Security Groups in Thalassa Cloud VPCs
A Security Group is a virtual firewall that controls inbound and outbound network traffic for resources within a Virtual Private Cloud (VPC) in Thalassa Cloud. Security groups provide stateful filtering at the resource level, allowing you to define granular access rules that govern traffic flow for compute instances, load balancers, NAT gateways, and managed services.
Security groups are essential for implementing defense-in-depth security strategies and ensuring that only authorized traffic reaches your cloud resources.
Security Group Capabilities
| Capability | Description |
|---|---|
| Inbound and Outbound Rules | Users can define rules for both incoming and outgoing traffic, controlling access to instances. |
| Resource-Level Security | Security groups apply to Virtual Machines (VMs), Load Balancers, NAT Gateways, and managed services, enforcing access restrictions at the resource level. |
| Stateful Filtering | Filtering is stateful: return traffic for a connection permitted by an outbound rule is allowed automatically. |
| Multiple Security Groups per Resource | A single resource can be assigned multiple security groups, allowing flexible and layered security policies. |
| Fine-Grained Rule Control | Rules can be configured based on protocol, port range, and source/destination IPs or CIDR blocks. |
| VPC-Level Enforcement | Security groups apply at the VPC level, ensuring isolation between workloads deployed in different network segments. |
Security Group Behavior and Constraints
Inbound and Outbound Rules
Security groups define both inbound (ingress) and outbound (egress) rules. Inbound rules control what traffic is allowed to reach an instance, while outbound rules determine what external destinations the instance can communicate with.
- If no inbound rules are defined, all inbound traffic is denied by default.
- If no outbound rules are defined, all outbound traffic is denied by default.
- Return traffic is automatically allowed if an outbound connection has been initiated (stateful behavior).
Resource-Level Security
Security groups apply to various cloud resources within a VPC, including:
- Virtual Machines (VMs): Control access to compute instances
- Load Balancers: Manage traffic flow to and from load balancer endpoints
- NAT Gateways: Control outbound traffic from private subnets
- Managed Services: Secure access to DBaaS instances, Kubernetes control planes, and node pools
- Other Cloud Endpoints: Protect various cloud service endpoints
When a security group is attached to a resource, only traffic that matches the defined rules is permitted, enhancing security at the resource level.
Multiple Security Groups per Resource
A single resource can belong to multiple security groups. When multiple security groups are assigned, their rules are aggregated: traffic is allowed if it matches at least one rule in any of the assigned groups, and denied otherwise. This enables layered security policies and flexible access control.
Rule Configuration
Security group rules consist of the following components:
- Protocol: Defines whether the rule applies to TCP, UDP, or ICMP.
- Port Range: Specifies the allowed port or range of ports for traffic.
- Source/Destination: Determines the allowed IP addresses, CIDR blocks, or other security groups.
Stateful Traffic Management
Security groups use stateful filtering, meaning that responses to allowed outbound traffic are automatically permitted, without requiring additional inbound rules. This simplifies rule configuration and reduces unnecessary complexity.
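The evaluation semantics described in the sections above (default deny when no rule matches, rule components of protocol, port range and CIDR, aggregation across several groups, and stateful handling of return traffic) can be made concrete with a small simulation. The following is an added example written for this page, not Thalassa Cloud's implementation and not a Thalassa API: the `Rule`, `SecurityGroup` and `Resource` classes, the connection-tracking table and all sample addresses are constructed for illustration. It goes slightly beyond the text in one respect: the flow table tracks connections initiated in either direction, so replies to an allowed inbound connection are also admitted without an outbound rule, which is the general behaviour of a stateful filter.

```python
"""Toy model of how security-group rules are evaluated.

Constructed illustration of the behaviour described on this page: default deny,
rule components (protocol, port range, CIDR), aggregation across several groups
and stateful return traffic. It is not Thalassa Cloud's implementation and uses
no Thalassa API; all class names and sample addresses are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "icmp"
    port_from: int   # port range; ignored for icmp
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
        if direction != self.direction or protocol != self.protocol:
            return False
        if protocol != "icmp" and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(peer_ip) in ip_network(self.cidr)


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Resource:
    """A resource (e.g. a VM network interface) with its attached groups and a
    per-resource connection-tracking table that implements stateful filtering."""
    groups: list
    conntrack: set = field(default_factory=set)

    def evaluate(self, direction: str, protocol: str, local_port: int,
                 peer_port: int, peer_ip: str) -> bool:
        # The flow key does not include the direction, so a reply packet
        # (same peer, same port pair, opposite direction) hits the same entry.
        flow = (protocol, peer_ip, peer_port, local_port)
        if flow in self.conntrack:
            return True  # return traffic of an already-allowed flow: no rule needed
        # Inbound rules are matched on the port the resource listens on;
        # outbound rules on the destination port at the peer.
        rule_port = local_port if direction == "inbound" else peer_port
        # Aggregation: any matching rule in any attached group allows the packet.
        # No attached groups or no matching rule means the default applies: deny.
        allowed = any(rule.matches(direction, protocol, rule_port, peer_ip)
                      for group in self.groups for rule in group.rules)
        if allowed:
            self.conntrack.add(flow)
        return allowed


def demo() -> dict:
    """Run constructed packets through resources and return the verdicts by name."""
    web = SecurityGroup("web", [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")])
    dns_egress = SecurityGroup("dns-egress", [Rule("outbound", "udp", 53, 53, "10.0.0.0/8")])
    nic = Resource(groups=[web, dns_egress])   # two groups: rules are aggregated
    web_only = Resource(groups=[web])          # one group: no egress rule at all
    bare = Resource(groups=[])                 # no groups: everything is denied
    return {
        "https_in": nic.evaluate("inbound", "tcp", 443, 51000, "203.0.113.7"),
        "https_reply_out": nic.evaluate("outbound", "tcp", 443, 51000, "203.0.113.7"),
        "ssh_in": nic.evaluate("inbound", "tcp", 22, 51001, "203.0.113.7"),
        "dns_out": nic.evaluate("outbound", "udp", 40000, 53, "10.0.0.2"),
        "dns_reply_in": nic.evaluate("inbound", "udp", 40000, 53, "10.0.0.2"),
        "dns_unsolicited_in": nic.evaluate("inbound", "udp", 40000, 53, "10.0.0.3"),
        "https_out": nic.evaluate("outbound", "tcp", 40001, 443, "198.51.100.1"),
        "dns_out_web_only": web_only.evaluate("outbound", "udp", 40000, 53, "10.0.0.2"),
        "https_in_no_groups": bare.evaluate("inbound", "tcp", 443, 51000, "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'ALLOW' if verdict else 'DENY'}")
```

Running the script shows the three behaviours side by side: `https_in` is allowed by the `web` group while `ssh_in` and `https_out` fall through to the default deny; `dns_out` is allowed only on the resource that carries both groups, and the reply from the queried server (`dns_reply_in`) passes on the tracked flow even though no inbound UDP rule exists, whereas the same packet from an untracked peer (`dns_unsolicited_in`) is dropped.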
Security Group Scope
Security groups operate within a VPC and cannot be shared between different VPCs. If communication is required between resources in different VPCs, explicit rules must be created, or a VPC Peering connection must be established.
Supported Resource Types
Security groups can be attached to the following resource types in Thalassa Cloud:
- Compute Resources: Virtual Machines and their network interfaces
- Load Balancers: Public and private load balancer endpoints
- NAT Gateways: Network Address Translation gateways for private subnet internet access
- Managed Database Services: DBaaS instances and clusters
- Kubernetes Resources: Control plane endpoints and node pool network interfaces
- Other Managed Services: Various cloud service endpoints and APIs
Summary
Security Groups in Thalassa Cloud provide resource-level network security by controlling inbound and outbound traffic for compute instances, load balancers, NAT gateways, and managed services. With support for stateful filtering, multiple security groups per resource, and fine-grained access controls, security groups offer a flexible and robust approach to network access control.
By implementing security groups effectively, you can ensure that only authorized traffic reaches your cloud resources while maintaining strict isolation between different network environments. Security groups are a fundamental component of cloud security architecture and should be used in conjunction with other security measures such as Firewall Rules and network segmentation to achieve comprehensive protection.
For detailed implementation guidance, see our Working with Security Groups guide.