A security group is a set of stateful firewall rules that control inbound and outbound traffic to your resources. Security groups are tied to a VPC and can be reused across all resources in that VPC. You need at least one security group before creating an instance. By default, all traffic is denied — you must explicitly add rules to allow it.
Prerequisite: You need an existing VPC network before creating a security group.

Summary

This page explains how to create and manage security groups in the Nscale Console UI. Use this workflow if you:
  • Need to control which traffic can reach your instances and clusters
  • Want to define reusable firewall rules within a VPC
  • Are setting up networking before creating instances (a security group is required)

Availability

This feature is available for On-demand and Reserved cloud services.

Requirements

  • A VPC network to associate the security group with
  • Permission and sufficient quota to create security groups
Default behaviour: With no rules defined, all inbound and outbound traffic is denied. You must add rules to allow the traffic your workloads need.

Key Concepts

  • Inbound rules control traffic coming into your resources (e.g., SSH connections from your IP)
  • Outbound rules control traffic going out from your resources (e.g., internet access for package downloads)
  • Stateful: If you allow an inbound connection, the return traffic is automatically allowed (and vice versa)

CIDR Notation

Security group rules use CIDR notation to specify IP ranges:
  • 0.0.0.0/0 = all IP addresses (open to the internet)
  • 10.0.1.0/24 = a specific subnet (256 addresses)
  • 203.0.113.50/32 = a single IP address

Protocol Reference

| Protocol | When to Use |
|----------|-------------|
| TCP | Most common — used for SSH (port 22), HTTP (80), HTTPS (443), and application traffic |
| UDP | Used for DNS (port 53), some streaming/gaming protocols |
| Any | Allows all protocols — use with caution |
| VRRP | Virtual Router Redundancy Protocol — used for high-availability failover. Most users don’t need this; use TCP/UDP/Any instead |

Common Rule Examples

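| Use Case | Direction | Protocol | Port Range | Source/Destination CIDR |
|----------|-----------|----------|------------|-------------------------|
| Allow SSH access | Inbound | TCP | 22 | 0.0.0.0/0 or your IP (x.x.x.x/32) |
| Allow HTTP traffic | Inbound | TCP | 80 | 0.0.0.0/0 |
| Allow HTTPS traffic | Inbound | TCP | 443 | 0.0.0.0/0 |
| Allow all outbound | Outbound | Any | All | 0.0.0.0/0 |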
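
The rule fields and default-deny behaviour described above, modelled as an added example (not Nscale code; the rule dictionary layout and the function names are assumptions made for illustration). It checks whether a new connection would match any rule and flags inbound SSH rules that are open to 0.0.0.0/0.

```python
import ipaddress

# Constructed sample rules mirroring the console fields (direction, protocol,
# port range, CIDR). The dict layout is an assumption, not an Nscale API schema.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "ports": "22", "cidr": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": "443", "cidr": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": "5432", "cidr": "10.0.1.0/24"},
    {"direction": "outbound", "protocol": "any", "ports": "all", "cidr": "0.0.0.0/0"},
]

def port_range(spec):
    """Turn '22', '1-65535' or 'all' into an inclusive (low, high) tuple."""
    if spec.lower() == "all":
        return (1, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def is_allowed(rules, direction, protocol, port, address):
    """Default deny: a new connection passes only if one rule matches every field.
    Return traffic is not modelled because security groups are stateful."""
    ip = ipaddress.ip_address(address)
    for r in rules:
        low, high = port_range(r["ports"])
        if (r["direction"] == direction
                and r["protocol"] in (protocol, "any")
                and low <= port <= high
                and ip in ipaddress.ip_network(r["cidr"])):
            return True
    return False

def audit(rules, admin_ports=(22,)):
    """Flag inbound rules that expose admin ports or every protocol to all IPs."""
    findings = []
    for r in rules:
        if r["direction"] != "inbound":
            continue
        if ipaddress.ip_network(r["cidr"]).prefixlen != 0:
            continue  # restricted to a subnet or a single address
        low, high = port_range(r["ports"])
        if r["protocol"] == "any":
            findings.append((r["ports"], "all protocols open to every IP"))
        exposed = [p for p in admin_ports if low <= p <= high]
        if exposed and r["protocol"] in ("tcp", "any"):
            findings.append((r["ports"], f"admin port(s) {exposed} open to every IP"))
    return findings
```

Replacing the SSH rule's CIDR with a single address such as 203.0.113.50/32 clears the finding while keeping SSH reachable from that address.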

Security Group Lifecycle

| Action | Details |
|--------|---------|
| Create | Provide a name, select a VPC, add an optional description, and define rules |
| Edit rules | Add, modify, or remove individual rules at any time |
| Delete | Remove the security group when it is no longer needed |
You cannot delete a security group that is currently attached to active resources (instances, clusters). Detach or delete the associated resources first.

Step-by-step

Create a security group

  1. In the Console left navigation, go to Network → Security Groups
  2. Click the + New button in the top-right corner
  3. A side panel opens with the creation form:
    • Name: Enter a name for the security group
    • VPC: Select the VPC this security group will belong to
    • Description (optional): Add a description (up to 200 characters)
  4. Click Add Rules to define your firewall rules:
    • Choose Inbound or Outbound
    • Select the Protocol (TCP, UDP, Any, or VRRP)
    • Enter the Port Range (e.g., 22 for SSH, 80 for HTTP, or 1-65535 for all ports)
    • Enter the CIDR block (e.g., 0.0.0.0/0 for all IPs)
    • Add as many rules as needed
  5. Click Create to save the security group

Managing security groups

To edit an existing security group:
  1. Go to Network → Security Groups and select the security group
  2. Add, modify, or remove rules as needed
  3. Save your changes
To delete a security group:
  1. Ensure no resources are attached to it
  2. Go to Network → Security Groups, select the security group, and delete it

Common Issues / Troubleshooting

  • Symptom: Can’t delete a security group. Likely cause: The security group is attached to one or more active resources (instances, clusters). Fix: Remove or delete the associated resources, then try deleting the security group again.
  • Symptom: Instance is unreachable via SSH. Likely cause: No inbound rule for SSH (TCP port 22) in the instance’s security group. Fix: Go to Network → Security Groups, select the security group attached to the instance, and add an inbound rule for TCP port 22 from your IP or 0.0.0.0/0.
  • Symptom: Instance can’t download packages or reach the internet. Likely cause: No outbound rules defined. By default, all outbound traffic is denied. Fix: Add an outbound rule allowing the required protocols and ports (or allow all outbound with protocol Any to 0.0.0.0/0).

VPC Networks

Create the VPC your security group belongs to

Instances

Attach security groups when creating instances

Terraform Provider

Manage security groups as infrastructure as code

API Reference

Manage security groups programmatically via the Networking and Storage API