# Create a Security Group

You can set security group rules for your instances on zenConsole to improve network security. A security group applies to public network access to your instances.

## Procedures

1. Go to **Security Group** > **Create Security Group**.
2. Select a global VPC that the security group will be deployed on.
3. Configure the inbound and outbound rules.

   <table><thead><tr><th width="148">Item</th><th>Description</th></tr></thead><tbody><tr><td>Priority</td><td>A smaller value indicates a higher priority.<br><strong>Valid values</strong>: 1 to 999.</td></tr><tr><td>Type</td><td><strong>Allow:</strong> allows access requests on a specific port.<br><strong>Deny:</strong> denies access requests on a specific port.</td></tr><tr><td>Protocol</td><td>The protocol type of the security group rule.<br><strong>Valid values</strong>: All/TCP/UDP/ICMP-IPv4/ICMP-IPv6</td></tr><tr><td>Port range</td><td>You can specify a port range when <strong>Protocol Type</strong> is set to <strong>TCP</strong> or <strong>UDP</strong>. The value ranges from 1 to 65535. You can specify single port numbers separated with commas (for example, 80 indicating port 80; 20,30,40 indicating port 20, port 30, and port 40), or a range of port numbers (for example, 4000-4200 indicating ports from 4000 to 4200). The value "All" cannot be set separately, indicating that the port is not restricted.</td></tr><tr><td>Source/<br>Destination</td><td>Configure the host IP addresses of the source and destination.<br><strong>Example</strong>: 192.168.0.0/24. 0.0.0.0/0 or ::/0 indicates all IP addresses are allowed.</td></tr><tr><td>Actions</td><td>Delete the rule.</td></tr></tbody></table>
4. Label your security group.

### Commonly used ports

<table><thead><tr><th width="140.33333333333331">Protocol</th><th width="80">Port</th><th>Description</th></tr></thead><tbody><tr><td>ICMP</td><td>-1/-1</td><td>The ICMP port. It is used to ping instances through the Internet for network management and debugging.</td></tr><tr><td>SSH</td><td>22</td><td>The SSH port. It is used for remote access to Linux instances.</td></tr><tr><td>Telnet</td><td>23</td><td>The Telnet port. It is used to log in to instances.</td></tr><tr><td>HTTP</td><td>80</td><td>The HTTP port. It is used when a VM instance serves as a web server.</td></tr><tr><td>HTTPS</td><td>443</td><td>The HTTPS port. It is used to access web services. The HTTPS protocol is encrypted and secure.</td></tr><tr><td>SQL Server</td><td>1433</td><td>The TCP port of SQL Server. It is used for SQL Server to provide external services.</td></tr><tr><td>Oracle</td><td>1521</td><td>The Oracle communication port. If your instances run Oracle SQL, you need to open this port.</td></tr><tr><td>MySQL</td><td>3306</td><td>The MySQL port. It is used for MySQL to provide external services.</td></tr><tr><td>Windows Remote Desktop</td><td>3389</td><td>The Windows Server Remote Desktop Services (RDP) port. It is used to log in to Windows instances.</td></tr><tr><td>PostgreSQL</td><td>5432</td><td>The PostgreSQL port. It is used for PostgreSQL to provide external services.</td></tr><tr><td>Redis</td><td>6379</td><td>The Redis port. It is used for Redis to provide external services.</td></tr></tbody></table>

<table><thead><tr><th width="88.33333333333331">Port</th><th width="139">Source IP</th><th>Description</th></tr></thead><tbody><tr><td>-1/-1</td><td>10.0.0.0/8</td><td>Allow access from private IP range <code>10.0.0.0/8</code> to all ports</td></tr><tr><td>-1/-1</td><td>172.16.0.0/12</td><td>Allow access from private IP range <code>172.16.0.0/12</code> to all ports</td></tr><tr><td>-1/-1</td><td>192.168.0.0/16</td><td>Allow access from private IP range <code>192.168.0.0/16</code> to all ports</td></tr></tbody></table>

### Typical applications of commonly used ports

<table><thead><tr><th width="146">Scenario</th><th width="115">Rule direction</th><th width="141">Authorization policy</th><th width="102">Protocol type</th><th width="81">Port range</th><th width="140">Authorization type</th><th width="133">Authorization object</th><th>Priority</th></tr></thead><tbody><tr><td>Remote access to Linux instances through SSH</td><td>Inbound</td><td>Allow</td><td>SSH (22)</td><td>22/22</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr><tr><td>Remote access to Windows instances through RDP</td><td>Inbound</td><td>Allow</td><td>RDP (3389)</td><td>3389/3389</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr><tr><td>Ping VM instances through the Internet</td><td>Inbound</td><td>Allow</td><td>ICMP</td><td>-1/-1</td><td>Address field access or security group access</td><td>Set this parameter according to the authorization type</td><td>1</td></tr><tr><td>Use a VM instance as a Web server</td><td>Inbound</td><td>Allow</td><td>HTTP (80)</td><td>80/80</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr><tr><td>Upload or download files through FTP</td><td>Inbound</td><td>Allow</td><td>Custom TCP</td><td>20/21</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr></tbody></table>
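
The following added example (not zenConsole code and not its API) audits a list of inbound rules for administrative and database ports from the port table that are allowed from `0.0.0.0/0` or `::/0`. The dictionary keys mirror the rule items described above and are an assumed representation; the sample rule sets are constructed, and rules with equal priority are assumed to be evaluated in list order.

```python
# Added example: audits a list of inbound rules; not zenConsole code or its API.
# Dict keys mirror the rule items in the procedure table (an assumed representation).
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 1433: "SQL Server", 1521: "Oracle",
                   3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 6379: "Redis"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def parse_ports(spec):
    """Expand the port syntax described above: 'All', '80', '20,30,40', '4000-4200'."""
    if spec.strip().lower() == "all":
        return [(1, 65535)]
    spans = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        spans.append((low, high))
    return spans

def covers(rule, protocol, port):
    """True if the rule applies to this protocol and port."""
    if rule["protocol"] not in ("All", protocol):
        return False
    return any(low <= port <= high for low, high in parse_ports(rule["ports"]))

def exposed_ports(rules):
    """Sensitive TCP ports whose highest-priority any-source rule is Allow."""
    findings = {}
    ordered = sorted(rules, key=lambda r: r["priority"])  # smaller value wins
    for port, name in SENSITIVE_PORTS.items():
        for rule in ordered:
            if rule["source"] in ANY_SOURCE and covers(rule, "TCP", port):
                if rule["type"] == "Allow":
                    findings[port] = name
                break  # lower-priority any-source rules cannot override this one
    return findings

# Constructed sample rule sets.
OPEN_RULES = [
    {"priority": 1, "type": "Allow", "protocol": "TCP", "ports": "22", "source": "0.0.0.0/0"},
    {"priority": 1, "type": "Allow", "protocol": "TCP", "ports": "3389", "source": "0.0.0.0/0"},
    {"priority": 1, "type": "Allow", "protocol": "TCP", "ports": "80,443", "source": "0.0.0.0/0"},
]
LAYERED_RULES = [
    {"priority": 1, "type": "Allow", "protocol": "TCP", "ports": "22", "source": "198.51.100.0/24"},
    {"priority": 2, "type": "Deny", "protocol": "TCP", "ports": "3306,5432-6379", "source": "0.0.0.0/0"},
    {"priority": 10, "type": "Allow", "protocol": "All", "ports": "All", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(exposed_ports(OPEN_RULES))
    print(exposed_ports(LAYERED_RULES))
```

In `LAYERED_RULES`, the SSH rule limited to `198.51.100.0/24` does not reduce exposure, because the priority-10 Allow for all sources still covers port 22; only the ports named in the priority-2 Deny are closed.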

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

<mark style="color:blue;">For security reasons, access to</mark> <mark style="color:blue;">**port 25**</mark> <mark style="color:blue;">for email transmission is restricted by default. If you require continued access to</mark> <mark style="color:blue;">**port 25**</mark><mark style="color:blue;">, you may submit a request to remove the restriction.</mark>
{% endhint %}

## More Actions

Go to **Security Group** > **Actions** to perform the following actions:

* Edit\
  Change inbound and outbound rules.
* Associate Global VPC\
  Deploy the security group on instances in the selected global VPC.
* Delete

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

* <mark style="color:blue;">Dissociate all global VPCs before deleting the security group.</mark>
* <mark style="color:blue;">The default security group cannot be deleted.</mark>
  {% endhint %}

