
Overview

Security groups are stateful firewall rulesets enforced at the hypervisor on each instance's virtual network port: when an inbound connection is allowed, its return traffic is allowed automatically, so you do not write matching egress rules for it. Every instance begins with a default security group that blocks all inbound traffic except, in the stock OpenStack configuration, traffic from other members of that same default group (see Security Hardening for locking the default group down further). Add rules to permit the specific protocols your workload requires; changes take effect immediately, without a restart or interface bounce.
Prerequisites
  • An active Xloud project with at least one running instance
  • Dashboard access or CLI configured with valid credentials

Create a Security Group

Navigate to Security Groups

Log in to the Xloud Dashboard (https://connect.<your-domain>) and navigate to Project → Network → Security Groups. Click Create Security Group.

Name the group

Field          Description
Name           Short, descriptive name, e.g. web-sg
Description    Optional, e.g. "HTTP/HTTPS for web tier"
Each new security group automatically includes two egress rules that allow all outbound IPv4 and IPv6 traffic. Add ingress rules for the specific ports your workload exposes.

Add ingress rules

Open the new group and click Add Rule. Repeat for each required rule.
Direction   Protocol   Port Range   Remote               Purpose
Ingress     TCP        80           0.0.0.0/0            HTTP
Ingress     TCP        443          0.0.0.0/0            HTTPS
Ingress     TCP        22           <your-office-CIDR>   SSH management
Ingress     ICMP       Any          0.0.0.0/0            Ping and diagnostics
Avoid a remote of 0.0.0.0/0 (or ::/0) for SSH (port 22) in production. Restrict it to your management CIDR or route SSH through a bastion host. Likewise, if the ICMP rule exists only so that you can ping the instance, restrict it to echo request (ICMP type 8) with a custom ICMP rule rather than allowing every ICMP type.

Assign to an instance

Navigate to Project → Compute → Instances, select the instance, then select Actions → Edit Security Groups. Add web-sg to the assigned list.
The group's rules take effect on the instance immediately; no restart is required.
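The same procedure can be scripted with the OpenStack CLI that the rest of this page uses. The script below is an added example, not Xloud's or OpenStack's own tooling: it describes web-sg's rules as data, refuses the world-open SSH rule warned against above, tightens the ICMP rule to echo request, and prints (or, with --apply, runs) the equivalent openstack commands. The office CIDR 203.0.113.0/24 and the server name my-instance are placeholders; the flag names are those of python-openstackclient.

```python
import shlex
import subprocess
import sys

# Placeholder management CIDR (RFC 5737 documentation range); replace with your own.
OFFICE_CIDR = "203.0.113.0/24"

# Desired rules for the web tier, mirroring the table above. A remote is either a
# CIDR string or {"group": "<security-group>"} for a source-security-group rule.
WEB_SG_RULES = [
    {"proto": "tcp",  "port": "80",    "remote": "0.0.0.0/0", "desc": "HTTP"},
    {"proto": "tcp",  "port": "443",   "remote": "0.0.0.0/0", "desc": "HTTPS"},
    {"proto": "tcp",  "port": "22",    "remote": OFFICE_CIDR, "desc": "SSH management"},
    {"proto": "icmp", "icmp_type": 8,  "remote": "0.0.0.0/0", "desc": "Echo request only"},
]


def check_rules(rules):
    """Guardrail from the note above: SSH must never be open to the whole internet."""
    problems = []
    for r in rules:
        if r.get("proto") == "tcp" and r.get("port") == "22" \
                and r.get("remote") in ("0.0.0.0/0", "::/0"):
            problems.append(f"{r['desc']}: SSH must not be open to {r['remote']}")
    return problems


def rule_argv(group, r):
    """Build the argv for one `openstack security group rule create` call."""
    argv = ["openstack", "security", "group", "rule", "create", group,
            "--ingress", "--protocol", r["proto"], "--description", r["desc"]]
    remote = r["remote"]
    if isinstance(remote, dict):
        argv += ["--remote-group", remote["group"]]     # match members of another group
    else:
        argv += ["--remote-ip", remote]                 # match a CIDR
        if ":" in remote:
            argv += ["--ethertype", "IPv6"]             # IPv6 CIDR needs the IPv6 ethertype
    if "port" in r:
        argv += ["--dst-port", r["port"]]               # TCP/UDP port or "low:high" range
    if "icmp_type" in r:
        argv += ["--icmp-type", str(r["icmp_type"])]    # ICMP rules take a type, not a port
    return argv


def plan(group, description, rules, server):
    """CLI equivalent of the dashboard steps: create group, add rules, attach to server."""
    cmds = [["openstack", "security", "group", "create", group, "--description", description]]
    cmds += [rule_argv(group, r) for r in rules]
    cmds.append(["openstack", "server", "add", "security", "group", server, group])
    return cmds


def main(argv):
    apply = "--apply" in argv
    problems = check_rules(WEB_SG_RULES)
    if problems:
        print("refusing to continue:", *problems, sep="\n  ")
        return 1
    for cmd in plan("web-sg", "HTTP/HTTPS for web tier", WEB_SG_RULES, "my-instance"):
        print(shlex.join(cmd))           # dry run by default: show what would be executed
        if apply:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to review the generated commands, then with --apply once your credentials are configured. Because egress is already allowed by the two default egress rules, the plan adds ingress rules only.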

Common Rules Reference

Use Case              Direction   Protocol   Port   Remote
HTTP web traffic      Ingress     TCP        80     0.0.0.0/0
HTTPS web traffic     Ingress     TCP        443    0.0.0.0/0
SSH access            Ingress     TCP        22     Management CIDR
ICMP ping             Ingress     ICMP       Any    0.0.0.0/0
MySQL / MariaDB       Ingress     TCP        3306   App tier CIDR
PostgreSQL            Ingress     TCP        5432   App tier CIDR
Redis                 Ingress     TCP        6379   App tier CIDR
Custom UDP service    Ingress     UDP        1194   0.0.0.0/0
All outbound (IPv4)   Egress      Any        Any    0.0.0.0/0
All outbound (IPv6)   Egress      Any        Any    ::/0

Source Security Group Rules

Rules can reference another security group as the remote source instead of a CIDR. Such a rule matches traffic from any port that carries the referenced group, whatever its IP address, so it never covers clients outside the cloud and does not need updating when instances are added or replaced.
Allow traffic from app tier security group
openstack security group rule create db-sg \
  --protocol tcp \
  --dst-port 5432 \
  --ingress \
  --remote-group app-sg
Security group references are more maintainable than CIDR-based rules in dynamic environments — you add or remove instances from the source group rather than updating IP ranges in rules.
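To check an existing group against the guidance on this page (no SSH, RDP or database port reachable from 0.0.0.0/0 or ::/0, while remote-group rules like the db-sg example above are fine), the following added script, not part of Xloud's tooling, audits the JSON output of `openstack security group rule list <group> -f json`. The embedded sample is constructed, and its column names are assumed to match that command's output; compare them with your client before relying on the script. An ingress rule with neither a CIDR nor a remote group matches any source, so it is treated as world-open.

```python
import json
import sys

# TCP services whose exposure to the whole internet is almost always a mistake.
SENSITIVE_TCP_PORTS = {
    22: "SSH",
    3389: "RDP",
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    6379: "Redis",
}
# Remote values that mean "anyone": the any-address CIDRs, or no remote at all.
ANY_SOURCE = {"0.0.0.0/0", "::/0", ""}

# Constructed sample shaped like `openstack security group rule list web-sg -f json`
# (column names assumed; verify against your client's output).
SAMPLE_RULES_JSON = json.dumps([
    {"ID": "r-http",   "IP Protocol": "tcp",  "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "80:80",     "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r-ssh",    "IP Protocol": "tcp",  "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "22:22",     "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r-pg",     "IP Protocol": "tcp",  "Ethertype": "IPv4", "IP Range": "",
     "Port Range": "5432:5432", "Direction": "ingress", "Remote Security Group": "app-sg-id"},
    {"ID": "r-redis",  "IP Protocol": "tcp",  "Ethertype": "IPv4", "IP Range": "10.0.1.0/24",
     "Port Range": "6379:6379", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r-alltcp", "IP Protocol": "tcp",  "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "1:65535",   "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r-rdp6",   "IP Protocol": "tcp",  "Ethertype": "IPv6", "IP Range": "::/0",
     "Port Range": "3389:3389", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r-icmp",   "IP Protocol": "icmp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "",          "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r-egress", "IP Protocol": None,   "Ethertype": "IPv4", "IP Range": "",
     "Port Range": "",          "Direction": "egress",  "Remote Security Group": None},
])


def port_range(rule):
    """Return (low, high) for a TCP/UDP rule; None means all ports (or an ICMP type/code)."""
    pr = rule.get("Port Range") or ""
    if not pr or pr.startswith("type="):
        return None
    lo, _, hi = pr.partition(":")
    return int(lo), int(hi or lo)


def is_world_open(rule):
    """True when the rule's remote is any source rather than a CIDR subset or a group."""
    if rule.get("Remote Security Group"):
        return False          # remote-group rules only match members of that group
    return (rule.get("IP Range") or "") in ANY_SOURCE


def audit_rules(rules_json):
    """Map rule ID -> sensitive services it exposes to any source (empty dict = clean)."""
    findings = {}
    for rule in json.loads(rules_json):
        if rule.get("Direction") != "ingress" or not is_world_open(rule):
            continue
        proto = (rule.get("IP Protocol") or "any").lower()
        if proto not in ("tcp", "any"):
            continue          # ICMP/UDP are left to your own policy; TCP services audited here
        rng = port_range(rule)
        exposed = [svc for port, svc in SENSITIVE_TCP_PORTS.items()
                   if rng is None or rng[0] <= port <= rng[1]]
        if exposed:
            findings[rule["ID"]] = exposed
    return findings


def main(argv):
    source = open(argv[0]).read() if argv else SAMPLE_RULES_JSON
    findings = audit_rules(source)
    for rule_id, services in findings.items():
        print(f"{rule_id}: world-open ingress exposes {', '.join(services)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Usage against a live group: `openstack security group rule list web-sg -f json > rules.json && python3 sg_audit.py rules.json`. The non-zero exit status on findings makes it usable as a gate in a pipeline that applies security group changes.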

Manage Rules and Groups

Remove a Rule

List rules in a group
openstack security group rule list web-sg
Delete a specific rule
openstack security group rule delete <rule-id>

Remove a Security Group from an Instance

Remove security group from instance
openstack server remove security group my-instance web-sg

Delete a Security Group

Delete security group
openstack security group delete web-sg
Deleting a security group that is still assigned to instances will fail. Remove all instance assignments before deleting the group.

Next Steps

Floating IP Addresses

Associate public IPs with instances — ensure your security group allows inbound traffic first

Security Hardening

Administrator guide for port security, anti-spoofing, and default group hardening

Network Troubleshooting

Diagnose security group and connectivity issues

Create a Network

Set up the network your secured instances attach to