IBM Cloud Docs
Updating a VPC's default security group rules

Updating a VPC's default security group rules

The default security group is similar to any other security group, with the exception that it cannot be deleted.

Each VPC has a default security group, with rules to allow:

  • Inbound traffic from all members of the group (that is, all other resources that are attached to this security group)
  • All outbound traffic

You can modify the rules of the default security group by using the UI, CLI, or API.

If you edit the rules of the default security group, those edited rules then apply to all current and future servers in the group.

Inbound rules to allow pinging and SSH are not automatically added to the default security group.

Updating the default security group in the UI

  1. From your browser, open the IBM Cloud console.

  2. Select the Navigation Menu Menu icon, then click Infrastructure > Network > Security groups.

  3. In the Security groups list, click the name of the default security group that you want to update.

  4. On the default security group's details page, click the Rules tab.

  5. Modify the rules as necessary:

    • To edit a rule, click the Actions menu Actions menu, click Edit, make your changes, then click Save.
    • To delete a rule, click the Actions menu Actions menu, click Delete, then click Delete again.
    • To create a rule, click the Create button.

    For each rule, specify the following information:

    • Select the protocols and ports to which the rule applies.
    • Specify a CIDR block or IP address for the permitted traffic. Alternatively, you can specify a security group in the same VPC to allow traffic to or from all instances that are attached to the selected security group.

    Tips:

    • All rules are evaluated, regardless of the order in which they're added.
    • Rules are stateful, which means that return traffic in response to allowed traffic is automatically permitted. For example, you created a rule that allows inbound TCP traffic on port 80. That rule also allows replying outbound TCP traffic on port 80 back to the originating host, without the need for another rule.
    • For Windows images, make sure that the security group that is associated with the instance allows inbound and outbound Remote Desktop Protocol traffic (TCP port 3389).
  6. Optional: To view interfaces that are attached to the security group, click the Attached resources tab and review the Attached interfaces section.

  7. When you finish creating rules, click the Security groups breadcrumb at the top of the page to return to your list of Security groups for VPC.

Updating the default security group from the CLI

Complete the following steps to update the default security group by using the CLI:

  1. Log in to IBM Cloud® Virtual Private Cloud.

    If you have a federated account:

    ibmcloud login -sso
    

    Otherwise, use this command:

    ibmcloud login
    
  2. Get the default security group ID and details for the VPC.

    Run the following command to list all VPCs:

    ibmcloud is vpcs
    

    The default security group name is shown under the column Default Security Group. Note the name of it so that you can find the ID when you list the security groups (next).

    Now list all the security groups:

    ibmcloud is security-groups
    

    Save the security group ID (for the default security group) in a variable so that you can use it later. For example, use the variable name sg:

    sg=0738-2d364f0a-a870-42c3-a554-000001162469
    

    To get details about the security group, run the following command:

    ibmcloud is security-group GROUP
    

    For example, run the following command to get details about the security group with the security group ID you saved as a variable:

    ibmcloud is security-group $sg
    

    Alternatively, you can insert the actual ID value in place of the variable $sg.

  3. Update the default security group to add rules that allow SSH and PING.

    Disabling SSH connections prohibits the license registration for RedHat Enterprise Linux. This can result in provisioning failures.

    To add rules in your default security group, run the following command:

    ibmcloud is security-group-rule-add GROUP DIRECTION PROTOCOL [--port-min PORT_MIN] [--port-max PORT_MAX]
    ibmcloud is security-group-rule-add GROUP DIRECTION PROTOCOL [--icmp-type ICMP_TYPE [--icmp-code ICMP_CODE]]
    

    For example, run the following command to add rules that allow SSH and PING rules to the security group with the ID you set as your variable:

    ibmcloud is security-group-rule-add $sg inbound tcp --port-min 22 --port-max 22
    ibmcloud is security-group-rule-add $sg inbound icmp --icmp-type 8 --icmp-code 0
    

Adding and removing security group rules is an asynchronous operation. It usually takes 1 - 30 seconds for the change to go into effect.

Updating the default security group with the API

Complete the following steps to update the default security group by using the API:

  1. Set up your API environment with the correct variables.

  2. Get the default security group ID and details for the VPC.

    Run the following command to list all VPCs:

    curl -sX GET -H "Authorization:$iam_token" "$vpc_api_endpoint/v1/vpcs?generation=2&version=2022-09-13"
    

    The default security group details are shown in the output following default_security_group. Note the name of the default security group so that you can find the id when you list the security groups (next). Note the default security group id, and save it in a variable so that you can use it later. For example, use the variable name id:

    "sg" = "r006-a937009e-5da5-4e7b-9072-d44e1095327b"
    
  3. Update the default security group to add rules that allow SSH and PING.

Disabling SSH connections prohibits the license registration for RedHat Enterprise Linux. This can result in provisioning failures.

Run the following two commands to add default security group rules that allow SSH and PING for the security group with the security group id you set as the variable sg:

curl -sX POST  -H "Authorization:$iam_token" "$vpc_api_endpoint/v1/security_groups/$sg/rules?generation=2&version=$api_version"  -d '{"direction":"inbound","protocol":"tcp","port_min":22, "port_max":22}'
curl -sX POST  -H "Authorization:$iam_token" "$vpc_api_endpoint/v1/security_groups/$sg/rules?generation=2&version=$api_version"  -d '{"direction":"inbound","protocol":"icmp","code":0, "type":9}'

Adding and removing security group rules is an asynchronous operation. It usually takes 1 - 30 seconds for the change to go into effect.