Security Group Rule Management

Security Group Rules define which traffic is allowed to instances assigned to the security group. A security group rule consists of three main parts:

  • Rule: You can specify the desired rule template or use custom rules; the options are Custom TCP Rule, Custom UDP Rule, or Custom ICMP Rule.

  • Open Port/Port Range: For TCP and UDP rules you may choose to open either a single port or a range of ports. Selecting the "Port Range" option will provide you with space to provide both the starting and ending ports for the range. For ICMP rules you instead specify an ICMP type and code in the spaces provided.

  • Remote: You must specify the source of the traffic to be allowed via this rule.

    • You may do so either in the form of an

      • IP address block (CIDR)

      • or via a source group (Security Group). Selecting a security group as the source allows any instance in that source security group to reach any instance in this security group via this rule.

Add rule

Web Interface

  1. In the Web Interface (https://openstack.stfc.ac.uk/auth/login/?next=/) go to Network -> Security Groups and select the security group you wish to edit.

  2. Click MANAGE RULES

  3. Click ADD RULE 

  4. Input the following:

    • Rule: TCP, UDP or ICMP

    • Direction

      • Ingress

      • Egress 

    • Open Port:

      • Port

      • Port Range

    • Port

      • the port number

      • You will see From port and To port fields if you selected PORT RANGE

    • Remote (Source IP)

      • CIDR

        • Input the IP range

      • SECURITY GROUP

        • Select the security group

  5. Click ADD

Command-Line

Check existing security groups

$ openstack security group list
+--------------------------------------+-------------------------+-------------+----------------------------------+------+
| ID                                   | Name                    | Description | Project                          | Tags |
+--------------------------------------+-------------------------+-------------+----------------------------------+------+
| c7e90937-af11-484c-8a21-90bea10e1407 | 1-group-rule-management |             | 80ab2bd11e5f46bf96bf47658d07499d | []   |
+--------------------------------------+-------------------------+-------------+----------------------------------+------+



Check existing rules in a security group

$ openstack security group rule list 1-group-rule-management
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 33cd09ee-0e9b-4ce3-b028-7e24f9604431 | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
| 7969c6ae-dec0-4071-935e-6a81e7d8ec5c | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

Create security group rule

The command takes the following arguments:

Argument                  Description                                                  Example
<security-group-name>     Name of the security group                                   1-group-rule-management
<rule>                    The protocol: TCP, UDP or ICMP                               tcp
<port-range>              The range of ports to apply the rule to: from_port:to_port   89:90
<ip-range>                The source IP range for the rule                             0.0.0.0/0
<source-security-group>   Name of the source security group                            1-group-rule-management
[--ingress | --egress]    Ingress rule or egress rule (default is --ingress)           --ingress

  • based on traffic source IP

    openstack security group rule create <security-group-name> --protocol <rule> --dst-port <port-range> --remote-ip <ip-range> [--ingress | --egress]

    # example
    $ openstack security group rule create 1-group-rule-management --protocol tcp --dst-port 89:90 --remote-ip 0.0.0.0/0
    $ openstack security group rule list 1-group-rule-management
    +--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
    | ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
    +--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
    | 33cd09ee-0e9b-4ce3-b028-7e24f9604431 | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
    | 7969c6ae-dec0-4071-935e-6a81e7d8ec5c | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
    | 7f4e2c68-a369-4be8-8491-561cccffc90c | tcp         | IPv4      | 0.0.0.0/0 | 89:90      | ingress   | None                  | None                 |
    +--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+



  • based on source security group

    openstack security group rule create <security-group-name> --protocol <rule> --dst-port <port-range> --remote-group <source-security-group> [--ingress | --egress]
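The rule structure described above (a protocol, a port or port range, and a remote given either as a CIDR block or as a source security group) and the listing printed after the create command, as an added Python example that is not part of this documentation or of the OpenStack client: a pre-flight check that a rule is well-formed before it is created, a builder for the matching openstack security group rule create command line, and an audit of a rule listing that reports ingress rules open to every address. It assumes that the keys returned by openstack security group rule list -f json match the table headers shown above; the sample listing in the block is constructed to mirror the three rows of that output.

```python
"""Pre-flight check for a security group rule, the matching CLI argv, and an
audit of an existing rule listing for world-reachable ingress.

Added example, not the cloud documentation's own tooling. Assumes the keys of
`openstack security group rule list -f json` match the table headers on this
page (ID, IP Protocol, IP Range, Port Range, Direction, Remote Security Group).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = ("tcp", "udp", "icmp")
ANY_SOURCE = ("0.0.0.0/0", "::/0")


@dataclass
class Rule:
    group: str                          # security group the rule is added to
    protocol: str                       # tcp, udp or icmp
    direction: str = "ingress"          # default matches the CLI's default
    port_range: Optional[str] = None    # "port" or "from:to" for tcp/udp only
    remote_ip: Optional[str] = None     # source CIDR block ...
    remote_group: Optional[str] = None  # ... or source security group name


def validate(rule: Rule) -> list:
    """Return the problems found; an empty list means the rule is well-formed."""
    problems = []
    if rule.protocol not in PROTOCOLS:
        problems.append(f"unknown protocol {rule.protocol!r}")
    if rule.direction not in ("ingress", "egress"):
        problems.append(f"direction must be ingress or egress, not {rule.direction!r}")
    # The remote is exactly one of: a CIDR block or a source security group.
    if (rule.remote_ip is None) == (rule.remote_group is None):
        problems.append("give exactly one of remote_ip (CIDR) or remote_group")
    if rule.remote_ip is not None:
        try:  # strict=True rejects host bits (e.g. 10.0.0.5/24) instead of widening
            ipaddress.ip_network(rule.remote_ip, strict=True)
        except ValueError:
            problems.append(f"invalid CIDR {rule.remote_ip!r}")
    if rule.protocol in ("tcp", "udp"):
        if rule.port_range is None:
            problems.append("tcp/udp rules need a port or a from:to range")
        else:
            lo, _, hi = rule.port_range.partition(":")
            hi = hi or lo  # a single port N is the range N:N
            try:
                lo_n, hi_n = int(lo), int(hi)
            except ValueError:
                problems.append(f"ports must be integers: {rule.port_range!r}")
            else:
                if not 1 <= lo_n <= hi_n <= 65535:
                    problems.append(f"bad port range {rule.port_range!r} (need 1 <= from <= to <= 65535)")
    elif rule.port_range is not None:
        problems.append("icmp rules take an ICMP type/code, not a port range")
    return problems


def build_create_argv(rule: Rule) -> list:
    """argv for `openstack security group rule create` as documented above."""
    argv = ["openstack", "security", "group", "rule", "create", rule.group,
            "--protocol", rule.protocol, "--" + rule.direction]
    if rule.port_range is not None:
        argv += ["--dst-port", rule.port_range]
    if rule.remote_ip is not None:
        argv += ["--remote-ip", rule.remote_ip]
    else:
        argv += ["--remote-group", rule.remote_group]
    return argv


def world_open_ingress(rules: list) -> list:
    """IDs of ingress rules that accept traffic from every address.

    A rule with no source group and an IP Range of 0.0.0.0/0 or ::/0 (or no
    range at all, which Neutron also treats as any source) is reachable from
    anywhere.
    """
    flagged = []
    for r in rules:
        if r["Direction"] != "ingress" or r["Remote Security Group"] is not None:
            continue
        if r["IP Range"] in ANY_SOURCE or r["IP Range"] is None:
            flagged.append(r["ID"])
    return flagged


# Constructed sample mirroring the rows of the `rule list` output shown above,
# as `-f json` would return them (JSON null -> None).
SAMPLE_RULES = [
    {"ID": "33cd09ee-0e9b-4ce3-b028-7e24f9604431", "IP Protocol": None, "Ethertype": "IPv6",
     "IP Range": "::/0", "Port Range": "", "Direction": "egress",
     "Remote Security Group": None, "Remote Address Group": None},
    {"ID": "7969c6ae-dec0-4071-935e-6a81e7d8ec5c", "IP Protocol": None, "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "egress",
     "Remote Security Group": None, "Remote Address Group": None},
    {"ID": "7f4e2c68-a369-4be8-8491-561cccffc90c", "IP Protocol": "tcp", "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "89:90", "Direction": "ingress",
     "Remote Security Group": None, "Remote Address Group": None},
]

if __name__ == "__main__":
    rule = Rule("1-group-rule-management", "tcp", port_range="89:90", remote_ip="0.0.0.0/0")
    print(validate(rule) or "ok", "|", " ".join(build_create_argv(rule)))
    print("world-open ingress:", world_open_ingress(SAMPLE_RULES))
```

The validator runs before any API call, so a reversed range, a CIDR with host bits set, or a rule that names both a CIDR and a source group is caught locally; the audit function can be fed the real listing with json.load on the output of the list command.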



Delete Rules

Web Interface

  1. In the Web Interface (https://openstack.stfc.ac.uk/auth/login/?next=/) go to Network -> Security Groups and select the security group you wish to edit.

  2. Click MANAGE RULES

  3. Click DELETE RULE 

  4. Click DELETE RULES to confirm the deletion

Command-line

Get the security group name and the ID of the rule

Run
