Concepts
Concept
STACKIT Security Groups function as virtual firewalls that control network traffic to and from your server instances. They act as a protective layer at the network interface level, allowing you to define granular rules that specify which traffic is permitted to reach your servers (ingress) and which traffic your servers can send out (egress).
General
Security Groups provide a flexible and reusable way to manage network security across your STACKIT infrastructure. When you create a Security Group, you define a set of rules that control traffic based on IP protocols, ports, and IP addresses. These groups can be applied to network interfaces on multiple server instances simultaneously, making it easy to maintain consistent security policies across your environment.
Key characteristics of Security Groups:
- Reusability: A single Security Group can be attached to multiple Network Interfaces (NICs), allowing you to apply the same security policy to many servers at once.
- Dynamic Updates: When you modify a Security Group’s rules, the changes automatically apply to all attached Network Interfaces immediately.
- Stateful Operation: Security Groups can be stateful, meaning that if you allow an outbound connection, the response traffic for that connection is automatically allowed regardless of the inbound rules.
- Multiple Protocol Support: Configure rules for both IPv4 and IPv6 traffic, supporting various protocols including TCP, UDP, and ICMP.
Security rules
Security Group rules define which traffic is allowed or denied. Each rule specifies:
- Direction: Whether the rule applies to incoming traffic (ingress) or outgoing traffic (egress)
- IP Protocol: The network protocol (TCP, UDP, ICMP, or any protocol)
- Port Range: The specific port or range of ports affected by the rule (for TCP/UDP)
- Source/Destination: IP addresses or CIDR blocks that the rule applies to
Default behavior
When you create a new Security Group, it includes a default security policy:
- Egress (Outbound): All outgoing traffic is allowed by default
- Ingress (Inbound): All incoming traffic is blocked by default, with one important exception: traffic from instances within the same Security Group is allowed
Ingress rules
Ingress rules control incoming traffic to your servers. You must explicitly create ingress rules to allow:
- External access to your applications (e.g., HTTP/HTTPS traffic on ports 80/443)
- Management access (e.g., SSH on port 22 or RDP on port 3389)
- Custom application traffic on specific ports
- Traffic from specific IP addresses or ranges
Egress rules
Egress rules control outgoing traffic from your servers. By default, there is a rule that allows all egress traffic. You can create restrictive egress rules to:
- Limit outbound connections to specific destinations
- Control which protocols and ports your servers can use for outbound communication
- Implement security policies that restrict data exfiltration
Rule evaluation
Security Groups evaluate traffic based on all configured rules:
- If any rule explicitly allows the traffic, it is permitted
- If no rule allows the traffic, it is denied (default deny)
- Rules are evaluated simultaneously, not in a specific order
Integration with Network Interfaces
Security Groups are applied to server instances through Network Interfaces (NICs). Each NIC can have multiple Security Groups attached, and the rules from all attached Security Groups are combined:
- You can attach multiple Security Groups to a single NIC
- All rules from attached Security Groups are aggregated and applied
- If one Security Group allows traffic and another doesn’t mention it, the traffic is allowed (permissive approach)
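The following Python model, added here as an illustration and not part of STACKIT's product or API, ties together the semantics described on this page: the default policy of a new group (allow-all egress, ingress only from the same group), any-rule-allows evaluation with default deny, stateful replies, and the permissive aggregation of several groups on one NIC. All class and function names (Packet, Rule, SecurityGroup, Nic, evaluate, new_group) and the sample addresses in demo() are constructed for this example; the real rule schema and the way group membership is resolved are not shown on this page and are not reproduced here.

```python
"""Toy model of the Security Group semantics described on this page.
Names and sample data are invented for this example (not STACKIT code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "ingress" or "egress", as seen from the NIC
    protocol: str               # "tcp", "udp" or "icmp"
    remote_ip: str              # source for ingress, destination for egress
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: Optional[str] = None      # None = any protocol
    port_min: Optional[int] = None      # destination port range (TCP/UDP only)
    port_max: Optional[int] = None      # None = same as port_min
    remote_cidr: Optional[str] = None   # source/destination block; None = any address
    remote_group: Optional[str] = None  # match members of a group instead of a CIDR

    def matches(self, pkt: Packet, members: dict) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if pkt.dst_port is None or not (self.port_min <= pkt.dst_port <= hi):
                return False
        if self.remote_cidr is not None:
            net, addr = ip_network(self.remote_cidr), ip_address(pkt.remote_ip)
            # An IPv4 rule never matches IPv6 traffic and vice versa
            if addr.version != net.version or addr not in net:
                return False
        if self.remote_group is not None and pkt.remote_ip not in members.get(self.remote_group, set()):
            return False
        return True


@dataclass
class SecurityGroup:
    name: str
    rules: list
    stateful: bool = True


def new_group(name: str, stateful: bool = True) -> SecurityGroup:
    """Default policy of a freshly created group: all egress, ingress only from the same group."""
    return SecurityGroup(name, [Rule("egress"), Rule("ingress", remote_group=name)], stateful)


@dataclass
class Nic:
    groups: list                             # every attached group; their rules are aggregated
    members: dict                            # group name -> set of member IPs (constructed lookup)
    flows: set = field(default_factory=set)  # allowed outbound flows, used for stateful replies


def evaluate(nic: Nic, pkt: Packet) -> bool:
    """True if any rule of any attached group allows the packet; otherwise default deny."""
    stateful = any(g.stateful for g in nic.groups)
    if pkt.direction == "ingress" and stateful:
        # Reply to a connection this NIC opened: allowed regardless of ingress rules
        if (pkt.protocol, pkt.remote_ip, pkt.src_port, pkt.dst_port) in nic.flows:
            return True
    for group in nic.groups:          # rules are aggregated; order does not matter
        for rule in group.rules:
            if rule.matches(pkt, nic.members):
                if pkt.direction == "egress" and stateful:
                    # Record (proto, remote, remote port, local port) so the reply is recognised
                    nic.flows.add((pkt.protocol, pkt.remote_ip, pkt.dst_port, pkt.src_port))
                return True
    return False


def demo() -> dict:
    """Constructed scenario: a 'web' group plus a default 'base' group on one NIC."""
    web = SecurityGroup("web", [
        Rule("ingress", "tcp", 80),
        Rule("ingress", "tcp", 443),
        Rule("ingress", "tcp", 22, remote_cidr="203.0.113.0/24"),  # constructed admin range
    ])
    base = new_group("base")
    nic = Nic([web, base], {"base": {"10.0.0.5", "10.0.0.6"}})
    return {
        "https_from_internet": evaluate(nic, Packet("ingress", "tcp", "198.51.100.7", 50000, 443)),
        "ssh_from_admin_net": evaluate(nic, Packet("ingress", "tcp", "203.0.113.10", 50001, 22)),
        "ssh_from_internet": evaluate(nic, Packet("ingress", "tcp", "198.51.100.7", 50002, 22)),
        "same_group_peer": evaluate(nic, Packet("ingress", "udp", "10.0.0.6", 5353, 5353)),
        "egress_dns": evaluate(nic, Packet("egress", "udp", "192.0.2.53", 40000, 53)),
        "dns_reply": evaluate(nic, Packet("ingress", "udp", "192.0.2.53", 53, 40000)),
        "unsolicited_udp": evaluate(nic, Packet("ingress", "udp", "192.0.2.99", 53, 40001)),
    }
```

Note how the outbound DNS query is allowed by the default egress rule of the base group even though the web group says nothing about egress (the permissive aggregation from the list above), and how its reply is accepted only because the flow was recorded, while an unsolicited UDP packet with the same port layout is dropped.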