# Security Groups

Security groups act as virtual firewalls that control inbound and outbound traffic for your instances. Each security group contains a set of rules that filter traffic by protocol, port, and source/destination.

**Command:** `ace security-group` **Alias:** `ace sg`

## Create a Security Group

```bash
ace sg create --name <name> [flags]
```

### Flags

| Flag            | Required | Description                      |
| --------------- | -------- | -------------------------------- |
| `--name`        | Yes      | Security group name              |
| `--description` | No       | Description (max 255 characters) |

### Example

```bash
ace sg create --name web-sg --description "Web server security group"
```

### Sample Output

```
Security group created.
  ID:              a1b2c3d4-e5f6-7890-abcd-ef1234567890
  Name:            web-sg
```

***

## List Security Groups

```bash
ace sg list
```

**Alias:** `ace sg ls`

### Sample Output

```
ID                                     NAME                      RULES  DESCRIPTION
a1b2c3d4-e5f6-7890-abcd-ef1234567890  web-sg                        3  Web server security group
b2c3d4e5-f6a7-8901-bcde-f12345678901  default                       4  Default security group
```

***

## Get Security Group Details

View a security group and all its rules.

```bash
ace sg get <sg-id>
```

**Aliases:** `ace sg show`, `ace sg describe`

### Sample Output

```
ID:                a1b2c3d4-e5f6-7890-abcd-ef1234567890
Name:              web-sg
Description:       Web server security group
Total Rules:       3

RULE ID                                DIRECTION  PROTOCOL   PORTS          REMOTE               ETHERTYPE
c3d4e5f6-a7b8-9012-cdef-234567890abc  ingress    SSH        22             0.0.0.0/0            IPv4
d4e5f6a7-b8c9-0123-def0-456789abcdef  ingress    HTTP       80             0.0.0.0/0            IPv4
e5f6a7b8-c9d0-1234-ef01-56789abcdef0  egress     All        All            0.0.0.0/0            IPv4
```
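The rule table above is easy to scan by hand for one group, but not across dozens of them. As an added example that is not part of the ace CLI or its documentation, the POSIX shell script below parses that output (embedded as a constructed copy of the sample) and reports ingress rules that expose administrative or database ports to `0.0.0.0/0` or `::/0`. The list of sensitive ports (22, 3389, 3306, 5432) is an assumption made for the example.

```shell
#!/usr/bin/env bash
# Added example: audit the rule table printed by `ace sg get` for ingress
# rules that expose administrative or database ports to every source.
# Not part of the ace CLI; it only parses the CLI's text output.

# Ports that should normally never be reachable from 0.0.0.0/0 or ::/0.
# Assumption for this example: SSH, RDP, MySQL, PostgreSQL.
SENSITIVE_PORTS="22 3389 3306 5432"

# Constructed sample: the `ace sg get` output from the documentation.
SAMPLE_SG_OUTPUT='ID:                a1b2c3d4-e5f6-7890-abcd-ef1234567890
Name:              web-sg
Description:       Web server security group
Total Rules:       3

RULE ID                                DIRECTION  PROTOCOL   PORTS          REMOTE               ETHERTYPE
c3d4e5f6-a7b8-9012-cdef-234567890abc  ingress    SSH        22             0.0.0.0/0            IPv4
d4e5f6a7-b8c9-0123-def0-456789abcdef  ingress    HTTP       80             0.0.0.0/0            IPv4
e5f6a7b8-c9d0-1234-ef01-56789abcdef0  egress     All        All            0.0.0.0/0            IPv4'

# port_is_sensitive PORTS -> exit 0 when the PORTS column (a single port,
# an a-b range, or "All") overlaps SENSITIVE_PORTS.
port_is_sensitive() {
  ports=$1
  case $ports in
    All) return 0 ;;                          # every port, sensitive ones included
    *-*) lo=${ports%-*}; hi=${ports#*-} ;;    # range "lo-hi"
    *)   lo=$ports; hi=$ports ;;              # single port
  esac
  for p in $SENSITIVE_PORTS; do
    [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && return 0
  done
  return 1
}

# audit_open_rules reads `ace sg get` output on stdin and prints one line
# per ingress rule whose REMOTE is 0.0.0.0/0 or ::/0 and whose ports overlap
# SENSITIVE_PORTS, as "<rule-id> <protocol> <ports>".
audit_open_rules() {
  # Rule rows are the ones whose first field is a 36-character UUID; the
  # header row and the key/value lines above it never match.
  awk 'length($1) == 36 && $1 ~ /^[0-9a-f-]+$/ && $2 == "ingress" &&
       ($5 == "0.0.0.0/0" || $5 == "::/0") { print $1, $3, $4 }' |
  while read -r id proto ports; do
    if port_is_sensitive "$ports"; then
      echo "$id $proto $ports"
    fi
  done
}

# Run on live output: ace sg get <sg-id> | sh audit-sg.sh --stdin
if [ "${1:-}" = --stdin ]; then
  audit_open_rules
fi
```

On the sample the script reports only the SSH rule: HTTP on port 80 is open to the world by design, and the egress rule is skipped because only ingress is audited. The parser keys on the six-column rule rows, so a change to the table layout would require the awk field numbers to be adjusted.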

***

## Update a Security Group

```bash
ace sg update <sg-id> [flags]
```

### Flags

| Flag            | Required | Description             |
| --------------- | -------- | ----------------------- |
| `--name`        | No       | New security group name |
| `--description` | No       | New description         |

At least one of `--name` or `--description` must be specified.

### Example

```bash
ace sg update a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  --name web-sg-v2 \
  --description "Updated web security group"
```

```
Security group updated.
  ID:              a1b2c3d4-e5f6-7890-abcd-ef1234567890
  Name:            web-sg-v2
```

***

## Delete Security Groups

```bash
ace sg delete <sg-id> [sg-id...]
```

**Alias:** `ace sg rm`

A security group cannot be deleted while it is assigned to active instances. Remove the security group from all instances first.

### Example

```bash
ace sg delete a1b2c3d4-e5f6-7890-abcd-ef1234567890
```

```
Deleted 1 security group(s).
```

***

## Rule Management

### Add a Rule

Add a firewall rule to a security group.

```bash
ace sg rule-add --sg <sg-id> [flags]
```

#### Flags

| Flag            | Required | Default     | Description                                 |
| --------------- | -------- | ----------- | ------------------------------------------- |
| `--sg`          | Yes      |             | Security group ID                           |
| `--protocol`    | No       | `tcp`       | Protocol (see table below)                  |
| `--direction`   | No       | `ingress`   | Rule direction: `ingress` or `egress`       |
| `--port`        | No       |             | Port or port range (e.g. `22`, `8000-9000`) |
| `--remote`      | No       | `0.0.0.0/0` | Remote IP CIDR; the default `0.0.0.0/0` matches every IPv4 source |
| `--ethertype`   | No       | `IPv4`      | Ethertype: `IPv4` or `IPv6`                 |
| `--description` | No       |             | Rule description                            |

#### Shortcut Protocols

These shortcuts set both the protocol and the port, so you do not need to specify `--port`:

| Shortcut | Protocol | Port |
| -------- | -------- | ---- |
| `ssh`    | TCP      | 22   |
| `http`   | TCP      | 80   |
| `https`  | TCP      | 443  |
| `rdp`    | TCP      | 3389 |
| `mysql`  | TCP      | 3306 |
| `dns`    | UDP      | 53   |

You can also use the raw protocol names: `tcp`, `udp`, `icmp`, `any`.

#### Examples

Allow SSH from anywhere:

```bash
ace sg rule-add --sg <sg-id> --protocol ssh
```

Allow HTTP from anywhere:

```bash
ace sg rule-add --sg <sg-id> --protocol http
```

Allow HTTPS from anywhere:

```bash
ace sg rule-add --sg <sg-id> --protocol https
```

Allow a custom TCP port:

```bash
ace sg rule-add --sg <sg-id> --protocol tcp --port 3000
```

Allow a port range:

```bash
ace sg rule-add --sg <sg-id> --protocol tcp --port 8000-9000
```

Allow ICMP (ping):

```bash
ace sg rule-add --sg <sg-id> --protocol icmp
```

Allow traffic only from a specific CIDR:

```bash
ace sg rule-add --sg <sg-id> --protocol tcp --port 5432 --remote 10.0.0.0/24
```

Allow all outbound traffic:

```bash
ace sg rule-add --sg <sg-id> --direction egress --protocol any
```

#### Sample Output

```
Security group rule added.
  Rule ID:         c3d4e5f6-a7b8-9012-cdef-234567890abc
  Direction:       Inbound
  Protocol:        SSH
  Ports:           22
```
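Because `--remote` defaults to `0.0.0.0/0`, omitting it on an ingress rule for SSH, RDP or a database port publishes that port to every source. As an added example (a hypothetical wrapper, not part of the ace CLI or its documentation), the shell functions below resolve the shortcut protocols from the table above, fill in the CLI's defaults so the effective rule is visible before it is applied, and refuse such a rule unless `ALLOW_OPEN=1` is set. The sensitive-port list is an assumption made for the example.

```shell
#!/usr/bin/env bash
# Added example: a guarded front-end for `ace sg rule-add`. Not part of the
# ace CLI. The shortcut table is copied from the documentation; the
# sensitive-port list is an assumption.

# resolve_shortcut NAME -> prints "PROTOCOL PORT" for a shortcut, or
# "NAME -" for the raw protocol names (tcp, udp, icmp, any), which carry
# no port of their own.
resolve_shortcut() {
  case $1 in
    ssh)   echo "tcp 22" ;;
    http)  echo "tcp 80" ;;
    https) echo "tcp 443" ;;
    rdp)   echo "tcp 3389" ;;
    mysql) echo "tcp 3306" ;;
    dns)   echo "udp 53" ;;
    tcp|udp|icmp|any) echo "$1 -" ;;
    *) echo "unknown protocol: $1" >&2; return 1 ;;
  esac
}

# rule_is_wide_open DIRECTION PORT REMOTE -> exit 0 when the rule would
# expose a sensitive port to every IPv4 or IPv6 source.
rule_is_wide_open() {
  [ "$1" = ingress ] || return 1
  case $3 in 0.0.0.0/0|::/0) ;; *) return 1 ;; esac
  case $2 in 22|3389|3306|5432) return 0 ;; esac   # assumed sensitive ports
  return 1
}

# build_rule_add SG PROTOCOL [PORT] [REMOTE] [DIRECTION] -> prints the
# argument list for `ace sg rule-add`, applying the CLI defaults
# (ingress, 0.0.0.0/0) for omitted arguments. An empty PORT means "take it
# from the shortcut"; an empty REMOTE or DIRECTION means the CLI default.
build_rule_add() {
  sg=$1; name=$2; port=${3:--}; remote=${4:-0.0.0.0/0}; direction=${5:-ingress}
  resolved=$(resolve_shortcut "$name") || return 1
  set -- $resolved                    # $1 = protocol, $2 = port or "-"
  proto=$1
  [ "$port" = - ] && port=$2          # shortcut supplies the port
  if rule_is_wide_open "$direction" "$port" "$remote" && [ "${ALLOW_OPEN:-0}" != 1 ]; then
    echo "refusing to open $proto/$port to $remote on $sg (set ALLOW_OPEN=1 to override)" >&2
    return 1
  fi
  args="--sg $sg --protocol $proto --direction $direction --remote $remote"
  [ "$port" = - ] || args="$args --port $port"
  echo "$args"
}

# Apply the rule for real only when called with arguments, for example:
#   sh sg-rule-add.sh <sg-id> ssh "" 10.0.0.0/24
if [ $# -ge 2 ]; then
  args=$(build_rule_add "$@") && ace sg rule-add $args
fi
```

The wrapper always passes `--direction` and `--remote` explicitly, so the command that reaches the CLI states the full rule rather than relying on defaults that a reviewer would have to remember.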

### Delete Rules

Delete one or more rules by rule ID.

```bash
ace sg rule-delete <rule-id> [rule-id...]
```

#### Example

```bash
ace sg rule-delete c3d4e5f6-a7b8-9012-cdef-234567890abc
```

```
Deleted 1 security group rule(s).
```

***

## Common Patterns

### Web Server Security Group

```bash
# Create the group
ace sg create --name web-sg

# Allow SSH, HTTP, and HTTPS (no --remote given, so the CLI default 0.0.0.0/0 applies)
ace sg rule-add --sg <sg-id> --protocol ssh
ace sg rule-add --sg <sg-id> --protocol http
ace sg rule-add --sg <sg-id> --protocol https
```

### Database Security Group (Private Access Only)

```bash
# Create the group
ace sg create --name db-sg

# Allow PostgreSQL only from the app subnet
ace sg rule-add --sg <sg-id> --protocol tcp --port 5432 --remote 10.0.1.0/24

# Allow MySQL only from the app subnet
ace sg rule-add --sg <sg-id> --protocol tcp --port 3306 --remote 10.0.1.0/24
```

***

## Command Summary

| Command                   | Description                               |
| ------------------------- | ----------------------------------------- |
| `ace sg create`           | Create a security group                   |
| `ace sg list`             | List all security groups                  |
| `ace sg get <id>`         | Get security group details and rules      |
| `ace sg update <id>`      | Update security group name or description |
| `ace sg delete <id>`      | Delete security group(s)                  |
| `ace sg rule-add`         | Add a firewall rule                       |
| `ace sg rule-delete <id>` | Delete firewall rule(s)                   |
