manage security groups by using the IBM Cloud VPC APIs.

To use security groups, first you must have a running IBM Cloud VPC.

For instructions about creating a VPC and subnet, see Creating a VPC.

Step 1: Create a security group

Create a security group named my-security-group in your IBM Cloud VPC.

curl -X POST "$vpc_api_endpoint/v1/security_groups?version=$api_version&generation=2" \
  -H "Authorization: $iam_token" \
  -d '{
        "name": "my-security-group",
        "vpc": { "id": "'$vpc'" }
      }'

Save the ID in a variable so you can use it later; for example, the variable sg:

sg=0738-2d364f0a-a870-42c3-a554-000000632953

Step 2: Add a rule to allow SSH connections

Create a rule on the security group to allow inbound TCP connections on port 22. The request body omits remote, so the API stores 0.0.0.0/0 and the rule accepts SSH from any IPv4 address; add a remote object ({"cidr_block": ...}, {"address": ...}, or a reference to a security group in the same VPC) to restrict it to known sources.

curl -X POST "$vpc_api_endpoint/v1/security_groups/$sg/rules?version=$api_version&generation=2" \
  -H "Authorization: $iam_token" \
  -d '{
        "direction": "inbound",
        "protocol": "tcp",
        "port_min": 22,
        "port_max": 22
      }'
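The following Python is an added example, not code from the IBM Cloud documentation, CLI or API. It models the rule semantics that the tips earlier on this page describe (allow-only, any matching rule admits the traffic regardless of order, an omitted remote means 0.0.0.0/0) over a rule list written in the field names the VPC API returns for a security group (the same fields the CLI rule-add commands and the POST above set; the CLI prints them with --output JSON). It reuses the my_vpc_sg ID from the CLI example; the hardened variant's bastion range 192.0.2.0/24, the demosg rule and its ID are constructed placeholders, and the evaluator is a local model of the documented behaviour, not the service's data plane.

```python
"""Offline model of how IBM Cloud VPC security group rules admit traffic.
Rule dicts use the field names the VPC API returns (also what the CLI
prints with --output JSON). All data below is constructed sample data."""
import ipaddress

ANY_IPV4 = "0.0.0.0/0"
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Mirrors the group built by the CLI/API steps on this page. The create
# requests omit "remote", so the API records 0.0.0.0/0 on every rule.
MY_VPC_SG = {
    "id": "0738-2d364f0a-a870-42c3-a554-000000632953",
    "name": "my_vpc_sg",
    "rules": [
        {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
         "remote": {"cidr_block": ANY_IPV4}},
        {"direction": "inbound", "protocol": "icmp", "type": 8, "code": 0,
         "remote": {"cidr_block": ANY_IPV4}},
        {"direction": "outbound", "protocol": "tcp", "port_min": 1, "port_max": 65535,
         "remote": {"cidr_block": ANY_IPV4}},
    ],
}
# Same group with SSH limited to an assumed bastion range (constructed).
HARDENED_SG = dict(MY_VPC_SG, rules=[
    dict(MY_VPC_SG["rules"][0], remote={"cidr_block": "192.0.2.0/24"}),
    *MY_VPC_SG["rules"][1:]])
# A second group whose remote is my_vpc_sg itself (the "security group in
# the same VPC" option in the UI). The ID is a constructed placeholder.
DEMOSG = {
    "id": "0738-00000000-0000-4000-8000-000000000002",
    "name": "demosg",
    "rules": [{"direction": "inbound", "protocol": "all",
               "remote": {"id": MY_VPC_SG["id"], "name": "my_vpc_sg"}}],
}


def remote_matches(remote, peer_ip, peer_groups=()):
    """A rule's remote is exactly one of: a CIDR block, a single address, or
    a security group reference (matches any interface attached to it)."""
    if "cidr_block" in remote:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(
            remote["cidr_block"], strict=False)
    if "address" in remote:
        return ipaddress.ip_address(peer_ip) == ipaddress.ip_address(remote["address"])
    return remote.get("id") in peer_groups


def rule_matches(rule, flow):
    """flow: direction, protocol, peer_ip, plus port (tcp/udp) or
    icmp_type/icmp_code (icmp), and optionally the peer's security group IDs."""
    if rule["direction"] != flow["direction"]:
        return False
    if not remote_matches(rule["remote"], flow["peer_ip"], flow.get("peer_groups", ())):
        return False
    proto = rule["protocol"]
    if proto == "all":
        return True
    if proto != flow["protocol"]:
        return False
    if proto in ("tcp", "udp"):
        return rule.get("port_min", 1) <= flow["port"] <= rule.get("port_max", 65535)
    # icmp: a rule without type (or code) matches every type (or code)
    if "type" in rule and rule["type"] != flow["icmp_type"]:
        return False
    return "code" not in rule or rule["code"] == flow["icmp_code"]


def permits(group, flow):
    """Security groups are allow-only: a flow passes if any rule matches, so
    order is irrelevant and unmatched traffic is dropped. Replies to allowed
    flows are admitted by connection tracking and need no rule here."""
    return any(rule_matches(rule, flow) for rule in group["rules"])


def audit(group):
    """Flag inbound rules that expose SSH or RDP to every IPv4 address."""
    findings = []
    for rule in group["rules"]:
        if rule["direction"] != "inbound" or rule["remote"].get("cidr_block") != ANY_IPV4:
            continue
        for port, name in MANAGEMENT_PORTS.items():
            wide_open = rule["protocol"] == "all" or (
                rule["protocol"] == "tcp"
                and rule.get("port_min", 1) <= port <= rule.get("port_max", 65535))
            if wide_open:
                findings.append(f"{group['name']}: inbound {name} (tcp/{port}) open to {ANY_IPV4}")
    return findings


def referencing_groups(group_id, groups):
    """Other groups with a rule whose remote is this group. DELETE on the
    group is refused while any exist, or while it is attached to an interface."""
    return sorted(g["name"] for g in groups if g["id"] != group_id
                  and any(r["remote"].get("id") == group_id for r in g["rules"]))


if __name__ == "__main__":
    ssh = {"direction": "inbound", "protocol": "tcp", "port": 22, "peer_ip": "203.0.113.10"}
    print("my_vpc_sg admits SSH from the internet:", permits(MY_VPC_SG, ssh))
    print("hardened group admits it:", permits(HARDENED_SG, ssh))
    for finding in audit(MY_VPC_SG):
        print("FINDING:", finding)
    print("groups blocking delete of my_vpc_sg:",
          referencing_groups(MY_VPC_SG["id"], [MY_VPC_SG, DEMOSG]))
```

Feed the `rules` array from `ibmcloud is sg $sg --output JSON` or from the GET security group response to `audit` to find management ports open to 0.0.0.0/0 before attaching the group to an instance; `referencing_groups` is the check to run before the DELETE in Step 3.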

Step 3: Delete the security group (optional)

Before you delete the security group, detach it from every network interface and remove any rule in another security group that references it; otherwise the DELETE request is refused.

curl -X DELETE "$vpc_api_endpoint/v1/security_groups/$sg?version=$api_version&generation=2" \
  -H "Authorization: $iam_token"

For more information about setting up your security group with the API, see Security groups.