# Security Groups

A **Security Group** defines inbound and outbound traffic rules for resources like VMs.

* Acts like a virtual firewall
* Scoped to a VPC, but attached to individual VMs

In the same analogy of VPC to a neighborhood, assume that you are putting a security guard in front of your houses (VMs in this case) who decides who goes into the house or can come out of the house; that’s exactly a security group. The simplest use of security groups is to enable inbound and outbound traffic through ports (Port 22, 8080, etc).

Please note that port 22 (the SSH protocol) must be enabled if you want to SSH into the VMs.

***

#### Creating a Security Group  <a href="#creating-a-security-group" id="creating-a-security-group"></a>

1. Navigate to **Networking > Security Groups**
2. Click **"Create Security Group"**
3. Fill in:
   * Name
   * Description
   * VPC (required)
   * Define Inbound Rules:
     * Protocol
     * Port Range
       * Based on the selected protocol, the standard port range for that protocol is auto-selected
       * You can skip the protocol and just specify the port ranges
       * Port ranges are given as a comma-separated list, e.g. 22, 80, 8080, 1205-1250
       * You can define as many ports as you want, unless a protocol is selected

       Follow the principle of least privilege:

       * Only open required ports
       * Restrict access to known IP ranges
       * Avoid broad port ranges unless necessary
     * Remote IP Prefix

       ⚠️ **Warning:** allowing 0.0.0.0/0 exposes your resource to the public internet.\
       Avoid opening sensitive ports like SSH (22) unless restricted to specific IPs.
   * Define Outbound Rules (similar)
   * If no inbound rules are defined, all inbound traffic is denied by default.
4. Click **"Create Security Group"**

**Example** (Secure SSH access):

* Protocol: TCP
* Port: 22
* Source: Your IP (e.g., 203.0.113.5/32)

**Example** (Web server):

* HTTP: 80 from 0.0.0.0/0
* HTTPS: 443 from 0.0.0.0/0
* SSH: restricted to admin IP only
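As an added example (not part of this documentation or of the platform's own tooling), the following Python check parses the comma-separated port-range format accepted by the form above and flags the rules the warning describes: 0.0.0.0/0 on sensitive ports, broad ranges, and protocol "All". The standard-port map and the set of sensitive ports are assumptions drawn from the protocol table further down the page.

```python
import ipaddress
import re

# Ports auto-selected when a named protocol is chosen (taken from the page's table).
STANDARD_PORTS = {"SSH": "22", "HTTP": "80", "HTTPS": "443", "RDP": "3389",
                  "MYSQL": "3306", "MSSQL": "1433", "DNS": "53", "LDAP": "389"}
# Ports that should not face 0.0.0.0/0 (assumed set; SSH is the one the page names).
SENSITIVE_PORTS = {22, 389, 1433, 3306, 3389}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_port_ranges(spec):
    """Parse the form's comma-separated list, e.g. '22, 80, 8080, 1205-1250'."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad port entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        ranges.append((lo, hi))
    return ranges


def lint_inbound_rule(protocol, ports, remote_prefix):
    """Return least-privilege findings for one inbound rule (empty list = no finding).

    ports=None means the protocol's standard range is auto-selected, as in the UI.
    """
    findings = []
    if ports is None:
        ports = STANDARD_PORTS.get(protocol.upper(), "0-65535")
    src = ipaddress.ip_network(remote_prefix, strict=False)
    if protocol.upper() == "ALL":
        findings.append("protocol All opens every port; use only when debugging")
    for lo, hi in parse_port_ranges(ports):
        if hi - lo >= 1000:
            findings.append(f"broad port range {lo}-{hi}")
        if src == ANY:
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(f"sensitive port(s) {exposed} open to 0.0.0.0/0; restrict to known IPs")
    return findings
```

Running the two example rule sets above through `lint_inbound_rule` yields no findings for SSH from 203.0.113.5/32 or HTTP/HTTPS from 0.0.0.0/0, and one finding if SSH were opened to 0.0.0.0/0.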

***

#### Editing a Security Group  <a href="#editing-a-security-group" id="editing-a-security-group"></a>

1. Click the **three-dot menu > Edit**
2. Name and VPC are not editable
3. All other fields (description, rules) can be changed
4. You can define new rules or edit existing rules or delete existing rules
5. Save changes

***

#### Deleting a Security Group <a href="#deleting-a-security-group" id="deleting-a-security-group"></a>

1. Click the **three-dot menu > Delete**
2. Confirm deletion in the pop-up
3. Upon confirmation, SG is deleted

***

#### Billing and Pricing <a href="#billing-and-pricing" id="billing-and-pricing"></a>

Security groups are free and are not chargeable.

***

### Protocols & Standard Port Ranges <a href="#protocols-and-standard-port-ranges" id="protocols-and-standard-port-ranges"></a>

| **Protocol**             | **Port(s)**                     | **Direction**    | **Use Case**                                                                                              |
| ------------------------ | ------------------------------- | ---------------- | --------------------------------------------------------------------------------------------------------- |
| **All**                  | `0-65535`                       | Inbound/Outbound | Allows all traffic. Use with caution.                                                                     |
| **TCP**                  | `0-65535` (customizable)        | Inbound/Outbound | Reliable communication (used by HTTP, SSH, RDP, etc.)                                                     |
| **UDP**                  | `0-65535` (customizable)        | Inbound/Outbound | Fast, connectionless (used by DNS, NTP, video/audio streaming)                                            |
| **DNS**                  | `UDP 53` / `TCP 53`             | Both             | Domain name resolution                                                                                    |
| **HTTP**                 | `TCP 80`                        | Inbound          | Unencrypted web traffic                                                                                   |
| **HTTPS**                | `TCP 443`                       | Inbound          | Encrypted web traffic                                                                                     |
| **ICMP**                 | N/A (uses Type/Code)            | Both             | Used for ping, traceroute                                                                                 |
| **FTP**                  | `TCP 20 (data)`, `21 (control)` | Inbound          | File transfer protocol                                                                                    |
| **SSH**                  | `TCP 22`                        | Inbound          | Secure shell remote login                                                                                 |
| **IMAP**                 | `TCP 143`                       | Inbound          | Email retrieval                                                                                           |
| **IMAPS**                | `TCP 993`                       | Inbound          | Secure email retrieval                                                                                    |
| **LDAP**                 | `TCP 389`                       | Inbound          | Directory services                                                                                        |
| **MSSQL**                | `TCP 1433`                      | Inbound          | Microsoft SQL Server                                                                                      |
| **MYSQL**                | `TCP 3306`                      | Inbound          | MySQL database                                                                                            |
| **POP3**                 | `TCP 110`                       | Inbound          | Email retrieval (older protocol)                                                                          |
| **POP3S**                | `TCP 995`                       | Inbound          | Secure version of POP3                                                                                    |
| **RDP**                  | `TCP 3389`                      | Inbound          | Remote Desktop Protocol (Windows)                                                                         |
| **SMTP (plain)**         | `TCP 25`                        | Inbound/Outbound | Legacy email sending. Often blocked by ISPs and prone to abuse (spam). Avoid using in production.         |
| **SMTPS (implicit TLS)** | `TCP 465`                       | Inbound          | Legacy secure SMTP over TLS. Still supported by some providers but not recommended as the primary option. |
| **SMTPS Submission**     | `TCP 587`                       | Inbound/Outbound | Recommended port for sending email using STARTTLS (secure and widely supported).                          |

* **All**: Opens all ports/protocols – best avoided unless debugging in a secure environment.
* **ICMP**: Doesn’t use ports. Controlled by ICMP types like Echo Request (type 8), Echo Reply (type 0).
* **Custom Rules**: You can specify any protocol and port range manually using TCP/UDP.
* Ports above `1024` are generally considered **ephemeral** or for custom application use.
