FAQ

We want to give our customers the information they need to get the most out of Security Groups. This FAQ section answers common questions so that you can quickly find solutions and improve your experience. We encourage you to check this FAQ before contacting our support team, as you might find your answer here.

  • General information

    What is the default behavior of Security Groups?

    When you create a new Security Group, it includes a default security policy:

    • Egress (Outbound): All outgoing traffic is allowed by default.
    • Ingress (Inbound): All incoming traffic is blocked by default, with one exception—traffic from instances within the same Security Group is automatically allowed.

    This “deny by default” approach to inbound traffic ensures your servers remain protected until you explicitly allow specific traffic.

    Can I attach multiple Security Groups to a single server?

    Yes. You can attach multiple Security Groups to a single Network Interface (NIC), and the rules from all attached Security Groups are aggregated and applied together. If one Security Group allows traffic and another doesn’t mention it, the traffic is allowed (permissive approach).

    How do I apply Security Groups to my servers?

    Security Groups cannot be applied directly to servers. They must be attached to Network Interfaces (NICs), which are then associated with your server instances. To use Security Groups, NIC Security must be enabled on the Network Interface, which is the default setting when creating a new NIC.

    Do changes to Security Group rules take effect immediately?

    Yes. When you modify a Security Group’s rules, the changes automatically apply to all attached Network Interfaces immediately. This makes it easy to update security policies across multiple servers at once.

    Can I reuse a Security Group across multiple servers?

    Yes. A single Security Group can be attached to multiple Network Interfaces, allowing you to apply the same security policy to many servers simultaneously. This makes it easy to maintain consistent security policies across your environment.

    What protocols are supported by Security Groups?

    Security Groups support various protocols including TCP, UDP, ICMP, and custom protocols. You can configure rules for both IPv4 and IPv6 traffic.

    Can I create "deny" rules in Security Groups?

    No. Security Groups work on an allow-list basis with default deny behavior. You cannot create explicit deny rules. All traffic is blocked by default unless you create a rule that explicitly allows it.

    How are Security Group rules evaluated?

    Rules are evaluated simultaneously, not in a specific order. If any rule explicitly allows the traffic, it is permitted. If no rule allows the traffic, it is denied. More permissive rules take precedence when multiple Security Groups are attached to the same NIC.

    Is there a charge for using Security Groups?

    No. There is no additional charge for using Security Groups in STACKIT.

    Do Security Groups support IPv6?

    Yes. Security Groups support both IPv4 and IPv6 traffic. However, IPv4 and IPv6 rules are configured separately within the same Security Group.

    What happens to traffic between servers in the same Security Group?

    By default, servers within the same Security Group can communicate with each other freely. This exception to the default deny ingress policy allows internal communication between related services without requiring explicit rules.

    Can I use Security Groups for tiered architecture?

    Yes. Security Groups are ideal for implementing tiered architectures. You can create separate Security Groups for different tiers (web tier, application tier, database tier) and configure appropriate rules to control traffic flow between them.

    What's the difference between Security Groups and NIC Security?

    NIC Security is a feature that must be enabled on a Network Interface to use Security Groups. Think of NIC Security as the on/off switch, while Security Groups contain the actual firewall rules that control traffic.
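
The evaluation behavior described in the answers above (rules of all attached Security Groups aggregated, no ordering, no deny rules, same-group ingress allowed) can be checked against a tiered setup with the following added example. It is an illustrative Python model of ingress only, not STACKIT code or the STACKIT API; the class names, group names, ports and addresses are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Ingress allow rule (illustrative model, not the STACKIT API)."""
    protocol: str                    # "tcp", "udp", "icmp" or "any"
    ports: tuple = (0, 65535)        # inclusive range, ignored for icmp
    cidr: Optional[str] = None       # source is either a CIDR ...
    group: Optional[str] = None      # ... or a Security Group name

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)
    def __post_init__(self):
        # Default ingress policy from the FAQ: same-group traffic is allowed.
        self.rules = [Rule("any", group=self.name), *self.rules]

@dataclass
class Nic:
    ip: str
    groups: list                     # every Security Group attached to this NIC

def rule_matches(rule, protocol, port, src_ip, src_groups):
    if rule.protocol not in ("any", protocol):
        return False
    if protocol in ("tcp", "udp") and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.group is not None or rule.cidr is None:
        return rule.group in src_groups
    net, addr = ipaddress.ip_network(rule.cidr), ipaddress.ip_address(src_ip)
    return addr.version == net.version and addr in net  # IPv4/IPv6 kept separate

def ingress_allowed(dst, protocol, port, src_ip, src=None):
    """Allow if ANY rule of ANY attached group matches; otherwise deny."""
    src_groups = {g.name for g in src.groups} if src else set()
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for g in dst.groups for r in g.rules)

# Constructed three-tier topology (names, ports and addresses are sample values).
web = SecurityGroup("web", [Rule("tcp", (443, 443), cidr="0.0.0.0/0")])
app = SecurityGroup("app", [Rule("tcp", (8080, 8080), group="web")])
db = SecurityGroup("db", [Rule("tcp", (5432, 5432), group="app")])
admin = SecurityGroup("admin", [Rule("tcp", (22, 22), cidr="10.0.9.0/24")])
web1, web2 = Nic("10.0.1.10", [web]), Nic("10.0.1.11", [web])
app1 = Nic("10.0.2.10", [app])
db1 = Nic("10.0.3.10", [db, admin])  # two groups: their rules are aggregated
```

Because the attached groups are combined as a union, reviewing a NIC's exposure means reading every group on it: here `db1` accepts SSH from `10.0.9.0/24` only because `admin` is attached, even though `db` never mentions port 22.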