Kvindo™ Cloud Docs
A Security Group is a virtual firewall — an ordered set of ingress (inbound) and egress (outbound) rules. Attach it to a VM (spec.securityGroupIds on the VM) to control which traffic reaches and leaves the resource.
• Ingress rules — permit inbound traffic by port(s) and source CIDR(s)
• Egress rules — permit outbound traffic by port(s) and destination CIDR(s)
• Ports — protocol:port entries. Protocol is tcp, udp, icmp, or an alias — http, https, ssh, bgp (→ tcp), rdp, ipsec (→ tcp+udp) — e.g. tcp:22, https:443, a range tcp:1000-2000, or a protocol's full range tcp:all. A port is required except for the bare, portless forms icmp and all (which alone also covers tcp+udp+icmp); note all:22-23 covers tcp+udp only on that range, not icmp
• IPv4 blocks — CIDRs, or one of three lowercase macros (see table below); macros and literal CIDRs can be mixed in the same array, e.g. ["local", "18.31.33.11"]
• Default action — traffic not matching any rule is dropped by default (spec.defaultAction omitted or "deny"); set spec.defaultAction: "allow" to flip to a blacklist model where unmatched traffic is allowed and only explicit deny rules block it
• Live updates — rule changes take effect immediately on every attached resource
| Macro | Expands to |
|---|---|
all | 0.0.0.0/0 — matches any address |
local | Private/internal ranges — RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus loopback (127.0.0.0/8) and link-local (169.254.0.0/16) |
external | Complement of local — public internet address space only |
Macros are lowercase-only and case-sensitive — "ALL" is treated as a literal (invalid) CIDR, not the macro, and fails validation.
| UI Name | API / kc name | Terraform name | Optional | Format | Default | Is read only | Description |
|---|---|---|---|---|---|---|---|
| Ingress rules | spec.ingress |
spec.ingress |
Yes | list of rule objects | [] |
No | Inbound rules |
| Ports | spec.ingress[].ports |
spec.ingress[].ports |
— | list of string — protocol:port |
— | No | Protocol is tcp, udp, icmp, or an alias such as https, ssh, rdp; e.g. tcp:22, https:443, tcp:1000-2000, tcp:all, or bare icmp / all (no port) |
| IPv4 blocks | spec.ingress[].ipv4Blocks |
spec.ingress[].ipv4_blocks |
— | list of string — CIDR or macro (all/local/external) |
— | No | Source CIDRs, or one of the macros all, local, external (lowercase only); macros and literal CIDRs may be mixed in the same array |
| Action | spec.ingress[].action |
spec.ingress[].action |
— | string | — | No | allow or deny — no server-side default, set it on every rule |
| Egress rules | spec.egress |
spec.egress |
Yes | list of rule objects | [] |
No | Outbound rules (same shape as ingress: spec.egress[].ports, spec.egress[].ipv4Blocks, spec.egress[].action) |
| Default action | spec.defaultAction |
spec.default_action |
Yes | string — allow or deny |
deny |
No | Action applied to traffic that matches no rule; omit for today's default-deny behavior, or set to allow to flip to a blacklist model where only explicit deny rules block traffic |
An app-server security group: inbound SSH admin access and HTTPS from anywhere, ICMP ping allowed only from the internal network; outbound SMTP restricted to an internal mail relay and blocked to the public internet directly (avoids spam blacklisting), with all other outbound traffic allowed.
Terraform
Python SDK
kc CLI
To switch to blacklist mode (allow by default, deny only what's listed), add default_action = "allow" to the spec block above (or defaultAction: allow / "defaultAction": "allow" for kc/Python) — nothing else in the example changes.
Examples
More in this section