---

copyright:
  years: 2019, 2020
lastupdated: "2019-09-30"

keywords: security groups, traffic, firewall, stateful, filtering

subcollection: vpc

---

{:shortdesc: .shortdesc}
{:new_window: target="_blank"}
{:codeblock: .codeblock}
{:pre: .pre}
{:screen: .screen}
{:tip: .tip}
{:note: .note}
{:download: .download}
{:DomainName: data-hd-keyref="DomainName"}

# Using security groups
{: #using-security-groups}

Security groups give you a convenient way to apply filtering rules, based on IP address, to each network interface of a virtual server instance. When you create a security group, you configure its rules to produce the network traffic patterns you want.
{:shortdesc}

By default, a security group denies all traffic. Each rule that you add to a security group defines traffic that the security group permits.

Rules are stateful, which means that reverse traffic in response to allowed traffic is automatically permitted. For example, if you create a rule to allow inbound TCP traffic on port 80, that rule also allows the replying outbound TCP traffic on port 80 back to the originating host, without the need for another rule.

Security groups are scoped to a single VPC. This scoping implies that a security group can be attached only to network interfaces of instances within the same VPC.
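The following Python sketch models the behavior described above: default deny, stateful handling of reply traffic, and VPC scoping on attachment. It is an added example, not IBM Cloud code; the class names, fields, and the treatment of rule ports as destination ports are assumptions of the model, and the addresses are constructed sample values.

```python
# Added illustration: toy model of stateful filtering; names are hypothetical, not IBM Cloud API objects.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str              # "inbound" or "outbound"
    protocol: str
    port_min: int               # destination port range (assumption of this model)
    port_max: int
    remote: str = "0.0.0.0/0"   # CIDR of the peer

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    local_port: int             # port on the instance's interface
    remote_ip: str
    remote_port: int

@dataclass
class SecurityGroup:
    vpc: str
    rules: list = field(default_factory=list)
    flows: set = field(default_factory=set)    # connection-tracking table

    def permits(self, p: Packet) -> bool:
        key = (p.protocol, p.local_port, p.remote_ip, p.remote_port)
        if key in self.flows:                  # reply on an allowed flow
            return True
        dst_port = p.local_port if p.direction == "inbound" else p.remote_port
        for r in self.rules:
            if (r.direction == p.direction and r.protocol == p.protocol
                    and r.port_min <= dst_port <= r.port_max
                    and ip_address(p.remote_ip) in ip_network(r.remote)):
                self.flows.add(key)            # remember the flow for replies
                return True
        return False                           # no matching rule: default deny

def attach(sg: SecurityGroup, interface_vpc: str) -> None:
    if sg.vpc != interface_vpc:                # groups are scoped to one VPC
        raise ValueError("security group and interface are in different VPCs")

if __name__ == "__main__":
    sg = SecurityGroup(vpc="vpc-a")            # constructed sample values
    req = Packet("inbound", "tcp", 80, "203.0.113.10", 51000)
    print(sg.permits(req))                     # no rules yet
    sg.rules.append(Rule("inbound", "tcp", 80, 80))
    print(sg.permits(req), sg.permits(Packet("outbound", "tcp", 80, "203.0.113.10", 51000)))
```

An outbound packet that does not belong to a tracked flow is still denied until an outbound rule permits it, which is the case to check when an instance cannot reach external services.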

When an instance is created and no security groups are specified, the instance's primary network interface is attached to the default security group of that instance's VPC. For more information, see Updating the default security group.

You can set up security groups by using the UI, CLI, or REST API: