Only tenant administrators can create Security Groups

Exposing certain ports to the Internet at ECMWF

If you are running at ECMWF, please note that the Centre's external firewall, which sits on top of the cloud security groups, only allows a small set of ports for ingress traffic for security reasons. These include the standard ports for SSH, HTTP and HTTPS. You may not be able to expose an arbitrary port to the Internet even if it is allowed in a security group. Please consider using a load balancer or reverse proxy running on standard ports when exposing those services externally.

To create a security group, navigate to Infrastructure > Network and select the Security Groups tab. Click the +Add button to create a security group.

The Security Group window will then appear. To create the security group, define a name and set the scope to our cloud.

After successful creation, the new security group will be visible in the Security Groups tab.

Creating a rule

After creating the group, we need to add rules to it. To do that, first select the group we are interested in from the Security Groups tab, then click Add Rule.

The process of creating a rule is illustrated with the example of allowing connections via SSH.

  • Name - enter the name of the new rule,

  • Direction - select the ingress option,

  • Rule type - select the Custom Rule option,

  • Protocol - TCP,

  • Port range - enter the value 22, the port on which SSH listens,

  • Secure type - select the network option,

  • Source - enter the value 0.0.0.0/0, which allows connections from any address,

  • Destination type - instance.

Press the Save changes button to create the new rule.

The new rule should then be visible in the Rules section.
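
The following Python check is an added example, not part of the original page or of the portal's own tooling. It reviews rules expressed with the form fields above, flagging sources that match any address and listing ports that the external firewall described earlier would still filter. The allow-list of ports 22, 80 and 443, the dictionary keys, the port-range syntax and the sample rules are assumptions made for illustration.

```python
import ipaddress

# Assumption: the page names only the standard SSH, HTTP and HTTPS ports as
# allowed by the external firewall; the real allow-list may be longer.
EXTERNAL_FIREWALL_PORTS = {22, 80, 443}
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules; the keys mirror the form fields (hypothetical names).
SAMPLE_RULES = [
    {"name": "allow-ssh", "direction": "ingress", "port_range": "22", "source": "0.0.0.0/0"},
    {"name": "allow-app", "direction": "ingress", "port_range": "8080-8081", "source": "0.0.0.0/0"},
    {"name": "allow-db", "direction": "ingress", "port_range": "5432", "source": "10.0.0.0/24"},
]


def parse_ports(port_range):
    """Expand '22' or '8080-8081' (assumed field syntax) into a set of ints."""
    low, _, high = port_range.strip().partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {port_range!r}")
    return set(range(low, high + 1))


def review_rule(rule):
    """Flag any-address sources and ports the external firewall would filter."""
    result = {"name": rule["name"], "world_open": False, "filtered_ports": []}
    if rule["direction"] != "ingress":
        return result
    source = ipaddress.IPv4Network(rule["source"], strict=False)
    # A /0 prefix (0.0.0.0/0) matches every IPv4 address.
    result["world_open"] = source.prefixlen == 0
    if not any(source.subnet_of(net) for net in RFC1918):
        # Sources outside private ranges also have to pass the external firewall.
        ports = parse_ports(rule["port_range"])
        result["filtered_ports"] = sorted(ports - EXTERNAL_FIREWALL_PORTS)
    return result


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(review_rule(rule))
```

A rule reported with `world_open` set is a candidate for narrowing its Source to the networks that actually need access, and any entry in `filtered_ports` is a service better published through a load balancer or reverse proxy on a standard port.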