
Security Group

A security group is a set of firewall rules that controls which network traffic can reach or leave your cloud resources. It permits or denies connections based on protocol, port, and IP address.

What is a Security Group in cloud hosting?

A security group is a set of firewall rules that controls which network traffic can reach or leave your cloud resources. It acts as a virtual barrier that permits or denies connections based on protocol, port, and IP address.

Each rule in a security group specifies a direction (inbound or outbound), a protocol (such as TCP or UDP), a port number or range, and a source or destination address. When traffic arrives at or departs from a resource, the security group checks whether any rule permits that traffic. If no rule matches, the traffic is blocked.

Security groups attach directly to instances (virtual machines). Unlike traditional firewalls that sit at the edge of a network, security groups travel with the resource they protect. If you move an instance to a different subnet, its security group rules follow it.

Why Security Groups exist

Without security groups, every cloud resource would be exposed to all network traffic by default. Any system on the internet could attempt to connect to any port on your instances. Attackers could scan for open services, exploit vulnerabilities, and access sensitive data.

Security groups solve this problem by requiring explicit permission for each type of network connection. You must define which traffic is acceptable before it can reach your resources. This default-deny approach means that forgetting to configure a rule results in blocked traffic rather than exposed services.

Security groups make it possible to:

  • Isolate resources from each other within the same cloud environment
  • Restrict administrative access to specific IP addresses
  • Allow only the minimum necessary connections for applications to function

What Do Security Groups Actually Do?

  • Evaluate every packet of network traffic against their rules before allowing or denying passage
  • Maintain separate rule sets for inbound (ingress) and outbound (egress) traffic
  • Track connection state, so return traffic from an allowed outbound connection is automatically permitted without a separate inbound rule
  • Apply rules immediately when attached to an instance, without requiring a reboot
  • Allow multiple security groups on a single instance, with the rules from all groups combined
  • Permit the same security group on multiple instances for consistent policy enforcement
  • Accept other security groups as traffic sources, enabling rules like "permit connections from any instance in security group X"

When would I use a Security Group?

You would use a security group whenever you deploy a cloud resource that communicates over a network. Common scenarios include:

  • Restricting administrative access: Allow SSH or RDP connections only from your office IP addresses or VPN, blocking access from everywhere else
  • Protecting web servers: Allow web traffic on ports 80 and 443 while blocking all other inbound connections
  • Securing databases: Permit your application servers to connect to a database on port 5432 while preventing direct internet access to the database
  • Enabling application clustering: Allow instances within the same application tier to communicate with each other for clustering or load balancing
  • Separating environments: Create separate security groups for development, staging, and production to prevent cross-environment traffic

When would I NOT use a Security Group?

Security groups control traffic at the instance level, not at the network edge. They are not the right tool for certain tasks:

  • Traffic logging: Security groups only permit or deny packets. They do not record details about blocked connections for compliance or audit purposes.
  • Packet inspection: Security groups operate on IP addresses, protocols, and ports only. They cannot inspect packet contents for malware or application-layer attacks.
  • Cross-VPC traffic control: Traffic between different VPCs or external networks requires network access control lists (ACLs) or firewall appliances, not security groups.
  • Non-instance traffic: Security groups do not filter traffic that does not flow through instance network interfaces, such as traffic between services over a shared bus or API gateway.

Security groups add latency measured in microseconds, which is negligible for most applications. However, if you have thousands of rules in a single security group, rule evaluation can slow down. Restructure large rule sets into smaller, focused security groups to maintain performance.

Real-world example

Company A runs an e-commerce platform with three tiers: a load balancer, application servers, and a database server. They create three security groups:

Load Balancer Security Group: Allows inbound TCP traffic on ports 80 and 443 from any IP address (0.0.0.0/0). Customers anywhere on the internet can access the website.

Application Server Security Group: Allows inbound traffic only from instances in the Load Balancer Security Group on port 8080. Application servers receive requests only through the load balancer, not directly from the internet.

Database Security Group: Allows inbound traffic only from instances in the Application Server Security Group on port 5432 (PostgreSQL). No system can connect to the database except the application tier.

When Company A deploys a new application server, they attach the Application Server Security Group. The instance immediately inherits all the correct firewall rules. When they decommission an application server, removing it from the security group instantly revokes its access to the database.
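The rule semantics described above (default deny, CIDR or group-reference sources, rules from all attached groups combined, stateful return traffic) and Company A's three-tier layout, as an added example that is not part of the original page or any provider's implementation; the group names, IP addresses and ports are constructed for illustration:

```python
# Constructed toy evaluator for this page's rule semantics; not IMHCloud's or any provider's code.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    proto: str      # "tcp", "udp" or "any"
    port_min: int
    port_max: int
    peer: str       # CIDR such as "0.0.0.0/0", or the name of another security group

class Evaluator:
    def __init__(self, groups, members):
        self.groups = groups    # {group name: [Rule, ...]}
        self.members = members  # {instance IP: set of attached group names}
        self.flows = set()      # tracked (client IP, server IP, proto, server port)
    def _peer_matches(self, rule, peer_ip):
        if "/" in rule.peer:    # CIDR peer
            return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)
        return rule.peer in self.members.get(peer_ip, set())  # group-reference peer
    def _rule_allows(self, ip, direction, proto, port, peer_ip):
        for name in self.members.get(ip, set()):  # rules from every attached group combine
            for r in self.groups[name]:
                if (r.direction == direction and r.proto in (proto, "any")
                        and r.port_min <= port <= r.port_max and self._peer_matches(r, peer_ip)):
                    return True
        return False            # default deny: no rule matched
    def ingress(self, src_ip, dst_ip, proto, port):  # new inbound connection to dst_ip:port
        if not self._rule_allows(dst_ip, "ingress", proto, port, src_ip):
            return False
        self.flows.add((src_ip, dst_ip, proto, port))  # remember it so the reply can pass
        return True
    def egress(self, src_ip, dst_ip, proto, src_port, dst_port):  # packet leaving src_ip
        if (dst_ip, src_ip, proto, src_port) in self.flows:
            return True         # stateful: reply to an allowed flow needs no egress rule
        return self._rule_allows(src_ip, "egress", proto, dst_port, dst_ip)

ANY = "0.0.0.0/0"
GROUPS = {"sg-lb": [Rule("ingress", "tcp", 80, 80, ANY), Rule("ingress", "tcp", 443, 443, ANY)],
          "sg-app": [Rule("ingress", "tcp", 8080, 8080, "sg-lb")],
          "sg-db": [Rule("ingress", "tcp", 5432, 5432, "sg-app")]}
LB, APP, DB, CLIENT = "10.0.0.10", "10.0.1.10", "10.0.2.10", "203.0.113.5"  # constructed IPs

def three_tier_checks():
    ev = Evaluator(GROUPS, {LB: {"sg-lb"}, APP: {"sg-app"}, DB: {"sg-db"}})
    return {"client_to_lb_443": ev.ingress(CLIENT, LB, "tcp", 443),      # True
            "client_to_app_8080": ev.ingress(CLIENT, APP, "tcp", 8080),  # False: not from sg-lb
            "lb_to_db_5432": ev.ingress(LB, DB, "tcp", 5432),            # False: only sg-app may
            "app_to_db_5432": ev.ingress(APP, DB, "tcp", 5432),          # True
            "db_reply_to_app": ev.egress(DB, APP, "tcp", 5432, 51234),   # True: tracked reply
            "db_to_client": ev.egress(DB, CLIENT, "tcp", 51234, 443)}    # False: no egress rule
```

Detaching an instance from a group is modelled by dropping the group name from its membership set, after which the same database check returns False, matching the decommissioning step above.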

Frequently Asked Questions

Do I need more than one security group? Yes, most environments benefit from multiple security groups. Creating separate groups for different resource types (web servers, application servers, databases) or different access patterns (administrative access, application traffic) makes rules easier to manage and audit. Start with separate groups for each tier of your application.

Does creating a security group affect existing resources? No. Creating a security group has no effect until you attach it to an instance. Existing instances continue using their current security groups unchanged. You must explicitly attach the new security group to an instance for its rules to apply.

What happens if I delete a security group? You cannot delete a security group that is attached to any instance. First remove the security group from all instances, then delete it. If you need to remove all security groups from an instance, attach a different security group first to maintain network connectivity.

Can I change security group rules without downtime? Yes. Rule changes take effect immediately without requiring instance restarts or connection drops. Existing established connections that were permitted under the old rules typically continue. New connections are evaluated against the updated rules.

How do security groups differ from network ACLs? Security groups are stateful and attach to instances: return traffic from an allowed connection is automatically permitted, and traffic is filtered per instance. Network ACLs are stateless and attach to subnets: you must create rules for both directions, and they filter traffic entering or leaving the entire subnet.

Summary

  • A security group is a set of firewall rules that permits or denies network traffic to and from cloud resources based on protocol, port, and IP address
  • Security groups are stateful: return traffic from an allowed connection is automatically permitted
  • They attach to instances and follow the resource wherever it moves within the cloud environment
  • Rules from multiple security groups on the same instance are combined, and rules can reference other security groups as sources
  • Security groups enforce a default-deny policy, blocking all traffic unless explicitly permitted by a rule

Related terms

  • Instance: An instance is a virtual server you launch in the cloud, such as a compute resource with its own CPU, memory, and network interface that runs your applications.
  • Virtual Private Cloud (VPC): A VPC is an isolated network environment where you deploy cloud resources, such as a private network segment with its own IP address range and routing rules.
  • Network: A network is a logical grouping of connected resources that can communicate with each other, such as a set of instances that share the same subnet and can exchange traffic.
  • Multi-Tenancy: Multi-tenancy is a cloud architecture where multiple customers share the same physical infrastructure while remaining logically isolated from each other, enabling efficient resource utilization and cost sharing.
  • Project: A project is an isolated resource container in OpenStack that groups users, instances, networks, storage, and other cloud resources under a single administrative boundary with defined quotas and access controls.