A security group acts as a virtual firewall for servers and other resources on a network.
It is a container for security group rules which specify the network access rules for ingress and egress traffic.
The following pre-defined security groups are made available for each project:
- "default" : the default security group on the system
- "ssh" : it allows ssh ingress traffic via the port 22
- "ssh-https" : it allows ssh and http(s) ingress traffic via the port 22, 80, 443 and 6443
Exposing certain ports to the Internet at ECMWF
If running at ECMWF, please note that the Centre's external firewall, which sits on top of the cloud security groups, only allows a small set of ports for ingress traffic for security reasons. Those include the standard ports for SSH, HTTP or HTTPS. You may not be able to expose an arbitrary port to the Internet even if it is allowed in a security group. Please consider using a load balancer or reverse proxy running on standard ports when exposing those services externally.
Guides