Overview

Security groups are stateful virtual firewalls attached to instance network interfaces. Each group contains a set of rules that permit specific traffic by protocol, port range, and source or destination. Because the groups are stateful, return traffic for a permitted connection is allowed automatically, without an explicit egress rule.

Prerequisites

  • An active Xloud project with member or admin role
  • At least one running or planned instance to attach the group to
  • CLI users: Xloud CLI configured and credentials sourced

Default Behavior

Every project includes a default security group applied automatically to new instances unless another group is specified.

| Direction | Default Rule | Effect |
|---|---|---|
| Egress | Allow all (any protocol, any destination) | Instance can reach any external address |
| Ingress | Deny all (no explicit permit rules) | No inbound traffic is permitted unless rules are added |
| Intra-group | Allow from same group members | Instances sharing the default group can communicate |

Never add an Allow All ingress rule (0.0.0.0/0 on all ports) to a production security group. Restrict access to the minimum required CIDRs and ports.

Common Rules Reference

| Service | Protocol | Port / Type | Direction | Recommended Source |
|---|---|---|---|---|
| SSH | TCP | 22 | Ingress | Management CIDR |
| HTTP | TCP | 80 | Ingress | 0.0.0.0/0 |
| HTTPS | TCP | 443 | Ingress | 0.0.0.0/0 |
| ICMP Ping | ICMP |  | Ingress | 0.0.0.0/0 or management CIDR |
| RDP | TCP | 3389 | Ingress | Management CIDR |
| MySQL / MariaDB | TCP | 3306 | Ingress | Application security group |
| PostgreSQL | TCP | 5432 | Ingress | Application security group |
| Custom TCP range | TCP | e.g. 8000-8080 | Ingress | Specific CIDR |

Use a security group as the source (instead of a CIDR) when the source instances are in your project. This allows dynamic membership — adding instances to the source group automatically grants access without updating CIDR ranges.
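
The guidance in the two sections above can be checked mechanically. The following is an added example, not Xloud code: it audits a list of rules for allow-all ingress and for SSH, RDP, or database ports opened to any address. The rule field names (direction, protocol, port_min, port_max, remote_cidr, remote_group) and the sample rules are assumptions made for this example, not the Xloud API schema, and the check also treats ::/0 as "any address", which goes beyond the 0.0.0.0/0 case named on this page.

```python
import ipaddress

# Ports the reference table restricts to a management CIDR or a source group.
RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL / MariaDB", 5432: "PostgreSQL"}


def is_any_source(rule):
    """True when the rule's remote is a CIDR covering every address (/0)."""
    cidr = rule.get("remote_cidr")
    if rule.get("remote_group") or not cidr:
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule_index, finding) pairs for ingress rules that break the guidance."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["direction"] != "ingress" or not is_any_source(rule):
            continue
        lo, hi = rule.get("port_min"), rule.get("port_max")
        proto = rule.get("protocol")
        all_ports = lo is None or (lo <= 1 and hi >= 65535)
        if proto is None or (proto in ("tcp", "udp") and all_ports):
            findings.append((i, "allow-all ingress from any address"))
            continue
        if proto != "tcp":
            continue  # e.g. ICMP ping, which the table permits from 0.0.0.0/0
        for port, service in sorted(RESTRICTED_PORTS.items()):
            if lo <= port <= hi:
                findings.append((i, f"{service} (tcp/{port}) open to any address"))
    return findings


# Constructed sample rules; the field names are assumptions for this example.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port_min": 443, "port_max": 443, "remote_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 22, "port_max": 22, "remote_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 22, "port_max": 22, "remote_cidr": "203.0.113.0/24"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 3000, "port_max": 6000, "remote_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 5432, "port_max": 5432, "remote_group": "app-tier"},
    {"direction": "ingress", "protocol": None, "remote_cidr": "0.0.0.0/0"},
    {"direction": "egress", "protocol": None, "remote_cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for index, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```

The wide range in the fourth sample rule shows why port ranges need the same scrutiny as single ports: one 3000-6000 rule exposes MySQL, RDP, and PostgreSQL at once.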

Create a Security Group

Navigate to Security Groups

Log in to the Xloud Dashboard (https://connect.<your-domain>) and navigate to Project → Network → Security Groups.

Create the group

Click Create Security Group. Fill in the fields:

| Field | Description |
|---|---|
| Name | Descriptive name, e.g. web-tier, db-access |
| Description | Purpose of the group — shown in the list view |

Click Create Security Group. The group is created with default egress-allow rules.

Add inbound rules

In the security group list, click Manage Rules next to the new group, then click Add Rule:

| Field | Description |
|---|---|
| Rule | Preset (SSH, HTTP, HTTPS) or Custom TCP/UDP/ICMP |
| Direction | Ingress for inbound, Egress for outbound |
| Port Range | Single port or range (e.g. 443 or 8000:8080) |
| Remote | CIDR block or another security group |

The new rule appears in the group’s rule list immediately.

Apply a Security Group to an Instance

Open instance actions

Navigate to Project → Compute → Instances. In the instance row, open the Actions dropdown and select Edit Security Groups.

Add the group

In the Edit Instance dialog, locate the security group in the All Security Groups list and click the + button to move it to Instance Security Groups.

Save

Click Save. Changes apply immediately — no reboot is required.
The security group appears in the instance’s security group list.

Validation

Navigate to Project → Compute → Instances, click the instance name, and scroll to the Security Groups section. Confirm the target group is listed.
The security group and its rules are visible in the instance detail view.

Next Steps

  • Launch an Instance: Attach security groups at instance creation time
  • Manage IP Addresses: Allocate floating IPs and configure external access
  • Xloud Networking: Create networks, subnets, and routers for your project
  • Compute User Guide: Overview of all compute operations and instance lifecycle management