Configure security groups and rules


To configure security groups

  1. To list all security groups

    To list security groups for the current project, including descriptions, enter the following command:

    $ nova secgroup-list
  2. To create a security group

    To create a security group with a specified name and description, enter the following command:

    $ nova secgroup-create SEC_GROUP_NAME GROUP_DESCRIPTION
  3. To delete a security group

    To delete a specified group, enter the following command:

    $ nova secgroup-delete SEC_GROUP_NAME

    Note: You cannot delete the default security group for a project. Also, you cannot delete a security group that is assigned to a running instance.


To configure security group rules

Modify security group rules with the nova secgroup-*-rule commands.

  1. On a shell, source the OpenStack RC file. For details, see the section called “OpenStack RC file”.

  2. To list the rules for a security group

    $ nova secgroup-list-rules SEC_GROUP_NAME
  3. To allow SSH access to the instances

    Choose one of the following sub-steps:

    1. To add a rule for all IPs

      To allow access from all IP addresses (specified as an IP subnet in CIDR notation, 0.0.0.0/0):

      $ nova secgroup-add-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0
    2. To add a rule for security groups

      Alternatively, you can allow only IP addresses from other security groups (source groups) to access the specified port:

      $ nova secgroup-add-group-rule --ip_proto tcp --from_port 22 \
           --to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME
  4. To allow pinging the instances

    Choose one of the following sub-steps:

    1. To allow pinging from IPs

      Specify all IP addresses as an IP subnet in CIDR notation: 0.0.0.0/0. The two -1 values allow all ICMP types and all ICMP codes:

      $ nova secgroup-add-rule SEC_GROUP_NAME icmp -1 -1 0.0.0.0/0
    2. To allow pinging from other security groups

      To allow only members of other security groups (source groups) to ping instances:

      $ nova secgroup-add-group-rule --ip_proto icmp --from_port -1 \
           --to_port -1 SEC_GROUP_NAME SOURCE_GROUP_NAME
  5. To allow access through UDP port

    To allow access through a UDP port, such as allowing access to a DNS server that runs on a VM, complete one of the following sub-steps:

    1. To allow UDP access from IPs

      Specify all IP addresses as an IP subnet in CIDR notation: 0.0.0.0/0.

      $ nova secgroup-add-rule SEC_GROUP_NAME udp 53 53 0.0.0.0/0
    2. To allow UDP access from other security groups

      To allow only IP addresses from other security groups (source groups) to access the specified port:

      $ nova secgroup-add-group-rule --ip_proto udp --from_port 53 \
            --to_port 53 SEC_GROUP_NAME SOURCE_GROUP_NAME
  6. To delete a security group rule, specify the same arguments that you used to create the rule.

    To delete the security rule that you created in Step 3.a:

    $ nova secgroup-delete-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0

    To delete the security rule that you created in Step 3.b:

    $ nova secgroup-delete-group-rule --ip_proto tcp --from_port 22 \
         --to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME
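
The whole procedure above, collected into one script as an added example (this is not part of the OpenStack documentation and not a nova tool). It assumes the nova CLI is on PATH and the OpenStack RC file has been sourced; with DRY_RUN=1, which is the default here, every nova command is printed instead of run. The group names web-tier and bastion and the admin range 203.0.113.0/24 are constructed placeholders. The cidr_rule_args helper checks the protocol, port range and CIDR form before a rule is submitted and builds the identical argument tuple that both secgroup-add-rule and secgroup-delete-rule take, which is what step 6 relies on; it also reports on stderr when a TCP or UDP port is opened to every address, so that a world-open SSH rule is a deliberate choice rather than an accident.

```shell
#!/bin/sh
# Added example, not from the OpenStack documentation. Assumes the nova CLI is on
# PATH and the OpenStack RC file has been sourced. With DRY_RUN=1 (the default)
# each nova command is printed instead of executed. Names and the admin CIDR
# below are constructed placeholders.

DRY_RUN="${DRY_RUN:-1}"
SEC_GROUP_NAME="${SEC_GROUP_NAME:-web-tier}"        # constructed example name
SOURCE_GROUP_NAME="${SOURCE_GROUP_NAME:-bastion}"   # constructed example name
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"          # constructed (TEST-NET-3) range

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate and print the argument tuple shared by secgroup-add-rule and
# secgroup-delete-rule (deleting a rule needs exactly the creation arguments).
# Usage: cidr_rule_args PROTO FROM_PORT TO_PORT CIDR
cidr_rule_args() {
    proto="$1"; from="$2"; to="$3"; cidr="$4"
    case "$proto" in
        tcp|udp)
            [ "$from" -ge 1 ] && [ "$from" -le 65535 ] \
                && [ "$to" -ge "$from" ] && [ "$to" -le 65535 ] || return 1 ;;
        icmp) ;;            # -1 -1 selects every ICMP type and code
        *)    return 1 ;;   # only tcp, udp and icmp are accepted here
    esac
    case "$cidr" in
        */*) ;;             # require CIDR notation, e.g. 0.0.0.0/0
        *)   return 1 ;;
    esac
    if [ "$cidr" = 0.0.0.0/0 ] && [ "$proto" != icmp ]; then
        echo "warning: $proto $from-$to on $SEC_GROUP_NAME is open to every address" >&2
    fi
    printf '%s %s %s %s' "$proto" "$from" "$to" "$cidr"
}

add_cidr_rule() {
    args=$(cidr_rule_args "$@") || return 1
    run nova secgroup-add-rule "$SEC_GROUP_NAME" $args
}

delete_cidr_rule() {
    args=$(cidr_rule_args "$@") || return 1
    run nova secgroup-delete-rule "$SEC_GROUP_NAME" $args
}

# Source-group rules take the same flags for add and delete.
# Usage: group_rule add|delete PROTO FROM_PORT TO_PORT
group_rule() {
    run nova "secgroup-$1-group-rule" --ip_proto "$2" --from_port "$3" \
        --to_port "$4" "$SEC_GROUP_NAME" "$SOURCE_GROUP_NAME"
}

setup() {
    run nova secgroup-create "$SEC_GROUP_NAME" "web tier example group"
    add_cidr_rule tcp 22 22 "$ADMIN_CIDR"     # SSH only from the admin range
    group_rule add icmp -1 -1                 # ping only from the bastion group
    add_cidr_rule udp 53 53 0.0.0.0/0         # DNS served by the instance
    run nova secgroup-list-rules "$SEC_GROUP_NAME"
}

# Remove the rules with the same arguments they were created with, then the group.
teardown() {
    delete_cidr_rule udp 53 53 0.0.0.0/0
    group_rule delete icmp -1 -1
    delete_cidr_rule tcp 22 22 "$ADMIN_CIDR"
    run nova secgroup-delete "$SEC_GROUP_NAME"
}

if [ "${1:-}" = teardown ]; then
    teardown
else
    setup
fi
```

Run it once with DRY_RUN=1 to review the exact nova commands, then with DRY_RUN=0 to apply them; `teardown` as the first argument reverses the changes in the opposite order, so no rule is left behind on a group that secgroup-delete would otherwise refuse to remove.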