# Create a Security Group

You can configure security group rules for your instances in zenConsole to improve network security. A security group applies to public network access to your instances.

## Procedures

1. Go to **Security Group** > **Create Security Group**.
2. Select a global VPC on which to deploy the security group.
3. Configure the inbound and outbound rules.

   <table><thead><tr><th width="148">Item</th><th>Description</th></tr></thead><tbody><tr><td>Priority</td><td>A smaller value indicates a higher priority.<br><strong>Valid values</strong>: 1 to 999.</td></tr><tr><td>Type</td><td><strong>Allow:</strong> allows access requests on a specific port.<br><strong>Deny:</strong> denies access requests on a specific port.</td></tr><tr><td>Protocol</td><td>The protocol type of the security group rule.<br><strong>Valid values</strong>: All/TCP/UDP/ICMP-IPv4/ICMP-IPv6</td></tr><tr><td>Port range</td><td>You can specify a port range when <strong>Protocol Type</strong> is set as <strong>TCP</strong> or <strong>UDP</strong>. The value ranges from 1 to 65535. You can specify single port numbers separated with a comma (for example, 80 indicating port 80; 20,30,40 indicating port 20, port 30, and port 40), or range of port numbers (for example, 4000-4200 indicating ports from 4000 to 4200). The value "All" cannot be set separately, indicating that the port is not restricted.</td></tr><tr><td>Source/<br>Destination</td><td>Configure the host IP addresses of source and destination.<br><strong>Example</strong>: 192.168.0.0/24. 0.0.0.0/0 or ::/0 indicates all IP addresses are allowed.</td></tr><tr><td>Actions</td><td>Delete the rule.</td></tr></tbody></table>
4. Label your security group.

### Commonly used ports

<table><thead><tr><th width="140.33333333333331">Protocol</th><th width="80">Port</th><th>Description</th></tr></thead><tbody><tr><td>ICMP</td><td>-1/-1</td><td>The ICMP port. It is used to ping instances through the Internet for network management and debugging.</td></tr><tr><td>SSH</td><td>22</td><td>The SSH port. It is used for remote access to Linux instances.</td></tr><tr><td>Telnet</td><td>23</td><td>The Telnet port. It is used to log in to instances.</td></tr><tr><td>HTTP</td><td>80</td><td>The HTTP port. It is used when a VM instance serves as a web server.</td></tr><tr><td>HTTPS</td><td>443</td><td>The HTTPS port. It is used to access web services. The HTTPS protocol is encrypted and secure.</td></tr><tr><td>SQL Server</td><td>1433</td><td>The TCP port of SQL Server. It is used for SQL Server to provide external services.</td></tr><tr><td>Oracle</td><td>1521</td><td>The Oracle communication port. If your instances run Oracle SQL, you need to open this port.</td></tr><tr><td>MySQL</td><td>3306</td><td>The MySQL port. It is used for MySQL to provide external services.</td></tr><tr><td>Windows Remote Desktop</td><td>3389</td><td>The Windows Server Remote Desktop Services (RDP) port. It is used to log in to Windows instances.</td></tr><tr><td>PostgreSQL</td><td>5432</td><td>The PostgreSQL port. It is used for PostgreSQL to provide external services.</td></tr><tr><td>Redis</td><td>6379</td><td>The Redis port. It is used for Redis to provide external services.</td></tr></tbody></table>

<table><thead><tr><th width="88.33333333333331">Port</th><th width="139">Source IP</th><th>Description</th></tr></thead><tbody><tr><td>-1/-1</td><td>10.0.0.0/8</td><td>Allow access from private IP range <code>10.0.0.0/8</code> to all ports</td></tr><tr><td>-1/-1</td><td>172.16.0.0/12</td><td>Allow access from private IP range <code>172.16.0.0/12</code> to all ports</td></tr><tr><td>-1/-1</td><td>192.168.0.0/16</td><td>Allow access from private IP range <code>192.168.0.0/16</code> to all ports</td></tr></tbody></table>

### Typical applications of commonly used ports

<table><thead><tr><th width="146">Scenario</th><th width="115">Rule direction</th><th width="141">Authorization policy</th><th width="102">Protocol type</th><th width="81">Port range</th><th width="140">Authorization type</th><th width="133">Authorization object</th><th>Priority</th></tr></thead><tbody><tr><td>Remote access to Linux instances through SSH</td><td>Inbound</td><td>Allow</td><td>SSH (22)</td><td>22/22</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr><tr><td>Remote access to Windows instances through RDP</td><td>Inbound</td><td>Allow</td><td>RDP (3389)</td><td>3389/3389</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr><tr><td>Ping VM instances through the Internet</td><td>Inbound</td><td>Allow</td><td>ICMP</td><td>-1/-1</td><td>Address field access or security group access</td><td>Set this parameter according to the authorization type</td><td>1</td></tr><tr><td>Use a VM instance as a Web server</td><td>Inbound</td><td>Allow</td><td>HTTP (80)</td><td>80/80</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr><tr><td>Upload or download files through FTP</td><td>Inbound</td><td>Allow</td><td>Custom TCP</td><td>20/21</td><td>Address field access</td><td>0.0.0.0/0</td><td>1</td></tr></tbody></table>
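The following is an added example, not zenConsole code: it parses the **Port range** syntax from the Procedures table and reports which login and database ports a rule set leaves reachable from any address, as the `0.0.0.0/0` rows above do for SSH and RDP. The rule dictionary keys, the sample addresses, and the evaluation model (lowest priority value first, first match decides, no match means deny) are assumptions.

```python
import ipaddress

# Ports from the "commonly used ports" table that carry logins or database traffic.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 1433: "SQL Server", 1521: "Oracle",
               3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 6379: "Redis"}

def parse_ports(spec):
    """Expand '80', '20,30,40', '4000-4200' or 'All' into (low, high) pairs."""
    if spec.strip().lower() == "all":  # assumption: 'All' means unrestricted
        return [(1, 65535)]
    pairs = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        pairs.append((low, high))
    return pairs

def decide(rules, src_ip, port, protocol="TCP"):
    """Assumed semantics: lowest priority value is checked first, the first
    matching rule decides, and traffic matching no rule is denied."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("All", protocol):
            continue
        if addr not in ipaddress.ip_network(rule["source"]):
            continue
        if any(lo <= port <= hi for lo, hi in parse_ports(rule["ports"])):
            return rule["type"]
    return "Deny"

def exposed_admin_ports(rules, probe="203.0.113.10"):
    """Admin/database ports reachable from an arbitrary Internet address."""
    return sorted(p for p in ADMIN_PORTS if decide(rules, probe, p) == "Allow")

# Constructed inbound rule set (not taken from a real account).
RULES = [
    {"priority": 1, "type": "Deny", "protocol": "TCP", "ports": "3389", "source": "0.0.0.0/0"},
    {"priority": 10, "type": "Allow", "protocol": "TCP", "ports": "22", "source": "198.51.100.0/24"},
    {"priority": 20, "type": "Allow", "protocol": "TCP", "ports": "80,443", "source": "0.0.0.0/0"},
    {"priority": 30, "type": "Allow", "protocol": "TCP", "ports": "3000-6500", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for port in exposed_admin_ports(RULES):
        print(f"{ADMIN_PORTS[port]} ({port}) is reachable from any address")
```

In the constructed rule set, the broad `3000-6500` range opens the MySQL, PostgreSQL and Redis ports to every source, while RDP stays closed only because the priority 1 Deny rule is matched first.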

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

<mark style="color:blue;">For security reasons, access to</mark> <mark style="color:blue;">**port 25**</mark> <mark style="color:blue;">for email transmission is restricted by default. If you require access to</mark> <mark style="color:blue;">**port 25**</mark><mark style="color:blue;">, you may submit a request to remove the restriction.</mark>
{% endhint %}

## More Actions

Go to **Security Group** > **Actions** to perform the following actions.

* Edit\
  Change inbound and outbound rules.
* Associate Global VPC\
  Deploy the security group on instances in the selected global VPC.
* Delete

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

* <mark style="color:blue;">Dissociate all global VPCs before deleting the security group.</mark>
* <mark style="color:blue;">The default security group cannot be deleted.</mark>
  {% endhint %}
