Create a New Security Group

    Objective

    To create a new security group (or groups) to use with servers in deployments.

    Prerequisites

    • Adding and editing security groups requires the "security_manager" role. See User Role Privileges.

    Note: The "security_manager" role also enables you to run Infrastructure Audit reports (which include security group audit trail information).

    Overview

    Security groups are essentially firewalls for servers in the cloud. They define which ports are open to allow incoming connections to a server via specific protocols. Security groups only affect ingress (incoming) communications and do not prevent a server from initiating outbound communications.

    Each server must have at least one security group assigned. By default, a new security group set up with no associated rules will deny all access to its associated servers. You must add rules in order to allow inbound traffic to the servers.

    Security groups give you a flexible way to restrict server access, allowing you to set restrictions specific to particular protocols, ports, IP addresses, or combinations of these. Permissions defined in a security group are additive in nature; so, if a server has two security groups where one group has port 80 open and the other group has port 80 closed, port 80 will be open (not closed) on the server.

    Steps

    Create a New Security Group

    1. In the RightScale Dashboard, go to Clouds -> CloudName -> Security Groups -> New.

    2. Provide a name and description for your security group.

    [Screenshot: security group name and description fields]

    3. Click Create.

    Add IP-Address-Based Permissions

    You will need to open ports to provide access to any servers that are in this security group. In this example, we will enter rules common to a single LAMP server requiring both SSH access and the ability to browse to the server from any source IP address. (Your specific requirements may differ, but the setup steps will be similar.) To open port 22 for your security group:

    1. Under "Permissions" in your security group properties, enter the following:

    • Leave the protocol set to "tcp."
    • Specify the allowed source IP address or range in CIDR notation. To allow any IP addresses, enter: 0.0.0.0/0.
    • Enter the TCP port range: 22 and 22.
      Important! Whether you specify a range of ports or a single port number, you must fill in both port fields in your "Add IPs" rule. Port ranges are inclusive; thus, creating a new "Add IPs" rule referencing ports 22 and 80 opens every port from 22 through 80, not just those two.

    [Screenshot: "Add IPs" permission form]

    2. Click Add to add your new rule. The new entry is added to the "Permissions" section in the security group properties.

    You can repeat the above steps to add additional rules for other needed services—for example, to open port 80 for HTTP browsing, or 443 if SSL (HTTPS) is required.

    You can click the Revoke button to remove a rule from the security group.

    The Audit Entries tab in your security group properties shows activity such as the creation of the security group, along with all updates.

    Add Group-Based Permissions

    Use the "Add Group" feature to add a security group to another security group, or to add a security group to itself. Adding a group grants group-wide access: every server in the added group is permitted to reach the servers in the group you are editing.

    Troubleshooting Security Groups

    When experiencing communications issues with servers in a deployment, you may need to troubleshoot your security group settings. The following common issues are associated with the setup and configuration of security groups.

    • Ports not opened correctly
      • No website access? Port 80 may be closed.
      • SSH sessions fail? Port 22 may be closed. (For non-RightLink-enabled machine images, incorrect or absent SSH keys can affect operational and decommissioning RightScripts also.)
      • No SSL support? Port 443 may be closed.
    • Accidental use of /32 in CIDR notation, which limits the rule to a single source IP address, instead of a less restrictive range such as /0.
    • If too many ports are open on your server, you may have specified a range of ports when trying to specify a single port in your security group (e.g., ports 80 through 8000 instead of only ports 80 and 8000).
    • If servers within a security group are not communicating correctly, you may need to either explicitly open the communications ports to all IP addresses, or add the security group to itself, which allows all servers in the security group to communicate with each other.
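    The rule semantics described above (inclusive port ranges, additive permissions across a server's groups, deny-by-default with no rules, and the /32 and accidental-range pitfalls from the troubleshooting list) can be exercised with the following small model. It is an added example, not RightScale code; the group names, sample rules and source addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One 'Add IPs' permission: protocol, source CIDR, and an inclusive port range."""
    protocol: str
    cidr: str
    from_port: int
    to_port: int

    def matches(self, protocol, source_ip, port):
        in_source = ipaddress.ip_address(source_ip) in ipaddress.ip_network(self.cidr)
        return self.protocol == protocol and in_source and self.from_port <= port <= self.to_port


def ingress_allowed(groups, protocol, source_ip, port):
    """Additive: any matching rule in any assigned group opens the port, so a group
    without a rule for a port never 'closes' it; no rules at all denies everything."""
    return any(r.matches(protocol, source_ip, port) for g in groups for r in g)


def open_ports(groups, source_ip, protocol="tcp", max_port=1024):
    """Ports the given source can reach; a long run reveals an accidental range."""
    return [p for p in range(1, max_port + 1) if ingress_allowed(groups, protocol, source_ip, p)]


def diagnose(groups, expected_ports, source_ip):
    """Findings matching the troubleshooting list: expected ports closed, unexpected
    ports open (a range entered instead of single ports), and /32 sources."""
    findings = []
    reachable = set(open_ports(groups, source_ip))
    for p in sorted(set(expected_ports) - reachable):
        findings.append(f"port {p} is closed for {source_ip}")
    extra = sorted(reachable - set(expected_ports))
    if extra:
        findings.append(f"{len(extra)} unexpected ports open ({extra[0]}-{extra[-1]}); check for a range")
    for r in (r for g in groups for r in g):
        if ipaddress.ip_network(r.cidr).prefixlen == 32:
            findings.append(f"rule {r.from_port}-{r.to_port} admits only the single host {r.cidr}")
    return findings


# Constructed sample groups (not taken from the page); addresses are from the TEST-NET ranges.
LAMP = [Rule("tcp", "0.0.0.0/0", 22, 22), Rule("tcp", "0.0.0.0/0", 80, 80)]
SSH_ONLY = [Rule("tcp", "0.0.0.0/0", 22, 22)]      # has no rule for 80 but cannot close it
TYPO_RANGE = [Rule("tcp", "0.0.0.0/0", 22, 80)]    # 22 and 80 entered as one range
SINGLE_HOST = [Rule("tcp", "203.0.113.5/32", 22, 22)]
```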