To set up a firewall for your Compute virtual machines (VMs), you can create security groups with security rules that control ingress and egress traffic at the packet level, and then assign the security groups to the VMs’ network interfaces.

Prerequisites

  1. Install and configure the Nebius AI Cloud CLI.
  2. Make sure you are in a group that has at least the editor role within your tenant; for example, the default editors group. You can check this in the Administration → IAM section of the web console.
  3. Get the ID of the network where you want to manage security groups and security rules.

Creating security groups

To create a security group, run nebius vpc security-group create:
nebius vpc security-group create \
  --name <name> \
  --network-id <network_ID>
The command contains the following parameters:
  • --name: Name of the security group.
  • --network-id: ID of the network for the security group. You can only assign a security group to VMs within this network. For instructions, see How to get a network ID.
For more details, see the command reference. Security groups are created empty. After creating a security group, add security rules to it and then assign it to VMs.

Adding security rules to security groups

To add a security rule to a security group, run nebius vpc security-rule create. For example, to create an egress security rule, run the following command:
nebius vpc security-rule create \
  --parent-id <security_group_ID> \
  --name <name> \
  --access <allow|deny> \
  --egress-destination-cidrs "<CIDR_block_1>,<CIDR_block_2>,..." \
  --egress-destination-ports "<port_1>,<port_2>,..." \
  --egress-destination-security-group-id <destination_security_group_ID> \
  --protocol <tcp|udp|icmp|any> \
  --type <stateful|stateless> \
  --priority <priority_from_1_to_1000>
To get a security group ID, run nebius vpc security-group list. The output contains the ID in the .metadata.id field. For more details, see the command reference.

Deleting security rules

To delete a security rule from a security group, run the nebius vpc security-rule delete command:
nebius vpc security-rule delete <security_rule_ID>
To get the security rule ID, run nebius vpc security-rule list --parent-id <security_group_ID>. For more details, see the command reference. If you delete all security rules from a security group, the group denies all traffic to and from every VM network interface it is assigned to. For more details, see Security rule priorities.

Assigning security groups to VMs

A VM and security groups that are assigned to it must be associated with the same network. To assign a security group to a VM’s network interface, add the security group ID to the specification of the network interface when creating or modifying the VM. For example, to add a security group to an existing VM, perform the following steps:
  1. Run nebius compute instance edit <VM_ID>.
  2. Modify the .spec.network_interfaces field:
     spec:
       network_interfaces:
         - ip_address:
             allocation_id: vpcallocation-***
           name: eth0
           public_ip_address:
             static: false
           subnet_id: vpcsubnet-***
    +      security_groups:
    +        - id: vpcsecuritygroup-***
    
  3. Save the edited specification and exit the editor to apply the change to the VM.
To get the security group ID, run nebius vpc security-group list. For more details, see the reference for the commands that create and modify VMs. If no security groups are assigned to a VM’s network interface, the default security group of the VM’s network controls traffic to and from that interface. To revert an interface to this default, make its list of security groups empty.
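The following added Python helper is not part of the Nebius CLI or of this page. It builds the argv for nebius vpc security-rule create using the egress flags listed under Adding security rules, rejecting any value outside the ranges stated there (access, protocol, type, priority 1 to 1000, well-formed CIDR blocks), and applies the security_groups edit from the steps above to an instance spec loaded as a dict. The resource IDs in it are constructed placeholders, and the caller is assumed to hand the argv to subprocess.run.

```python
from __future__ import annotations
import ipaddress
from typing import Any

PROTOCOLS = {"tcp", "udp", "icmp", "any"}
RULE_TYPES = {"stateful", "stateless"}

def egress_rule_argv(sg_id: str, name: str, access: str, cidrs: list[str],
                     ports: list[int], protocol: str, rule_type: str,
                     priority: int) -> list[str]:
    """Build argv for `nebius vpc security-rule create` using the egress flags
    shown above, checking each value against the ranges the page states
    (access allow|deny, protocol tcp|udp|icmp|any, type stateful|stateless,
    priority 1..1000). A ValueError here stops a typo from becoming a rule
    that is broader than intended."""
    if access not in {"allow", "deny"}:
        raise ValueError(f"access must be allow or deny, got {access!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)}")
    if rule_type not in RULE_TYPES:
        raise ValueError(f"type must be one of {sorted(RULE_TYPES)}")
    if not 1 <= priority <= 1000:
        raise ValueError(f"priority must be 1..1000, got {priority}")
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {ports}")
    # strict=True rejects CIDRs with host bits set (10.0.0.5/24), usually a typo
    blocks = [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]
    argv = ["nebius", "vpc", "security-rule", "create",
            "--parent-id", sg_id, "--name", name, "--access", access,
            "--egress-destination-cidrs", ",".join(blocks)]
    if ports:  # the ports flag is omitted when no ports are given
        argv += ["--egress-destination-ports", ",".join(map(str, ports))]
    argv += ["--protocol", protocol, "--type", rule_type,
             "--priority", str(priority)]
    return argv

def attach_security_group(spec: dict[str, Any], iface_name: str,
                          sg_id: str) -> dict[str, Any]:
    """Apply the edit from the steps above to an instance spec held as a dict
    (e.g. parsed from the editor's YAML): append {"id": sg_id} to the named
    interface's security_groups list, creating it if absent and skipping
    duplicates. Returns the modified spec."""
    for iface in spec["spec"]["network_interfaces"]:
        if iface.get("name") == iface_name:
            groups = iface.setdefault("security_groups", [])
            if not any(g.get("id") == sg_id for g in groups):
                groups.append({"id": sg_id})
            return spec
    raise KeyError(f"no network interface named {iface_name!r}")
```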

Deleting security groups

You can only delete non-default security groups that are not assigned to any VMs. Before deleting a security group, assign other security groups to its VMs or revert these VMs to defaults. For more details, see Assigning security groups to VMs.
To delete a security group, run nebius vpc security-group delete:
nebius vpc security-group delete <security_group_ID>
To get the security group ID, run nebius vpc security-group list.