CLI Client: Security Groups
This page describes how to use the OpenStack CLI client to manage security groups.
List Security Groups
openstack security group list
List all security groups in your project.
Create a Security Group
openstack security group create <new-group-name>
Create a new security group in your project with the specified security group name.
Options:
--description <group-description>
: additional security group descriptions
Delete a Security Group
openstack security group delete <group-name-or-id>
Delete the specified security group.
Manage Security Group
Show Details about Your Security Group
openstack security group show <group-name-or-id>
Display information, including rules, on the specified security group.
Edit Details about Your Security Group
openstack security group set --name <new-name> <group-name-or-id>
openstack security group set --description <new-description> <group-name-or-id>
Modify attributes of the security group.
Options:
--name
: Name of the security group
--description
: Description of the security group
Manage Security Group Rules
The following commands manage access rules for the security group.
List Security Group Rules
openstack security group rule list <group-name-or-id>
List all access rules for the specified security group, including the UUID of the rule (which you will need to show or delete the rule).
The following filters are available:
--protocol <protocol>
--ingress
--egress
Show a Security Group Rule
openstack security group rule show <rule-id>
Display information on the specified security group rule. You can find the rule's UUID using the openstack security group rule list command.
Add a Security Group Rule
openstack security group rule create <group-name-or-id>
Create a new security group rule. The following options are available:
--remote-ip <ip-address> or --remote-group <group-name-or-id>
: These 2 options are mutually exclusive and specify if the new rule applies to remote hosts by their IP addresses or their security group.
--remote-ip
: The new security group rule applies to remote hosts in a certain IP range (CIDR notation).
--remote-group
: The new security group rule applies to hosts in the specified security group.
--description <rule-descriptions>
: additional rule descriptions
--protocol <protocol>
: tcp, udp, icmp, etc.
--ingress or --egress
: These 2 options are mutually exclusive and specify if the new security group rule applies to inbound or outbound traffic. Default is ingress if neither option is specified.
--dst-port <port-range>
: For TCP and UDP, choose the port ranges for this rule.
Examples:
- Allow inbound SSH connections from IP address 128.84.40.10:
openstack security group rule create --remote-ip 128.84.40.10/32 --protocol tcp --dst-port 22 <security-group-name>
- Allow all instances in the same security group to connect on ports 50000-51000/tcp:
openstack security group rule create --remote-group <security-group-name> --protocol tcp --dst-port 50000:51000 <security-group-name>
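The following is an added example, not part of the original page: a POSIX shell wrapper that checks the source and port range before building the rule create command, so an any-source (/0) CIDR or an inverted port range is refused instead of becoming a rule. The function names, the DRY_RUN variable and the group name web-sg are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and DRY_RUN are hypothetical helpers, not part
# of the OpenStack client; "web-sg" is a constructed group name.

# Accept "N" or "N:M" with 1 <= N <= M <= 65535.
valid_ports() {
    case "$1" in
        ''|*[!0-9:]*|*:*:*|:*|*:) return 1 ;;
    esac
    lo=${1%%:*}; hi=${1##*:}
    [ "${#lo}" -le 5 ] && [ "${#hi}" -le 5 ] || return 1
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Accept an IPv4 CIDR with an explicit prefix of 1-32; /0 (any source) is
# refused. Octet ranges are not checked.
narrow_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|*.*.*.*.*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) return 1 ;;
    esac
    prefix=${1##*/}
    [ "${#prefix}" -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ]
}

# sg_allow_ingress GROUP PROTO PORTS cidr|group SOURCE
# Prints the resulting command; executes it only when DRY_RUN=0.
sg_allow_ingress() {
    group=$1; proto=$2; ports=$3; kind=$4; src=$5
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 2 ;; esac
    valid_ports "$ports" || { echo "bad port range: $ports" >&2; return 2; }
    case "$kind" in
        cidr)  narrow_cidr "$src" || { echo "refused source: $src" >&2; return 2; }
               opt=--remote-ip ;;
        group) [ -n "$src" ] || { echo "missing remote group" >&2; return 2; }
               opt=--remote-group ;;
        *)     echo "source kind must be cidr or group" >&2; return 2 ;;
    esac
    set -- openstack security group rule create --ingress "$opt" "$src" \
        --protocol "$proto" --dst-port "$ports" "$group"
    echo "$*"
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

# Dry-run versions of the two examples on this page.
sg_allow_ingress web-sg tcp 22 cidr 128.84.40.10/32
sg_allow_ingress web-sg tcp 50000:51000 group web-sg
```

Run with DRY_RUN=0 in the environment to execute the printed command instead of only displaying it.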
Delete a Security Group Rule
openstack security group rule delete <rule-id>
Delete the specified security group rule.