Help:Security groups

From Wikitech

A security group is a set of firewall rules that can be applied to instances. Each instance should belong to one or more security groups; if an instance is not a member of any security group, it is entirely isolated from the outside world and most likely useless.

Every project has a 'default' security group that provides access to ssh and Nagios (which is used for status monitoring). Unless you are doing something very unusual, you will want every instance to be a member of the default group.

If you plan to run other network services on your instances (e.g. a web server, so http), you will need to create an additional custom security group and add it to your instance. You must be a projectadmin in order to manage security groups.

Important: Plan your security scheme before you create an instance; security groups cannot be added to or removed from an instance once it has been created.

Creating a new group

You must be a projectadmin in order to create, add or modify security groups.

  1. In the left menu, open the “Labs Projectadmins” section.
  2. Click on “Manage Security Groups”.
  3. For the project you want to work on, make sure it, and the server region, e.g., pmtpa, are toggled open. You’ll see a list of available security groups.
  4. Click on the “add group” link.
  5. Enter a new security group name, e.g., “web”.
  6. Enter a description ( optional, but possibly helpful, e.g., firewall rules for web access ).
  7. Click on the “Submit” button.
     Once the group has been created, it will be available in the “Add Instance” form under the “Manage Instances” section.

Adding rules

Each security group consists of one or more rules. A rule can cover a single port or a range of ports, for a range of source IP addresses. You must be a projectadmin in order to create, add or modify security group rules. The form sections “Individual rules” and “Group rules” are separate and pertain to different concepts.

Individual rule

Allows you to create a single rule for a group.

  1. Once you’re on the Special:NovaSecurityGroup page, click on the action link “add rule” next to the security group you want to modify.
  2. From port - Start of the port range (if you enter port 2 as the beginning and port 60 as the end, you create a rule for ports 2-60).
  3. To port - End of the port range.
  4. Protocol - icmp, tcp or udp.
  5. CIDR range - The range of IP addresses you want to allow this for. Required for an individual rule. To open the rule to everywhere, use "0.0.0.0/0"; to open it only to labs, use "10.4.0.0/21".
  6. Do not select anything in the source group field.
  7. Click on the “Submit” button.

Group rule

Allows you to add the rules of one group to another group. For example, assume you have a security group called "web" that has specific rules for web access and another group called “admin” that has specific admin rules. If you create an instance that only has the security groups default and admin, you can have admin inherit the web rules by adding the web group to the admin group.

  1. Once you’re on the Special:NovaSecurityGroup page, click on the action link “add rule” next to the security group you want to modify.
  2. Select the set of groups whose rules you want to add to this group.
     • Groups - A set of security groups whose members you wish to grant full access. For instance, if you have a security group called "web" in the project "testlabs" and you add it to a security group rule for "web" in project "bots", then every instance in the "web" security group in project "testlabs" will have full access to the instances in the "web" security group in project "bots".

Examples

Here's a simple security group that allows web access:

Beginning of port range   End of port range   Protocol   CIDR ranges   Source group   Explanation
80                        80                  tcp        0.0.0.0/0     (none)         Open port 80 (http) to everyone
443                       443                 tcp        0.0.0.0/0     (none)         Open port 443 (https) to everyone

Here's one that allows an instance to act as a sendmail server, but only for one other machine:

Beginning of port range   End of port range   Protocol   CIDR ranges      Source group   Explanation
25                        25                  tcp        192.168.17.31    (none)         Open port 25 (smtp) to the lucky server at 192.168.17.31
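The groups from the two examples above, together with a group rule of the kind described under “Group rule”, modelled as an added example (not part of this wiki page or of the Wikitech tooling) of how an instance's groups combine: rules are allow-only, an instance's effective policy is the union of the rules of every group it belongs to, and anything unmatched is dropped. Group names and addresses are constructed, and the Nagios check port (5666, NRPE) is an assumption since the page only says the default group admits ssh and Nagios.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One security group rule, as entered on the Special:NovaSecurityGroup form."""
    from_port: int
    to_port: int
    protocol: str                        # "tcp", "udp" or "icmp"
    cidr: Optional[str] = None           # individual rule: allowed source addresses
    source_group: Optional[str] = None   # group rule: allowed source security group

    def matches(self, src_ip, src_groups, protocol, port):
        # Protocol and port range must match; then either the CIDR or the
        # sender's group membership decides, depending on the kind of rule.
        if protocol != self.protocol or not (self.from_port <= port <= self.to_port):
            return False
        if self.cidr is not None:
            return ip_address(src_ip) in ip_network(self.cidr, strict=False)
        return self.source_group in src_groups

# Constructed sample groups; the Nagios port (5666, NRPE) is an assumption,
# the page only says the default group admits ssh and Nagios.
GROUPS = {
    "default": [Rule(22, 22, "tcp", cidr="0.0.0.0/0"),
                Rule(5666, 5666, "tcp", cidr="10.4.0.0/21")],   # labs only
    "web":     [Rule(80, 80, "tcp", cidr="0.0.0.0/0"),
                Rule(443, 443, "tcp", cidr="0.0.0.0/0")],
    "mail":    [Rule(25, 25, "tcp", cidr="192.168.17.31/32")],
    # Group rule: any instance that is a member of "web" gets full tcp access.
    "admin":   [Rule(1, 65535, "tcp", source_group="web")],
}

def allowed(instance_groups, src_ip, protocol, port, src_groups=frozenset()):
    """Allow-only semantics: the packet passes if any rule of any group the
    instance belongs to matches; otherwise it is dropped."""
    return any(rule.matches(src_ip, src_groups, protocol, port)
               for group in instance_groups for rule in GROUPS[group])
```

An instance in no group at all gets an empty rule set and therefore drops everything, which is the isolation the introduction warns about.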

Important: If you know what services you need access to but don't know what ports to open, there's a comprehensive list of standard ports here.