Security Groups (Cloud Firewalls)

Security groups allow you to restrict network access to groups of virtual machines at the infrastructure level.

After creating a security group, you can add rules to the group to define allowed traffic patterns. Each rule specifies:

  • A traffic direction (incoming/outgoing)
  • Protocol (e.g. TCP)
  • Remote source/destination (either a network prefix like, or another security group)
  • For TCP/UDP protocols, you can also set a port range

Once the security group is configured, you can add virtual machines to the group:

  • Existing VMs: select the VM, open the Security Groups tab, and add the VM to the group.
  • New VMs: you can select the security group when provisioning a new VM.

Traffic to/from a VM will be authorized as long as the traffic matches a rule in any security group that the VM is a member of. Otherwise, the associated packets will be dropped.

Here's an example of a security group that allows all outgoing traffic, and allows web access from any remote host, and SSH only from a specific IP:

Web + Database Group Example

Here's an example where we'll use two security groups: one for our webservers, and one for our database servers.

In our example, we want the database servers to be reachable only from the webservers and from each other. To accomplish this, we'll set the remote source to another security group, instead of using a fixed network prefix. These rules only allow traffic from VMs that are members of the specified security group.

For our webservers, we'll reuse the security group from earlier:

And our database security group looks like this:

Sidenote: we could have also removed the "web->db" rule and simply added our webservers to both the web and database security groups. Then, traffic from our webservers to our database servers would be allowed under the "db->db" rule.