IBM Cloud Docs
Attaching security groups to a virtual network interface

Security groups give you a convenient way to apply rules that establish filtering to a target of a virtual server instance, based on its IP address. Virtual network interfaces (VNIs) can be a target for a security group.

You can add security groups to a VNI with the console, CLI, API, or Terraform.

Attaching a security group to a virtual network interface in the console

To add a security group to an existing virtual network interface, follow these steps.

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation menu, then click Infrastructure > Network > Virtual network interfaces.
  3. In the Virtual network interfaces for VPC table, click the name of the virtual network interface that you want to add a security group to.
  4. Click the Attached resources tab.
  5. In the Security groups section, click Attach.
  6. In the Attach security group panel that appears, select a security group from the list.
  7. Click Attach to attach the security group to your virtual network interface, or click Cancel.

Attaching a security group to a virtual network interface from the CLI

Before you begin, set up your CLI environment.

Then run the following command:

ibmcloud is security-group-target-add GROUP TARGET [--vpc VPC] [(--trt load_balancer | endpoint_gateway | vpn_server | virtual_network_interface) | --in INSTANCE | --bm BARE_METAL_SERVER] [--output JSON] [-q, --quiet]

Where:

GROUP
ID or name of the security group.
TARGET
ID or name of the bound target resource for the security group. The following target resource types are supported: network_interface, load_balancer, endpoint_gateway, vpn_server, virtual_network_interface.
--trt value
The bound target resource type. This option is required only if you use the target name instead of the ID. One of: load_balancer, endpoint_gateway, vpn_server, virtual_network_interface.

Command example

ibmcloud is security-group-target-add my-sg my-vni --trt virtual_network_interface

Attaching a security group to a virtual network interface from the API

  1. Set up your API environment with the right variables.

  2. Store any additional variables to be used in the API commands; for example:

    • version (string): The API version, in format YYYY-MM-DD.
    • security_group_id (string): The security group identifier.
    • virtual_network_interface_id (string): The virtual network interface identifier.
  3. When all variables are initialized, add the virtual network interface as a target of the security group:

    curl -X PUT \
    "$vpc_api_endpoint/v1/security_groups/$security_group_id/targets/$virtual_network_interface_id?version=$version&generation=2" \
    -H "Authorization: Bearer $iam_token"
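
As an added example (not part of IBM's documentation), the following shell functions wrap the PUT request from step 3 with input checks, so that a malformed identifier cannot alter the request path and the bearer token is sent only over HTTPS. The function names, the allowed ID character set, and the HTTPS-only check are assumptions of this example; the variable names are the ones from steps 1 and 2.

```shell
#!/bin/sh
# Added example: validate inputs, then attach a VNI to a security group.
# The ID character set and the https-only rule are assumptions of this
# example, not documented API constraints.

# Succeeds only for a YYYY-MM-DD shaped string.
valid_version() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds only for a non-empty string of letters, digits, '-' and '_',
# so an identifier cannot add path segments or query parameters to the URL.
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints the request URL, or returns non-zero if any input is rejected.
build_target_url() {
  endpoint=$1; sg_id=$2; vni_id=$3; ver=$4
  case "$endpoint" in
    https://?*) ;;
    *) echo "vpc_api_endpoint must use https" >&2; return 1 ;;
  esac
  valid_id "$sg_id" || { echo "bad security_group_id" >&2; return 1; }
  valid_id "$vni_id" || { echo "bad virtual_network_interface_id" >&2; return 1; }
  valid_version "$ver" || { echo "version must be YYYY-MM-DD" >&2; return 1; }
  printf '%s/v1/security_groups/%s/targets/%s?version=%s&generation=2\n' \
    "$endpoint" "$sg_id" "$vni_id" "$ver"
}

# Sends the PUT from step 3. The Authorization header is fed to curl as a
# config line on stdin, so the token does not appear in the process list.
attach_vni() {
  [ -n "$iam_token" ] || { echo "iam_token is not set" >&2; return 1; }
  url=$(build_target_url "$vpc_api_endpoint" "$security_group_id" \
        "$virtual_network_interface_id" "$version") || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$iam_token" |
    curl --fail --silent --show-error -X PUT --config - "$url"
}
```

After the variables are set, run `attach_vni`; it exits non-zero without contacting the API if any check fails.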
    

Attaching a security group to a virtual network interface with Terraform

The following example adds a security group to a virtual network interface by using Terraform:

resource "ibm_is_security_group_target" "example" {
  security_group = ibm_is_security_group.example.id
  target         = ibm_is_virtual_network_interface.my_vni.id
}