Security Groups

A security group is a collection of security rules that is applied to a specific VM.

Security rules in OpenStack serve as a firewall. They are applied directly to VM ports, so proper configuration is necessary. Both ingress and egress rules can be configured using Horizon or the CLI. If you can't connect via SSH or ping your instance, chances are it is because of security rules.

Every OpenStack project contains the default security group, which holds only a set of egress rules (in Horizon, refer to Project / Network / Security Groups). If you accidentally delete the default egress rules, your virtual machine will not be able to send outgoing communication. To fix this, add a new egress rule with any IP protocol and port range, and set Remote IP prefix to 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

An example configuration is available on the page Managing security groups. For the full CLI reference, please refer to the OpenStack docs.

Also refer to the example of creating a new security group with custom rules in the VM provisioning CLI example.

Recommendations

It is recommended to keep the default security group unchanged. If additional access rules are needed, custom security groups should be created and named appropriately instead of modifying the default group. When defining ingress TCP or UDP rules, it is also recommended to explicitly list each allowed port rather than using port ranges.
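
The checks described above can be automated. The following is an added example, not part of the original documentation: it audits rule data for a missing allow-all egress rule in the default group, ingress rules added to the default group, and TCP/UDP ingress rules that open a port range. The rule fields follow Neutron's security group rule naming; the group names, the rule() helper and the sample rules are constructed for illustration.

```python
# Added example (not from the e-INFRA documentation): audit security group
# rules against the guidance on this page. Rule fields follow the Neutron
# security-group-rule naming; group names and rules below are constructed.

ANY_PREFIX = {"IPv4": (None, "0.0.0.0/0"), "IPv6": (None, "::/0")}


def rule(direction, ethertype, protocol=None, lo=None, hi=None, prefix=None):
    """Build a rule dict (hypothetical helper for the sample data)."""
    return {"direction": direction, "ethertype": ethertype,
            "protocol": protocol, "port_range_min": lo,
            "port_range_max": hi, "remote_ip_prefix": prefix,
            "remote_group_id": None}


def has_open_egress(rules, ethertype):
    """True if an egress rule allows any protocol and port to any address."""
    return any(r["direction"] == "egress" and r["ethertype"] == ethertype
               and r["protocol"] is None and r["port_range_min"] is None
               and r["remote_group_id"] is None
               and r["remote_ip_prefix"] in ANY_PREFIX[ethertype]
               for r in rules)


def audit_group(name, rules):
    """Return a list of findings for one security group."""
    findings = []
    if name == "default":  # the default group must keep its egress rules
        for ethertype in ("IPv4", "IPv6"):
            if not has_open_egress(rules, ethertype):
                findings.append(f"{name}: no allow-all {ethertype} egress rule")
    for r in (r for r in rules if r["direction"] == "ingress"):
        if name == "default":  # custom access belongs in a custom group
            findings.append(f"{name}: ingress rule added to default group")
        lo, hi = r["port_range_min"], r["port_range_max"]
        if r["protocol"] in ("tcp", "udp") and (lo is None or lo != hi):
            span = "all ports" if lo is None else f"ports {lo}-{hi}"
            findings.append(f"{name}: {r['protocol']} rule opens {span}")
    return findings


SAMPLE = {  # constructed sample data
    "default": [rule("egress", "IPv4", prefix="0.0.0.0/0"),  # IPv6 egress deleted
                rule("ingress", "IPv4", "tcp", 22, 22, "0.0.0.0/0")],
    "web-servers": [rule("ingress", "IPv4", "tcp", 80, 443, "0.0.0.0/0"),
                    rule("ingress", "IPv4", "tcp", 22, 22, "192.0.2.0/24")],
}

if __name__ == "__main__":
    for group, group_rules in SAMPLE.items():
        print("\n".join(audit_group(group, group_rules)))
```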
