Kvindo™ Cloud Docs


Language

Security Group

A Security Group is a virtual firewall — an ordered set of ingress (inbound) and egress (outbound) rules. Attach it to a VM (spec.securityGroupIds on the VM) to control which traffic reaches and leaves the resource.

Key concepts

Ingress rules — permit inbound traffic by port(s) and source CIDR(s)

Egress rules — permit outbound traffic by port(s) and destination CIDR(s)

Portsprotocol:port entries. Protocol is tcp, udp, icmp, or an alias — http, https, ssh, bgp (→ tcp), rdp, ipsec (→ tcp+udp) — e.g. tcp:22, https:443, a range tcp:1000-2000, or a protocol's full range tcp:all. A port is required except for the bare, portless forms icmp and all (which alone also covers tcp+udp+icmp); note all:22-23 covers tcp+udp only on that range, not icmp

IPv4 blocks — CIDRs, or one of three lowercase macros (see table below); macros and literal CIDRs can be mixed in the same array, e.g. ["local", "18.31.33.11"]

Default action — traffic not matching any rule is dropped by default (spec.defaultAction omitted or "deny"); set spec.defaultAction: "allow" to flip to a blacklist model where unmatched traffic is allowed and only explicit deny rules block it

Live updates — rule changes take effect immediately on every attached resource

Macro Expands to
all0.0.0.0/0 — matches any address
localPrivate/internal ranges — RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus loopback (127.0.0.0/8) and link-local (169.254.0.0/16)
externalComplement of local — public internet address space only

Macros are lowercase-only and case-sensitive — "ALL" is treated as a literal (invalid) CIDR, not the macro, and fails validation.

Parameters
UI Name API / kc name Terraform name Optional Format Default Is read only Description
Ingress rules spec.ingress spec.ingress Yes list of rule objects [] No Inbound rules
Ports spec.ingress[].ports spec.ingress[].ports list of string — protocol:port No Protocol is tcp, udp, icmp, or an alias such as https, ssh, rdp; e.g. tcp:22, https:443, tcp:1000-2000, tcp:all, or bare icmp / all (no port)
IPv4 blocks spec.ingress[].ipv4Blocks spec.ingress[].ipv4_blocks list of string — CIDR or macro (all/local/external) No Source CIDRs, or one of the macros all, local, external (lowercase only); macros and literal CIDRs may be mixed in the same array
Action spec.ingress[].action spec.ingress[].action string No allow or deny — no server-side default, set it on every rule
Egress rules spec.egress spec.egress Yes list of rule objects [] No Outbound rules (same shape as ingress: spec.egress[].ports, spec.egress[].ipv4Blocks, spec.egress[].action)
Default action spec.defaultAction spec.default_action Yes string — allow or deny deny No Action applied to traffic that matches no rule; omit for today's default-deny behavior, or set to allow to flip to a blacklist model where only explicit deny rules block traffic
Examples

An app-server security group: inbound SSH admin access and HTTPS from anywhere, ICMP ping allowed only from the internal network; outbound SMTP restricted to an internal mail relay and blocked to the public internet directly (avoids spam blacklisting), with all other outbound traffic allowed.

Terraform

Python SDK

kc CLI

To switch to blacklist mode (allow by default, deny only what's listed), add default_action = "allow" to the spec block above (or defaultAction: allow / "defaultAction": "allow" for kc/Python) — nothing else in the example changes.


Related pages

Examples

More in this section

An unhandled error has occurred. Reload 🗙