Managing security groups using the OpenStack terminal client

Creating a security group

To create a security group using the OpenStack terminal client, follow these steps:

  • Run this command: openstack security group create --description [DESCRIPTION] [NAME]

Note

The new security group will not have any rules, so it won't actually do anything yet. To add rules, follow the next step.

Adding rules to a security group

To add rules to a security group using the OpenStack terminal client, follow these steps:

  • Running the following command gives you a detailed overview of the options available when creating a rule: openstack security group rule create -h

  • Define the rule (see our Designing security group rules article for more information). Using the help output from above, you can match your rule to the required parameters.

  • Below is an example command that creates a security group rule allowing SSH, using the terminal client. Replace the items in square brackets with the corresponding data.

openstack security group rule create \
 --protocol tcp \
 --dst-port 22 \
 --ingress \
 --remote-ip [X.X.X.X/Y] \
 --description [DESCRIPTION] \
 [NAME]

Note

For ease of use, we recommend using the already defined rules. These are project specific, so you can also tweak them as you see fit.

Adding a security group to an instance

To add a security group to an instance using the OpenStack terminal client, follow these steps:

  • Run this command, replacing the items in square brackets with the corresponding data: openstack server add security group [INSTANCE NAME] [GROUP NAME]

  • To show which security groups are currently attached to an instance, run this command, replacing the items in square brackets with the corresponding data: openstack server show --column security_groups [INSTANCE NAME]

Address groups

OpenStack has a feature to set up address groups. An address group is a collection of IPs and IP ranges that you can reference from your security group rules. The benefit is that you can reuse one address group in many rules and do not have to maintain several lists of the same addresses. Address groups are only available via the terminal client; below is how to work with them:

  • To create a group, run this command: openstack address group create [NAME]

  • To add addresses to the group, run openstack address group set --address [x.x.x.x/y] [NAME]. The address can be either a range or a single address.

  • To use the address group in a rule, use the --remote-address-group [NAME] option.
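The following script is an added example, not part of the original article and not OpenStack project code. It wraps the commands from the "Adding rules to a security group" and "Address groups" sections above into a few shell functions: one builds a group whose SSH rule carries a single admin CIDR directly, the other builds an address group first and references it from the rule with --remote-address-group, and a final helper attaches a group to an instance and shows the result. The CIDR check, the refusal to open port 22 to 0.0.0.0/0 without an explicit override, the OS_DRY_RUN and ALLOW_ANY variables and the group, address group and instance names (ssh-admin, mgmt-nets, ssh-mgmt, web-01) are all assumptions made for the example; the IP ranges are constructed documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original article or the OpenStack project).
# By default (OS_DRY_RUN=1) the openstack commands are only printed so they
# can be reviewed; set OS_DRY_RUN=0 to run them against a cloud you are
# already authenticated to (OS_CLOUD / OS_* variables set).
: "${OS_DRY_RUN:=1}"

run_os() {
  if [ "$OS_DRY_RUN" = "1" ]; then
    echo "openstack $*"        # review output only; arguments are not shell-quoted
  else
    openstack "$@"
  fi
}

# valid_cidr a.b.c.d/n : pure-shell check for four 0-255 octets and a 0-32 prefix
valid_cidr() {
  case "$1" in *.*.*.*/*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  o1=${ip%%.*}; rest=${ip#*.}
  o2=${rest%%.*}; rest=${rest#*.}
  o3=${rest%%.*}; o4=${rest#*.}
  for o in "$o1" "$o2" "$o3" "$o4"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# ssh_rule GROUP REMOTE_FLAG REMOTE : one ingress TCP/22 rule. A plain CIDR is
# validated, and the world-open CIDR is refused unless ALLOW_ANY=1 is set,
# because SSH should normally be reachable only from a known management range.
ssh_rule() {
  group=$1; flag=$2; remote=$3
  if [ "$flag" = "--remote-ip" ]; then
    valid_cidr "$remote" || { echo "invalid CIDR: $remote" >&2; return 2; }
    if [ "$remote" = "0.0.0.0/0" ] && [ "${ALLOW_ANY:-0}" != "1" ]; then
      echo "refusing to open SSH to 0.0.0.0/0 (set ALLOW_ANY=1 to override)" >&2
      return 3
    fi
  fi
  run_os security group rule create --protocol tcp --dst-port 22 --ingress \
    "$flag" "$remote" --description "SSH via $remote" "$group"
}

# Variant 1: the CIDR is written into the rule itself (create_ssh_group GROUP CIDR)
create_ssh_group() {
  run_os security group create --description "SSH from $2" "$1" || return 1
  ssh_rule "$1" --remote-ip "$2"
}

# Variant 2: the CIDRs live in an address group that several rules can reuse
# (create_address_group AGNAME CIDR...)
create_address_group() {
  ag=$1; shift
  addr_args=""
  for c in "$@"; do
    valid_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 2; }
    addr_args="$addr_args --address $c"   # --address may be repeated
  done
  run_os address group create "$ag" || return 1
  run_os address group set $addr_args "$ag"   # word splitting intended, inputs validated
}

# create_ssh_group_from_ag GROUP AGNAME : rule references the address group
create_ssh_group_from_ag() {
  run_os security group create --description "SSH from address group $2" "$1" || return 1
  ssh_rule "$1" --remote-address-group "$2"
}

# attach_group GROUP INSTANCE : add the group, then show what the instance carries
attach_group() {
  run_os server add security group "$2" "$1" || return 1
  run_os server show --column security_groups "$2"
}

# Usage (dry run, prints the commands): sh secgroups.sh
create_ssh_group ssh-admin 203.0.113.0/24
create_address_group mgmt-nets 203.0.113.0/24 198.51.100.7/32
create_ssh_group_from_ag ssh-mgmt mgmt-nets
attach_group ssh-mgmt web-01
```

The dry-run output is meant for review before running with OS_DRY_RUN=0; because arguments with spaces (such as the description) are printed unquoted, copy the function calls rather than the printed lines if you run them by hand. Remember that, as the notes above say, the group has to be attached to every instance that should receive the rules.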

Note

If you instead choose to press "Edit Port Security Groups" (in step 2 above), you can set security groups on a per-interface (port) basis instead. This might be useful if you have several networks connected to your instance (which we don't recommend) and want different settings on each of them.

Note

Remember: you need to add your groups to all instances; all rules are evaluated per instance.

See also