Security Groups act as a virtual firewall for your instances to control inbound and outbound traffic.

Creating a Security Group

To create a new security group:

openstack security group create <name>

Example:

openstack security group create web-server-sg --description "Security group for web servers"

Managing Security Group Rules

Once a security group is created, you need to add rules to allow traffic; any traffic not matched by a rule is dropped.

[NOTE] By default, a new security group contains rules that allow all egress (outbound) traffic, while no inbound traffic is allowed until you add ingress rules. The rule create command adds an ingress rule unless --egress is given.

Adding Rules

To allow SSH traffic (port 22) from anywhere (the default remote prefix is 0.0.0.0/0, i.e. any IPv4 source):

openstack security group rule create --proto tcp --dst-port 22 web-server-sg

To allow HTTP traffic (port 80) from anywhere:

openstack security group rule create --proto tcp --dst-port 80 web-server-sg

To allow traffic from a specific IP range (CIDR):

openstack security group rule create --proto tcp --dst-port 80 --remote-ip 192.168.1.0/24 web-server-sg

To allow traffic from another security group:

openstack security group rule create --proto tcp --dst-port 80 --remote-group <other-sg-name> web-server-sg

Deleting Rules

First, list the rules to find the ID:

openstack security group rule list web-server-sg

Then delete the rule by ID:

openstack security group rule delete <rule-id>
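As an added example that is not part of the original page, the following POSIX shell audit reads the CSV output of the rule list command and prints the ID of every ingress TCP rule that is open to the whole Internet (0.0.0.0/0 or ::/0) on a sensitive port, so you know which rule IDs to replace with a CIDR- or group-restricted rule before deleting the open one. The column names and the --ingress option assume a recent python-openstackclient; the sample rule list below is constructed, not captured from a real cloud.

```shell
#!/bin/sh
# Audit security group rules for world-open access to sensitive ports.
# Real usage (assumes a recent python-openstackclient):
#   openstack security group rule list web-server-sg --ingress -f csv \
#     -c ID -c "IP Protocol" -c "IP Range" -c "Port Range" -c Direction | find_open_rules

# Ports that should never be reachable from 0.0.0.0/0 (SSH, MySQL, RDP, PostgreSQL).
SENSITIVE_PORTS="22 3306 3389 5432"

# find_open_rules: reads the CSV rule list on stdin and prints "<rule-id> <port>"
# for each ingress TCP rule whose remote prefix is any-source and whose port
# range (e.g. "22:22" or "3300:3400"; empty means all ports) covers a sensitive port.
find_open_rules() {
    awk -F'","' -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, plist, " ") }
    NR == 1 { next }                              # skip the CSV header line
    {
        sub(/^"/, "", $1); sub(/"$/, "", $NF)     # strip the outer quotes
        id = $1; proto = $2; cidr = $3; range = $4; dir = $5
        if (dir != "ingress" || proto != "tcp") next
        if (cidr != "0.0.0.0/0" && cidr != "::/0") next
        if (range == "") { lo = 1; hi = 65535 }   # no port range means every port
        else { split(range, r, ":"); lo = r[1] + 0; hi = r[2] + 0 }
        for (i = 1; i <= n; i++)
            if (plist[i] + 0 >= lo && plist[i] + 0 <= hi)
                print id, plist[i]
    }'
}

# Constructed sample output (the IDs are placeholders, not real rule IDs).
# Rule 0003 is restricted to a /24 and rule 0002 is HTTP, so neither is flagged;
# rule 0004 is a wide range that happens to cover MySQL and RDP.
SAMPLE_RULES='"ID","IP Protocol","IP Range","Port Range","Direction"
"1b2c3d4e-0001","tcp","0.0.0.0/0","22:22","ingress"
"1b2c3d4e-0002","tcp","0.0.0.0/0","80:80","ingress"
"1b2c3d4e-0003","tcp","192.168.1.0/24","22:22","ingress"
"1b2c3d4e-0004","tcp","0.0.0.0/0","3300:3400","ingress"
"1b2c3d4e-0005","None","None","","egress"'

# audit_sample: runs the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_open_rules
}

audit_sample
```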

Using Security Groups with Instances

During Instance Creation

You can assign security groups when launching an instance:

openstack server create --image <image> --flavor <flavor> --security-group web-server-sg my-instance

For Existing Instances

To add a security group to a running instance:

openstack server add security group <server-name> <security-group-name>

To remove a security group from a running instance:

openstack server remove security group <server-name> <security-group-name>