Security Groups
Security groups act as virtual firewalls for your servers. Each security group contains a set of rules that define which network traffic is allowed to reach (ingress) or leave (egress) the servers it is attached to.
Security groups are project-scoped — you create them once and can apply them to any number of servers in your project.
Navigate to Cloud → Networking → Security Groups to manage them.
How security groups work
- Every server must have at least one security group attached.
- Rules are stateful — if you allow inbound traffic on port 443, the corresponding outbound response traffic is automatically allowed without needing a separate egress rule.
- Multiple security groups can be attached to a single server; rules from all attached groups are combined.
- By default, all inbound traffic is denied and all outbound traffic is allowed unless you specify otherwise.
The default security group
Every project has a default security group automatically applied to new servers. It allows all outbound traffic and permits inbound traffic only from servers that are also in the default group (allowing servers to communicate with each other).
You can modify the default group's rules, but you cannot delete it.
Creating a security group
- Click + Create Security Group.
- Enter a name (e.g. web-servers, database) and an optional description.
- Click Create.
The new group starts with default egress rules allowing all outbound traffic. Add ingress rules as needed.
Managing rules
Open a security group to see its Ingress Rules and Egress Rules tabs.
Adding a rule
Click + Add Rule and fill in:
| Field | Description |
|---|---|
| Protocol | TCP, UDP, ICMP, or Any |
| Direction | Ingress or Egress |
| Port / Range | Specific port (e.g. 22) or range (e.g. 8080-8090). Leave empty to match all ports. |
| Remote | A CIDR block (e.g. 203.0.113.0/24) or another security group |
Deleting a rule
Click the Delete icon next to any rule to remove it immediately.
Common configurations
Web server (HTTP + HTTPS + SSH)
| Direction | Protocol | Port | Remote |
|---|---|---|---|
| Ingress | TCP | 22 | Your office IP |
| Ingress | TCP | 80 | 0.0.0.0/0 |
| Ingress | TCP | 443 | 0.0.0.0/0 |
Database server (internal access only)
| Direction | Protocol | Port | Remote |
|---|---|---|---|
| Ingress | TCP | 3306 | web-servers (security group) |
This allows MySQL access only from servers in the web-servers security group — no public internet access.
Allow ping (ICMP)
| Direction | Protocol | Port | Remote |
|---|---|---|---|
| Ingress | ICMP | — | 0.0.0.0/0 |
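The configurations above can be checked against the evaluation model from "How security groups work": ingress is denied by default, rules from all attached groups are combined, and a remote may be a CIDR block or another security group. The following is an added example, not code from this platform. The server names, private IPs, the `ping` group name, and the address 198.51.100.7 standing in for "Your office IP" are constructed assumptions, and only ingress is modeled.

```python
import ipaddress

# Constructed model of the page's example groups: (protocol, port range or None, remote).
# A remote is a CIDR string or ("group", name). 198.51.100.7/32 stands in for "Your office IP".
GROUPS = {
    "web-servers": [
        ("tcp", (22, 22), "198.51.100.7/32"),
        ("tcp", (80, 80), "0.0.0.0/0"),
        ("tcp", (443, 443), "0.0.0.0/0"),
    ],
    "database": [("tcp", (3306, 3306), ("group", "web-servers"))],
    "ping": [("icmp", None, "0.0.0.0/0")],  # hypothetical group name for the ICMP rule
}

# Constructed inventory: server name -> (private IP, attached security groups).
SERVERS = {
    "web-1": ("10.0.0.10", ["web-servers", "ping"]),
    "db-1": ("10.0.0.20", ["database"]),
}

def members(group):
    """IP addresses of every server that has `group` attached."""
    return {ip for ip, attached in SERVERS.values() if group in attached}

def rule_matches(rule, proto, port, src):
    r_proto, r_ports, remote = rule
    if r_proto not in ("any", proto):
        return False
    # An empty port field matches all ports; ICMP has no ports to compare.
    if r_ports is not None and proto != "icmp" and not (r_ports[0] <= port <= r_ports[1]):
        return False
    if isinstance(remote, tuple):  # remote is another security group
        return src in members(remote[1])
    return ipaddress.ip_address(src) in ipaddress.ip_network(remote)

def ingress_allowed(server, proto, port, src):
    """Default deny: allowed only if a rule in any attached group matches."""
    _, attached = SERVERS[server]
    return any(rule_matches(r, proto, port, src) for g in attached for r in GROUPS[g])
```

With this model, `db-1` accepts port 3306 only from `web-1`, and SSH to `web-1` is refused from any address other than the office IP.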
Attaching to a server
Security groups can be attached:
- At creation time — in step 8 of the Create Server wizard.
- After creation — from the server's Security Groups page, click + Add Security Group and select from your existing groups.
You can attach and detach security groups from a running server without rebooting.