Security Groups

A security group is a stateful firewall attached to instances and load balancers. Rules allow inbound (and optionally outbound) traffic; anything not explicitly allowed is denied.

Create rules

Under Network → Security Groups, create a group and add rules. Each rule specifies:

  • Direction — ingress (inbound) or egress (outbound).
  • Protocol — TCP, UDP, or ICMP.
  • Port range — e.g. 22, 80, 443, or a range.
  • Source / destination — a CIDR (e.g. 0.0.0.0/0 for anywhere) or another security group.

Because groups are stateful, return traffic for an allowed connection is permitted automatically — you don't need a matching reverse rule.

```bash
fm network security-group create --name web --vpc my-vpc
fm network security-group rule add web --direction ingress \
  --protocol tcp --port 443 --cidr 0.0.0.0/0
```

Good practice

  • Open only the ports you need; prefer narrow source CIDRs over 0.0.0.0/0.
  • Restrict SSH (port 22) to known administrative addresses.
  • Reference one group from another to model tiers (e.g. allow the web group to reach the db group on the database port).
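
The good-practice points above can be checked mechanically. The following Python script is an added example, not part of this page's tooling or the fm CLI; it audits a constructed rule list for world-open non-web ports, broadly sourced SSH, and wide port ranges. The dict layout, the `sg:` prefix for group references, and the thresholds are assumptions made for the example.

```python
import ipaddress

def rule(group, ports, source, protocol="tcp", direction="ingress"):
    # Assumed in-memory layout mirroring the rule fields listed on this page.
    return {"group": group, "direction": direction, "protocol": protocol,
            "ports": ports, "source": source}

# Constructed sample rules; "sg:<name>" marks a security-group reference (assumed notation).
SAMPLE_RULES = [
    rule("web", (443, 443), "0.0.0.0/0"),      # public HTTPS
    rule("web", (22, 22), "0.0.0.0/0"),        # SSH from anywhere
    rule("web", (22, 22), "203.0.113.0/29"),   # SSH from a small admin range
    rule("db", (5432, 5432), "sg:web"),        # tier-to-tier reference
    rule("db", (1024, 65535), "10.0.0.0/8"),   # very wide port range
    rule("web", (0, 65535), "::/0"),           # everything from any IPv6 address
]

PUBLIC_OK = {80, 443}                  # assumption: ports intended to face the internet
MAX_PORT_SPAN = 100                    # assumption: larger ranges deserve review
MIN_ADMIN_PREFIX = {4: 24, 6: 64}      # assumption: narrowest acceptable SSH source

def audit_rule(r):
    """Return findings for one rule; an empty list means nothing was flagged."""
    findings = []
    if r["direction"] != "ingress" or r["protocol"] not in ("tcp", "udp"):
        return findings                # egress and ICMP are out of scope here
    lo, hi = r["ports"]
    if hi - lo + 1 > MAX_PORT_SPAN:
        findings.append("wide-port-range")
    if r["source"].startswith("sg:"):
        return findings                # group reference: no CIDR to evaluate
    net = ipaddress.ip_network(r["source"], strict=False)
    # all() stops at the first non-public port, so wide ranges stay cheap.
    if net.prefixlen == 0 and not all(p in PUBLIC_OK for p in range(lo, hi + 1)):
        findings.append("world-open-nonpublic-port")
    if lo <= 22 <= hi and net.prefixlen < MIN_ADMIN_PREFIX[net.version]:
        findings.append("ssh-broad-source")
    return findings

def audit(rules):
    """Map rule index -> findings, omitting rules with no findings."""
    return {i: f for i, r in enumerate(rules) if (f := audit_rule(r))}

if __name__ == "__main__":
    for idx, found in audit(SAMPLE_RULES).items():
        r = SAMPLE_RULES[idx]
        print(f"{r['group']} {r['ports']} from {r['source']}: {', '.join(found)}")
```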