Security Groups

Security groups act as virtual firewalls that control inbound and outbound traffic for your instances. Each security group contains a set of rules that filter traffic by protocol, port, and source/destination.

Command: ace security-group Alias: ace sg

Create a Security Group

ace sg create --name <name> [flags]

Flags

Flag

Required

Description

--name

Yes

Security group name

--description

Description (max 255 characters)

Example

ace sg create --name web-sg --description "Web server security group"

Sample Output

Security group created.
  ID:              a1b2c3d4-e5f6-7890-abcd-ef1234567890
  Name:            web-sg

List Security Groups

ace sg list

Alias: ace sg ls

Sample Output

ID                                     NAME                      RULES  DESCRIPTION
a1b2c3d4-e5f6-7890-abcd-ef1234567890  web-sg                        3  Web server security group
b2c3d4e5-f6a7-8901-bcde-f12345678901  default                       4  Default security group

Get Security Group Details

View a security group and all its rules.

ace sg get <sg-id>

Aliases: ace sg show, ace sg describe

Sample Output

ID:                a1b2c3d4-e5f6-7890-abcd-ef1234567890
Name:              web-sg
Description:       Web server security group
Total Rules:       3

RULE ID                                DIRECTION  PROTOCOL   PORTS          REMOTE               ETHERTYPE
c3d4e5f6-a7b8-9012-cdef-234567890abc  ingress    SSH        22             0.0.0.0/0            IPv4
d4e5f6a7-b8c9-0123-def0-456789abcdef  ingress    HTTP       80             0.0.0.0/0            IPv4
e5f6a7b8-c9d0-1234-ef01-56789abcdef0  egress     All        All            0.0.0.0/0            IPv4

Update a Security Group

ace sg update <sg-id> [flags]

Flags

Flag

Required

Description

--name

New security group name

--description

New description

At least one of --name or --description must be specified.

Example

ace sg update a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  --name web-sg-v2 \
  --description "Updated web security group"

Security group updated.
  ID:              a1b2c3d4-e5f6-7890-abcd-ef1234567890
  Name:            web-sg-v2

Delete Security Groups

ace sg delete <sg-id> [sg-id...]

Alias: ace sg rm

A security group cannot be deleted while it is assigned to active instances. Remove the security group from all instances first.

Example

ace sg delete a1b2c3d4-e5f6-7890-abcd-ef1234567890

Deleted 1 security group(s).

Rule Management

Add a Rule

Add a firewall rule to a security group.

ace sg rule-add --sg <sg-id> [flags]

Flags

Flag

Required

Default

Description

--sg

Yes

Security group ID

--protocol

tcp

Protocol (see table below)

--direction

ingress

Rule direction: ingress or egress

--port

Port or port range (e.g. 22, 8000-9000)

--remote

0.0.0.0/0

Remote IP CIDR

--ethertype

IPv4

Ethertype: IPv4 or IPv6

--description

Rule description

Shortcut Protocols

These shortcuts auto-set the correct port number, so you do not need to specify --port:

Shortcut

Protocol

Port

ssh

TCP

http

TCP

https

TCP

443

rdp

TCP

3389

mysql

TCP

3306

dns

UDP

You can also use the raw protocol names: tcp, udp, icmp, any.

Examples

Allow SSH from anywhere:

ace sg rule-add --sg <sg-id> --protocol ssh

Allow HTTP from anywhere:

ace sg rule-add --sg <sg-id> --protocol http

Allow HTTPS from anywhere:

ace sg rule-add --sg <sg-id> --protocol https

Allow a custom TCP port:

ace sg rule-add --sg <sg-id> --protocol tcp --port 3000

Allow a port range:

ace sg rule-add --sg <sg-id> --protocol tcp --port 8000-9000

Allow ICMP (ping):

ace sg rule-add --sg <sg-id> --protocol icmp

Allow traffic only from a specific CIDR:

ace sg rule-add --sg <sg-id> --protocol tcp --port 5432 --remote 10.0.0.0/24

Allow all outbound traffic:

ace sg rule-add --sg <sg-id> --direction egress --protocol any

Sample Output

Security group rule added.
  Rule ID:         c3d4e5f6-a7b8-9012-cdef-234567890abc
  Direction:       Inbound
  Protocol:        SSH
  Ports:           22

Delete Rules

Delete one or more rules by rule ID.

ace sg rule-delete <rule-id> [rule-id...]

Example

ace sg rule-delete c3d4e5f6-a7b8-9012-cdef-234567890abc

Deleted 1 security group rule(s).

Common Patterns

Web Server Security Group

# Create the group
ace sg create --name web-sg

# Allow SSH, HTTP, and HTTPS
ace sg rule-add --sg <sg-id> --protocol ssh
ace sg rule-add --sg <sg-id> --protocol http
ace sg rule-add --sg <sg-id> --protocol https

Database Security Group (Private Access Only)

# Create the group
ace sg create --name db-sg

# Allow PostgreSQL only from the app subnet
ace sg rule-add --sg <sg-id> --protocol tcp --port 5432 --remote 10.0.1.0/24

# Allow MySQL only from the app subnet
ace sg rule-add --sg <sg-id> --protocol tcp --port 3306 --remote 10.0.1.0/24

Command Summary

Command

Description

ace sg create

Create a security group

ace sg list

List all security groups

ace sg get <id>

Get security group details and rules

ace sg update <id>

Update security group name or description

ace sg delete <id>

Delete security group(s)

ace sg rule-add

Add a firewall rule

ace sg rule-delete <id>

Delete firewall rule(s)

PreviousRouters NextFloating IPs

Last updated 1 month ago