Security Groups in Thalassa Cloud VPCs
A Security Group is a virtual firewall that controls inbound and outbound network traffic for resources within a Virtual Private Cloud (VPC) in Thalassa Cloud. Security groups allow users to define access rules that govern traffic flow at the instance level, ensuring fine-grained security controls for workloads deployed in the cloud.
Security Group Capabilities
Capability | Description |
---|---|
Inbound and Outbound Rules | Users can define rules for both incoming and outgoing traffic, controlling access to instances. |
Instance-Level Security | Security groups apply directly to Virtual Machines (VMs), enforcing access restrictions at the resource level. |
Stateful Filtering | Filtering is stateful: once a connection is allowed by a rule, its return traffic is permitted automatically in the opposite direction without needing a rule of its own. |
Multiple Security Groups per Instance | A single VM can be assigned multiple security groups, allowing flexible and layered security policies. |
Fine-Grained Rule Control | Rules can be configured based on protocol, port range, and source/destination IPs or CIDR blocks. |
VPC Scope | A security group belongs to a single VPC and can only be attached to resources in that VPC, so the rule sets of workloads in different network segments stay separate. |
Security Group Behavior and Constraints
Inbound and Outbound Rules
Security groups define both inbound (ingress) and outbound (egress) rules. Inbound rules control what traffic is allowed to reach an instance, while outbound rules determine what external destinations the instance can communicate with.
- If no inbound rules are defined, all inbound traffic is denied by default.
- If no outbound rules are defined, all outbound traffic is allowed by default. Once at least one outbound rule exists, only outbound traffic that matches a rule is allowed, so adding the first egress rule changes the default for unmatched destinations from allow to deny.
- Return traffic is automatically allowed if an outbound connection has been initiated (stateful behavior).
Instance-Level Security
Security groups apply to Virtual Machines (VMs) and other resources within a VPC. When a security group is attached to a VM, only traffic that matches the defined rules is permitted, enhancing security at the workload level.
Multiple Security Groups per Instance
A single instance can belong to multiple security groups. When multiple security groups are assigned, their rules are aggregated: traffic is allowed if it matches at least one rule in any of the attached groups. Because rules only permit traffic and are combined permissively, attaching an additional group can only widen what is allowed, never narrow it; a restrictive group does not override a permissive one.
Rule Configuration
Security group rules consist of the following components:
- Protocol: Defines whether the rule applies to TCP, UDP, or ICMP.
- Port Range: Specifies the allowed port or range of ports for traffic.
- Source (inbound rules) or Destination (outbound rules): The allowed peer, given as an IP address, a CIDR block, or another security group; referencing a group matches traffic to or from every resource that group is attached to.
Stateful Traffic Management
Security groups use stateful filtering. When a connection is allowed by a rule in one direction, the response traffic for that connection is permitted automatically in the other direction: replies to an allowed outbound connection need no inbound rule, and replies from an instance to an allowed inbound connection need no outbound rule. Only the direction in which a connection is initiated needs a rule, which keeps rule sets small.
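The following is an added example, not code from Thalassa Cloud or this page: a small Python model of the semantics described in the sections above (default deny inbound and default allow outbound, permissive aggregation across multiple attached groups, rules keyed on protocol, port range and a CIDR or group reference, and stateful return traffic). The `Rule`, `SecurityGroup`, `Packet` and `InstanceFirewall` names, the `sg:<name>` reference syntax and the addresses in `build_example` are all hypothetical; the `open_admin_ports` function is an audit check a reviewer might run over a rule set, included to show how allow-only rules are inspected for over-broad exposure.

```python
"""Model of the security-group semantics described on this page: allow-only
rules, aggregation across attached groups, default deny inbound / default allow
outbound, and stateful return traffic. Added illustration only: not Thalassa
Cloud's API or implementation; all names and addresses below are hypothetical."""
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp", "icmp" or "any"
    port_from: int   # inclusive port range; ignored for icmp
    port_to: int
    peer: str        # CIDR block, or "sg:<name>" to reference another group

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str

def rule_matches(rule, protocol, port, peer_ip, membership):
    """True if the rule covers this protocol/port and the remote address.
    membership maps a group name to the IPs of the instances carrying that group."""
    if rule.protocol not in ("any", protocol):
        return False
    if protocol != "icmp" and not (rule.port_from <= port <= rule.port_to):
        return False
    if rule.peer.startswith("sg:"):
        return peer_ip in membership.get(rule.peer[3:], set())
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer, strict=False)

class InstanceFirewall:
    """Stateful filter for one instance: the union of its groups' rules plus a flow table."""

    def __init__(self, ip, groups, membership):
        self.ip = ip
        self.groups = groups
        self.membership = membership
        self.flows = set()  # (protocol, local_port, remote_ip, remote_port) of allowed connections

    def allow(self, pkt):
        """Return (allowed, reason) for a packet entering or leaving this instance."""
        if pkt.dst_ip == self.ip:
            direction, local_port, remote_ip, remote_port = "ingress", pkt.dst_port, pkt.src_ip, pkt.src_port
        elif pkt.src_ip == self.ip:
            direction, local_port, remote_ip, remote_port = "egress", pkt.src_port, pkt.dst_ip, pkt.dst_port
        else:
            return False, "packet does not involve this instance"
        key = (pkt.protocol, local_port, remote_ip, remote_port)
        # Stateful: a reply to an already-allowed connection needs no rule of its own.
        if key in self.flows:
            return True, "established connection"
        # Aggregation: rules of every attached group are pooled; any single match allows.
        rules = [r for g in self.groups for r in g.rules if r.direction == direction]
        if direction == "egress" and not rules:
            self.flows.add(key)
            return True, "no egress rules configured: default allow"
        # Rules name the instance's own port for ingress and the remote port for egress.
        port = local_port if direction == "ingress" else remote_port
        for r in rules:
            if rule_matches(r, pkt.protocol, port, remote_ip, self.membership):
                self.flows.add(key)
                return True, f"matched {direction} {r.protocol}/{r.port_from}-{r.port_to} {r.peer}"
        return False, f"no matching {direction} rule: default deny"

def open_admin_ports(groups, admin_ports=(22, 3389), anywhere=("0.0.0.0/0", "::/0")):
    """Audit check: ingress rules exposing administrative ports to the whole internet."""
    findings = []
    for g in groups:
        for r in g.rules:
            if r.direction == "ingress" and r.peer in anywhere and r.protocol in ("tcp", "any"):
                exposed = [p for p in admin_ports if r.port_from <= p <= r.port_to]
                if exposed:
                    findings.append((g.name, exposed))
    return findings

def build_example():
    """Constructed two-tier layout: web is reachable from anywhere on 443 and may only
    open connections to db on 5432; db admits only members of the web group."""
    web = SecurityGroup("web", [Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),
                                Rule("egress", "tcp", 5432, 5432, "sg:db")])
    db = SecurityGroup("db", [Rule("ingress", "tcp", 5432, 5432, "sg:web")])
    membership = {"web": {"10.0.1.10"}, "db": {"10.0.2.20"}}
    return InstanceFirewall("10.0.1.10", [web], membership), InstanceFirewall("10.0.2.20", [db], membership)

if __name__ == "__main__":
    web_fw, db_fw = build_example()
    print(web_fw.allow(Packet("203.0.113.5", 51000, "10.0.1.10", 443, "tcp")))  # client -> web: rule match
    print(web_fw.allow(Packet("10.0.1.10", 443, "203.0.113.5", 51000, "tcp")))  # reply: stateful, no egress rule
    print(web_fw.allow(Packet("10.0.1.10", 40000, "198.51.100.7", 80, "tcp")))  # unrelated egress: denied
```

Two behaviours in this model are the ones worth checking against a real rule set: the web instance's reply on port 443 is allowed only because the flow was recorded when the inbound packet matched, even though its single egress rule would otherwise block it, and the db instance, which has no egress rules at all, can open a fresh connection anywhere, which is the default-allow outbound behaviour described above.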
Security Group Scope
Security groups operate within a VPC and cannot be shared between different VPCs. For VMs in different VPCs to communicate, the networks must be connected (for example through a VPC Peering connection) and the security groups on both sides must explicitly allow the traffic; because a group in another VPC cannot be referenced, the remote peer is specified by IP address or CIDR block.
Summary
Security Groups in Thalassa Cloud provide instance-level network security by controlling inbound and outbound traffic at the VM level. With support for stateful filtering, multiple security groups per instance, and fine-grained access controls, security groups offer a flexible and robust approach to network access control.
By implementing security groups effectively, users can ensure that only authorized traffic reaches their workloads while maintaining strict isolation between different network environments. For advanced configurations, security groups can be combined with Firewall Rules to achieve even greater control over network traffic.