Security Groups

Security groups are RESVRL's traffic-control layer for public-facing access. In practice, most users will touch security groups when a VM or Kubernetes gateway is connected to a Bridge network.

When you need a security group

Use a security group when:

  • A virtual machine is attached to a Bridge network.
  • A new public network interface is added to a VM.
  • A Kubernetes cluster gateway is enabled for external traffic.

If the workload uses only NAT networking, you may not need a public-facing security group at all.

Create a security group

  1. Open Security Group in the member console.
  2. Click Create Security Group.
  3. Select the target region or host machine group.
  4. Enter a name and optional description.
  5. Save the group.
  6. Add the rules required by your workload.

What a rule contains

RESVRL lets you configure rules with these core fields:

  • Protocol: TCP, UDP, SCTP, IP, or All.
  • Direction: inbound or outbound.
  • Action: Accept or Drop.
  • Optional IP scope and port range fields, depending on the selected protocol.

Common rule patterns

SSH administration

  • Inbound TCP 22.
  • Restrict source IPs to your office, VPN, or administrator addresses.

Web application

  • Inbound TCP 80 and 443.
  • Inbound TCP 22 only from administrator IP ranges.

Private service with outbound updates

  • No public inbound rules.
  • Outbound TCP 80 and 443 for package updates and API calls.

How to use groups safely

  • Start from the smallest rule set possible.
  • Avoid opening management ports to the entire internet.
  • Create separate groups for different roles, such as web, database, and gateway.
  • Review rules whenever a service is retired or moved.
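One way to check a rule set against the second point above, as an added example that is not RESVRL code. The dictionary layout is a hypothetical representation of the rule fields listed earlier, not a RESVRL export format, and the set of management ports is an assumption.

```python
import ipaddress

# Assumption: ports treated as management ports. The page names TCP 22 (SSH);
# 3389 (RDP) is added here as a common example.
MGMT_PORTS = {22, 3389}
PORTLESS = {"IP", "ALL"}  # protocols whose rules cover every port

def is_world_open(scope):
    """True when the IP scope is empty or covers the whole address space."""
    if not scope:
        return True  # assumption: an empty scope means "any source"
    return ipaddress.ip_network(scope, strict=False).prefixlen == 0

def exposed_ports(rule):
    """Management ports that an inbound Accept rule opens to any source."""
    if (rule["direction"].lower(), rule["action"].lower()) != ("inbound", "accept"):
        return set()
    if not is_world_open(rule.get("scope")):
        return set()
    if rule["protocol"].upper() in PORTLESS:
        return set(MGMT_PORTS)
    if rule["protocol"].upper() != "TCP":
        return set()
    low, high = rule.get("ports", (1, 65535))
    return {p for p in MGMT_PORTS if low <= p <= high}

def audit(groups):
    """Return (group name, rule index, sorted ports) for each risky rule."""
    return [(name, i, sorted(exposed_ports(r)))
            for name, rules in groups.items()
            for i, r in enumerate(rules) if exposed_ports(r)]

# Constructed sample data: one group per role, as the page recommends.
SAMPLE = {
    "web": [
        {"protocol": "TCP", "direction": "inbound", "action": "Accept", "scope": "0.0.0.0/0", "ports": (80, 80)},
        {"protocol": "TCP", "direction": "inbound", "action": "Accept", "scope": "0.0.0.0/0", "ports": (443, 443)},
        {"protocol": "TCP", "direction": "inbound", "action": "Accept", "scope": "203.0.113.0/24", "ports": (22, 22)},
    ],
    "legacy": [
        {"protocol": "TCP", "direction": "inbound", "action": "Accept", "scope": "0.0.0.0/0", "ports": (1, 1024)},
        {"protocol": "All", "direction": "inbound", "action": "Accept", "scope": "::/0"},
        {"protocol": "TCP", "direction": "outbound", "action": "Accept", "scope": "0.0.0.0/0", "ports": (22, 22)},
    ],
}

if __name__ == "__main__":
    for group, index, ports in audit(SAMPLE):
        print(f"{group} rule {index}: management ports {ports} open to any source")
```

The wide port range and the "All" rule in the constructed "legacy" group are flagged even though neither names port 22 explicitly, which is the case a manual review most often misses.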

Troubleshooting

The service is unreachable

Check whether the correct group is attached to the Bridge-facing interface and whether the required inbound protocol and port are allowed.

The VM cannot reach external services

Check outbound rules before changing the VM itself.

The cluster gateway is still blocked

Check both the security group and the gateway network selection from the cluster configuration.