Security Group Management in Horizon
Security groups can be thought of as firewalls: they control inbound and outbound traffic to your virtual machines. Under both the CLI and Horizon, access defaults to all outbound traffic allowed and NO inbound traffic allowed.
To allow access to your VM for things like SSH, you will need to create a security group and add rules to it.
Naming and reusing security groups
You can reuse a security group many times, so a best practice is to create groups by related services. For instance, you might create a basic group for ssh and icmp (which is what we will show as an example) and then a separate security group for http and https access if you’re running a web service on your instance.
Creating Security Groups and Rules
This will walk you through creating a basic security group in Horizon and adding a couple of simple access rules.
- Log in to the Horizon dashboard and make sure you’ve selected the correct allocation. Select the Network tab on the sidebar and click
- Once you’re on the security group page, you’ll need to click the Create Security Group button (noted with a red arrow on the screenshot).
- In the popup box that comes up, you’ll give your new security group a name (we suggest something like my-username-ssh-and-icmp) and an optional description. We recommend giving it a meaningful name and noting in the description what your intended purpose is.
- When the creation is successful, it will bring you back to the security group page and note the success in the corner with a green status message. You’ll see your new group name at the top where it says Manage Security Group Rules: your-rule-name. You’ll then want to click Add Rule (noted with a red arrow on the screenshot).
- This will bring up a new dialog box where you can select the parameters for your security group rule.
- If you click the Rule dropdown at the top, you’ll see a list of common rule types as well as the option for custom rules. For this example, we’ll select SSH to allow inbound port 22/SSH access.
- We’ll fill in the other details needed. We do recommend putting in a description of what the rule does so it’s easy to see at a glance. We’ll also select CIDR as the remote type and then set 0.0.0.0/0 as the CIDR. This allows traffic from any address to the SSH port. You can instead make that a single IP or a specific CIDR block. In general, limiting access to specific CIDR blocks or IPs is best.
For example, you could specify 184.108.40.206/22 to limit connections to only Jetstream2 VMs at the TACC regional location.
- When the creation is successful, it will bring you back to the security group page and note the success in the corner with a green status message. You’ll see your new rule now on the page.
- You’ll need to click the Add Rule button a second time, and we’ll create a second rule for All ICMP. This will allow things like incoming ping to check the status of your virtual machine. You’ll select CIDR as the remote type and set the CIDR to 0.0.0.0/0 to allow all hosts to ping your virtual machine.
- As before, when the creation is successful, it will bring you back to the security group page and note the success in the corner with a green status message. You’ll see your new rule now on the page.
You can then add additional rules or additional security groups. This will allow the most basic of access to your VMs.
We do recommend limiting access as much as possible for best security practices.
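The same group and two rules, built with the OpenStack CLI instead of Horizon, as an added example that is not part of the Jetstream2 documentation. It assumes the `openstack` client is installed and your openrc file is sourced; the `run`, `check_cidr` and `create_ssh_icmp_group` helper names are this example's own, and the CIDR check is where the "limit access" recommendation above is enforced.

```shell
#!/bin/sh
# Added example (not from the Jetstream2 docs): CLI equivalent of the Horizon
# walkthrough. Creates one security group and adds the two inbound rules
# (SSH on tcp/22 and All ICMP), both limited to the CIDR you pass in.
# Assumes the `openstack` client is installed and an openrc file is sourced.
set -eu

# Execute a command, or print it when DRY_RUN=1 so it can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject a remote value with no prefix length, and warn when it is the
# wide-open 0.0.0.0/0 used in the walkthrough (every IPv4 address matches).
check_cidr() {
    case "$1" in
        */*) ;;
        *) echo "error: '$1' is not a CIDR (expected a.b.c.d/n)" >&2; return 1 ;;
    esac
    if [ "$1" = "0.0.0.0/0" ]; then
        echo "warning: 0.0.0.0/0 allows every IPv4 address; prefer a narrower block" >&2
    fi
}

# Usage: create_ssh_icmp_group NAME CIDR  (hypothetical helper, not an openstack command)
create_ssh_icmp_group() {
    name="$1"
    cidr="$2"
    check_cidr "$cidr"
    run openstack security group create "$name" \
        --description "ssh and icmp access from $cidr"
    run openstack security group rule create "$name" \
        --ingress --ethertype IPv4 --protocol tcp --dst-port 22 \
        --remote-ip "$cidr" --description "inbound ssh from $cidr"
    run openstack security group rule create "$name" \
        --ingress --ethertype IPv4 --protocol icmp \
        --remote-ip "$cidr" --description "inbound icmp (ping) from $cidr"
}

# With NAME and CIDR as arguments the rules are created; with no arguments
# the commands for the walkthrough's example group are only previewed.
if [ $# -eq 2 ]; then
    create_ssh_icmp_group "$1" "$2"
else
    DRY_RUN=1
    create_ssh_icmp_group my-username-ssh-and-icmp 184.108.40.206/22
fi
```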