8.9.2. Adding a Rule to a Security Group

The nova command line interface provides facilities for adding rules to security groups.

Procedure 8.6. Adding a Rule to a Security Group using the Command Line Interface

  1. Use the nova secgroup-list command to list the security groups that have been defined.
    $ nova secgroup-list
    +---------+-------------+
    |   Name  | Description |
    +---------+-------------+
    | default | default     |
    +---------+-------------+
    On an installation where no security groups have been created yet, only the default security group is defined.
  2. Use the nova secgroup-add-rule command to add a new rule to a security group. The syntax of the nova secgroup-add-rule command is:
    $ nova secgroup-add-rule GROUP \
            PROTOCOL \
            FROM \
            TO \
            CIDR
    The arguments that the nova secgroup-add-rule command expects represent:
    • Replace GROUP with the identifier of the security group to add the rule to.
    • Replace PROTOCOL with the IP protocol that the rule applies to. Valid values are icmp, tcp, and udp.
    • Replace FROM with the port that defines the start of the range of ports to allow network traffic on. Valid values are in the range -1 to 65535 for TCP and UDP, -1 to 255 for ICMP.
    • Replace TO with the port that defines the end of the range of ports to allow network traffic on. Valid values are in the range -1 to 65535 for TCP and UDP, -1 to 255 for ICMP.
    • Replace CIDR with the Classless Inter-Domain Routing (CIDR) notation defining the IP addresses to accept connections from. A value of 0.0.0.0/0 allows connections from any IP address.
  3. Use the nova secgroup-list-rules command to verify that your new rule has been added to the selected security group.
    $ nova secgroup-list-rules GROUP
    Replace GROUP with the identifier of the security group that you added the rule to.
You have successfully added a rule to a security group using the command line interface. Instances that use the altered security group now accept connections from the specified IP address block on the specified ports and protocol.

Example 8.4. Adding a Security Rule to Allow SSH Connections

In this example a rule is added to the default security group to allow SSH access from machines in the IP address block 172.31.0.224/28.
$ nova secgroup-add-rule default tcp 22 22 172.31.0.224/28
+-------------+-----------+---------+-----------------+--------------+
| IP Protocol | From Port | To Port |     IP Range    | Source Group |
+-------------+-----------+---------+-----------------+--------------+
| tcp         | 22        | 22      | 172.31.0.224/28 |              |
+-------------+-----------+---------+-----------------+--------------+
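The following shell script is an added example, not part of the Red Hat documentation or the nova client. It wraps the procedure above and Example 8.4: it validates the five arguments against the constraints the procedure documents before calling nova secgroup-add-rule, warns when the CIDR is 0.0.0.0/0, and parses nova secgroup-list-rules output to confirm the new rule is present (step 3) and to count rules open to any source address. The NOVA variable (defaulting to nova, set to echo for a dry run) and the sample table, including its 80/tcp and icmp rows, are constructed for this example; the treatment of FROM and TO as ICMP type and code for the icmp protocol follows the nova client's behaviour.

```shell
#!/bin/sh
# Added helper script (not part of the Red Hat documentation): validates the
# five arguments nova secgroup-add-rule expects, wraps the call, and checks
# nova secgroup-list-rules output for the new rule and for wide-open rules.

# Constructed sample of `nova secgroup-list-rules default` output, so the
# checks below run offline; the 80/tcp and icmp rows are hypothetical.
SAMPLE_RULES='+-------------+-----------+---------+-----------------+--------------+
| IP Protocol | From Port | To Port |     IP Range    | Source Group |
+-------------+-----------+---------+-----------------+--------------+
| tcp         | 22        | 22      | 172.31.0.224/28 |              |
| tcp         | 80        | 80      | 0.0.0.0/0       |              |
| icmp        | -1        | -1      | 10.0.0.0/8      |              |
+-------------+-----------+---------+-----------------+--------------+'

# valid_cidr CIDR: dotted-quad IPv4 address with a /0../32 prefix length.
valid_cidr() {
    cidr=$1
    addr=${cidr%/*}
    prefix=${cidr#*/}
    [ "$addr" != "$cidr" ] || return 1          # no "/" at all
    case "$prefix" in
        [0-9]|[12][0-9]|3[0-2]) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
}

# validate_rule GROUP PROTOCOL FROM TO CIDR
# Succeeds when the arguments meet the constraints the procedure documents:
# protocol icmp/tcp/udp, ports -1..65535 (tcp/udp) or -1..255 (icmp), and an
# IPv4 CIDR. For icmp, FROM and TO are the ICMP type and code (nova client
# behaviour), so no FROM <= TO ordering is enforced for that protocol.
validate_rule() {
    group=$1; proto=$2; from=$3; to=$4; cidr=$5
    [ -n "$group" ] || return 1
    case "$proto" in
        tcp|udp) max=65535 ;;
        icmp)    max=255 ;;
        *)       return 1 ;;
    esac
    for port in "$from" "$to"; do
        case "$port" in
            -1|[0-9]|[0-9][0-9]|[0-9][0-9][0-9]|[0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$port" -le "$max" ] || return 1
    done
    if [ "$proto" != icmp ]; then
        [ "$from" -le "$to" ] || return 1        # tcp/udp range must not be reversed
    fi
    valid_cidr "$cidr"
}

# add_rule GROUP PROTOCOL FROM TO CIDR: validate, warn on 0.0.0.0/0, then run
# nova (or whatever $NOVA names; NOVA=echo gives a dry run).
add_rule() {
    validate_rule "$@" || { echo "add_rule: invalid arguments: $*" >&2; return 1; }
    case "$5" in
        0.0.0.0/0) echo "add_rule: warning: rule admits every source address" >&2 ;;
    esac
    "${NOVA:-nova}" secgroup-add-rule "$1" "$2" "$3" "$4" "$5"
}

# rule_exists PROTOCOL FROM TO CIDR: reads nova secgroup-list-rules output on
# stdin; succeeds when a table row matches all four fields exactly.
rule_exists() {
    awk -F'|' -v p="$1" -v f="$2" -v t="$3" -v c="$4" '
        NF >= 6 {
            gsub(/ /, "", $2); gsub(/ /, "", $3); gsub(/ /, "", $4); gsub(/ /, "", $5)
            if ($2 == p && $3 == f && $4 == t && $5 == c) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# count_open_rules: reads the same table on stdin and prints how many rows
# accept connections from 0.0.0.0/0, the rows worth reviewing first.
count_open_rules() {
    awk -F'|' 'NF >= 6 { r = $5; gsub(/ /, "", r); if (r == "0.0.0.0/0") n++ }
               END { print n + 0 }'
}

# Dry-run demonstration on the constructed sample: ./secgroup_rule.sh demo
if [ "${1:-}" = demo ]; then
    NOVA=${NOVA:-echo}
    add_rule default tcp 22 22 172.31.0.224/28
    printf '%s\n' "$SAMPLE_RULES" | rule_exists tcp 22 22 172.31.0.224/28 && echo "rule present"
    echo "rules open to 0.0.0.0/0: $(printf '%s\n' "$SAMPLE_RULES" | count_open_rules)"
fi
```

Against a real deployment, pipe the output of nova secgroup-list-rules GROUP into rule_exists or count_open_rules instead of the sample, and leave NOVA unset so add_rule calls the actual client; the validation runs first either way, so a malformed CIDR or a reversed port range is rejected before any API call is made.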