Security Groups only allow the filtering of public traffic to and from your Instances. To filter traffic within a Private Network, you can configure a firewall directly on your Instance.
How to use security groups
Security groups act as firewalls, filtering public internet traffic on your Instances. They can be stateful or stateless, and allow you to create rules to drop or allow traffic to and from your Instance. On this page, we show you how to create, edit, and configure a security group via the Scaleway console.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An Instance
How to create a security group
- Click Instances in the Compute section of the side menu. The Instances page displays.
- Click the Security groups tab. The Security groups dashboard displays.
Note
You will see that at least one Default security group already exists in your account. A default security group is auto-generated for each Availability Zone you have created Instances in. All your Instances within that Availability Zone are automatically added to that default security group unless you specify a different configuration.
- Click + Create security group to launch the security group creation wizard.
- Complete the following steps:
- Choose a Name for your security group or keep the randomly generated suggestion. Optionally, add a description.
- Choose an Availability Zone, which is the geographical location in which your security group will be created. Only Instances from the same Availability Zone can be added to this security group.
- Define the inbound and outbound rules that will be applied to your security group, including whether you wish to enable SMTP ports. Learn how to choose security group settings.
- Select the Instances you wish to add to the security group.
- Click Create security group to finish. Your security group is created, and you are redirected to the Security groups tab, where it now appears.
How to edit a security group
-
Click Instances in the Compute section of the side menu. The Instances page displays.
-
Click the Security groups tab. The Security groups dashboard displays.
-
Click the security group you want to edit. Alternatively, click the «See more Icon» icon to the right of the security group in question, and select More info. You are taken to the dashboard for that security group.
-
Navigate to the required tab depending on the edit you want to make:
On the Overview tab, you can:
- Set/unset this security group as the project default,
- Enable/disable SMTP for outgoing emails,
- Enable/disable stateful group rules,
- Delete the security group.
On the Instances tab, you can:
- Link Instances to this security group, using the drop-down menu,
- Unlink Instances from the security group, using the «Unlink Icon» button.
On the Rules tab, you can:
- Set default inbound and outbound policies, by clicking «Edit Icon» and choosing drop or accept for inbound and outbound traffic.
- Create, edit, or delete rules to drop or incoming traffic from defined sources:
- Click «Edit Icon»,
- Click the Add inbound rule or Add outbound rule buttons that appear,
- Create your rule and click «Validate Icon» when you have finished confirming the new rule.
See How to choose security group settings for more information on these choices.
How to choose security group settings
Enabling SMTP
By default, SMTP ports are blocked for security reasons to prevent email spam. This means that you cannot send outgoing emails from the Instance. We recommend leaving this default setting unless you specifically need to send emails from your Instance.
To enable or disable SMTP for a security group, follow the instructions for how to edit a security group and check the relevant box in the Overview tab at step 4.
Enabling stateful groups
By default, security groups created via the console are stateful. To disable or re-enable stateful groups, follow the instructions for editing a security group and check the relevant box in the Overview tab at step 4.
- Stateless: These strictly enforce the default policy and inbound/outbound rules, regardless of whether a connection is initiated from your Instance. Learn more about stateless security groups.
- Stateful: These disregard the default policy and inbound/outbound rules if a connection is initiated from your Instance. Learn more about stateful security groups.
Setting default inbound and outbound policies
You can set default policies to drop or accept all inbound traffic, and drop or accept all outbound traffic. We recommend blocking incoming traffic by default to prevent intrusions. To change your default inbound and outbound policies, follow the instructions for how to edit a security group, checking the relevant boxes in the Rules tab at step 4.
Creating inbound and outbound rules
You can create customized inbound and outbound rules to drop or accept traffic on particular protocols, ports, and IP ranges. To do so, follow the instructions for how to edit a security group, by clicking the edit icon in the Rules tab in step 4.
For each rule, choose the following options:
- Rule: The value can either be Drop to drop connections that match the rule or Accept to accept these connections.
- Protocol: This field specifies the protocol on which the rule applies. The value can either be TCP, UDP, or ICMP.
- Port: This field specifies the port on which the rule applies. If the All Ports box is checked, the rule applies to all ports.
- IP Range: The IP range in CIDR notation on which the rule applies.