Cloud API allows contract administrators, owners, and authenticated users with the required permissions to create a NSG and associate it with Network Interface Cards (NICs) or Virtual Machine (VM) resources.
Network Security Groups (NSGs) act as centralized firewall policy managers that allow you to filter and control network traffic to and from virtual network resources within a given .
NSGs are a fundamental element of network security that allows you to control inbound and outbound traffic of or instances. NSGs contain security rules that allow or deny traffic based on various criteria, such as source and destination IP addresses, ports, and protocols.
NSGs are of two types: Default and Custom. Every newly created VM in a VDC is automatically added to the "Default" NSG and comes with a set of pre-configured rules that allow basic infrastructure traffic for VMs and NICs in a VDC. You can customize both Default and Custom NSGs according to your needs.
The following are some key features and benefits of NSGs:
Centralized Policy Management: NSGs offered by IONOS act as a centralized policy manager where firewall policy templates can be defined for a given Virtual Data Center (VDC). This streamlines the management of firewall rules across multiple network interfaces and VM instances.
Flexibility with Default and Custom NSGs: NSGs are of two types: Default and Custom. You can customize both Default and Custom NSGs according to your needs.
Stateful Virtual Firewall: Each security group acts as a stateful virtual firewall, controlling both inbound and outbound traffic. This ensures that only authorized traffic, based on defined protocols and port numbers, is allowed to flow through.
Integration with NIC-based firewall rules: You can complement the NSG rules by configuring NIC-based firewall rules, providing additional flexibility and customization options.
Fine-Grained Access Control: NSGs enable fine-grained access control at the level of Virtual Machines (VMs) and network interfaces (NICs). This ensures that security policies can be applied based on different criteria to enhance security.
Enhanced Customer Experience: You can get a more intuitive way of handling firewall rules for a VDC. NSGs address the need by enhancing the overall customer experience on the IONOS Cloud platform.
Network Security Groups (NSGs) serve as centralized firewall policy managers, enabling the filtering of network traffic to and from virtual network resources within a given .
An NSG contains security firewall rules that allow or deny ingress (incoming) and egress (outgoing) network traffic for or resources configured as NSG members. Each rule can specify the source and destination, port, and protocol.
Note: Network Security Groups are currently accessible only via the Cloud API v6. The DCD support will be available soon.
To get answers to the most commonly encountered questions about Network Security Groups, see .
Learn how to create a Default NSG.
Learn how to create a Custom NSG.
Learn how to convert a Custom NSG to a Default NSG.
Learn how to retrieve a NSG by Group ID.
Learn how to retrieve your NSGs.
Learn how to update a NSG.
Learn how to delete your NSGs.
Learn how to create a Firewall rule for the specified NSG.
Learn how to retrieve all Firewall rules for the specified NSG.
Learn how to update a Firewall rule of the specified NSG.
Learn how to delete a firewall rule from a NSG.
Learn how to attach a list of NSGs to a server or NIC.
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To delete a firewall rule from a NSG, you need to use the following Cloud API DELETE request providing the datacenterId, securityGroupId and ruleId:
DELETE /datacenters/{datacenterId}/securitygroups/{securityGroupId}/rules/{ruleId}
202 Accepted
Note: Only contract administrators, owners, and users with both permissions to the VDC concerned and createNetworkSecurityGroups privilege can create NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
You can create a Default NSG with predefined rules at the time of creation or during the update of a datacenter. You can use any of the following Cloud API requests with the property createDefaultSecurityGroup set to true and the other required properties:
POST /datacenters/
PUT /datacenters/{datacenterId}
PATCH /datacenters/{datacenterId}
202 Accepted
Note: For CloudAPI, some resources are created asynchronously. You can check for the progress via the Status URL that is returned in the response header of the POST or PUT call.
Note: Only contract administrators, owners, and users with both permissions to the VDC concerned and createNetworkSecurityGroups privilege can create NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To create a Custom NSG, you need to use the following POST request providing the datacenterId and the required properties:
POST /datacenters/{datacenterId}/securitygroups
202 Accepted
Note: For CloudAPI, some resources are created asynchronously. You can check for the progress via the Status URL that is returned in the response header of the POST or PUT call.
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
You can convert a Custom NSG to a Default NSG during the update of a datacenter. You can use any of the following requests with the property defaultSecurityGroupId set to the UUID of the NSG to be converted and the other required properties:
PUT /datacenters/{datacenterId}
PATCH /datacenters/{datacenterId}
202 Accepted
Note: For CloudAPI, some resources are created asynchronously. You can check for the progress via the Status URL that is returned in the response header of the POST or PUT call.
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To update a NSG, you need to use the following PUT or PATCH request providing the datacenterId, securityGroupId and the required properties:
PUT /datacenters/{datacenterId}/securitygroups/{securityGroupId}
PATCH /datacenters/{datacenterId}/securitygroups/{securityGroupId}
202 Accepted
Note: For CloudAPI, some resources are created asynchronously. You can check for the progress via the Status URL that is returned in the response header of the POST or PUT call.
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To retrieve the NSGs, you need to use the following GET request using the datacenter ID:
GET /datacenters/{datacenterId}/securitygroups
200 OK
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To retrieve a specific NSG, you need to use the following GET request using the datacenter ID and securityGroupId:
GET /datacenters/{datacenterId}/securitygroups/{securityGroupId}
200 OK
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To create a firewall rule for a NSG, you need to use the following Cloud API POST request providing the datacenterId and securityGroupId:
POST /datacenters/{datacenterId}/securitygroups/{securityGroupId}/rules
202 Accepted
Note: For CloudAPI, some resources are created asynchronously. You can check for the progress via the Status URL that is returned in the response header of the POST or PUT call.
A Network Security Group (NSG) is a fundamental component of network security within a VDC that acts as a virtual firewall, allowing you to control ingress and egress traffic to and from resources like Network Interface Cards (NICs) or Virtual Machines (VMs).
NSG management is currently only supported via Cloud API. DCD support will be available soon.
Network Security Groups are subject to the following limits:
Number of NSGs that can be created per VDC: 200
Number of rules that can be created per NSG: 100
Number of NSGs a VM can be a member of: 10
Number of NSGs a NIC can be a member of: 10
The limits and the current usage can be retrieved using the Cloud API request GET https://api.ionos.com/cloudapi/v6/contracts
To increase any of the above limits, contact IONOS Cloud Support.
NSGs are of two types: Default and Custom. You can choose between a Default or a Custom NSG and customize them according to your needs. Create a Default NSG if you want the same set of rules to be applied to all VMs in your data center. If you want more fine-grained control and require the firewall rules to be applied only for a subset of VMs or NICs, create Custom NSGs.
Only one Default NSG can be created per Virtual Data Center (VDC).
Every newly created VM in a VDC automatically becomes a member of the Default NSG.
The Default NSG comes with a set of pre-configured rules that allow basic traffic for VMs and Network Interface Cards (NICs) in a VDC.
You can create one or more Custom NSGs based on specific requirements.
A Default NSG contains 4 predefined rules that get applied to all member VMs and NICs. The rules behave as follows:
Allow all IPv4 Egress traffic
Allow all IPv6 Egress traffic
Allow IPv4 Ingress traffic only from 10.0.0.0/24
Allow IPv6 Ingress traffic only from the /56 IPv6 CIDR allocated to the data center
Both NICs and VMs can be members of a NSG. Each resource can be a member of one or more NSGs. When a VM is a member of a NSG, all NICs of the VM implicitly inherit the firewall rules.
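The following is an added example, not IONOS code: it models the four predefined Default NSG rules and the VM-to-NIC inheritance described above, so you can check which peers reach a NIC and which resources exceed the 10-NSG membership limit. The data layout, the NSG names, the "vm/nic" naming and the IPv6 prefix are constructed; it assumes traffic is allowed when any rule of any effective NSG matches, and it ignores ports and protocols.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "INGRESS" or "EGRESS"
    ip_version: int  # 4 or 6
    peer: str        # CIDR of the remote side the rule allows

def default_nsg_rules(vdc_ipv6_cidr):
    """The four predefined Default NSG rules as listed on this page."""
    return [
        Rule("EGRESS", 4, "0.0.0.0/0"),
        Rule("EGRESS", 6, "::/0"),
        Rule("INGRESS", 4, "10.0.0.0/24"),
        Rule("INGRESS", 6, vdc_ipv6_cidr),
    ]

def effective_groups(nic, vm_groups, nic_groups):
    """NSGs that apply to a NIC: its own plus those inherited from its VM."""
    vm = nic.split("/")[0]  # assumed naming scheme "<vm>/<nic>"
    return sorted(set(nic_groups.get(nic, [])) | set(vm_groups.get(vm, [])))

def is_allowed(nic, direction, peer_ip, groups, vm_groups, nic_groups):
    """True if any rule of any effective NSG allows the peer address."""
    ip = ipaddress.ip_address(peer_ip)
    for name in effective_groups(nic, vm_groups, nic_groups):
        for r in groups[name]:
            if (r.direction == direction and r.ip_version == ip.version
                    and ip in ipaddress.ip_network(r.peer)):
                return True
    return False  # assumption: unmatched traffic is dropped

def over_limit(vm_groups, nic_groups, limit=10):
    """Resources that exceed the documented 10-NSG membership limit."""
    members = {**vm_groups, **nic_groups}
    return sorted(k for k, v in members.items() if len(set(v)) > limit)

# Constructed sample data (names and the IPv6 prefix are placeholders).
GROUPS = {
    "default": default_nsg_rules("2001:db8:0:100::/56"),
    "web": [Rule("INGRESS", 4, "203.0.113.0/24")],
}
VM_GROUPS = {"vm1": ["default"], "vm2": ["default"]}
NIC_GROUPS = {"vm1/nic0": ["web"]}
```
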
NSG support is available in GO Cloud SDK and Terraform.
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To delete a NSG, you need to use the following Cloud API DELETE request providing the datacenterId and securityGroupId:
DELETE /datacenters/{datacenterId}/securitygroups/{securityGroupId}
202 Accepted
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To retrieve the firewall rules by Network Security Group ID, you need to use one of the following Cloud API GET requests using the datacenterId and securityGroupId:
GET /datacenters/{datacenterId}/securitygroups/{securityGroupId}/rules
GET /datacenters/{datacenterId}/securitygroups/{securityGroupId}/rules/{ruleId}
200 OK
Note: This request updates the list of Security Groups attached to an existing server specified by its ID. The Security Groups should already exist as part of the datacenter.
Note: Only contract administrators, owners, and users with permissions to the VDC concerned can create and manage NSGs via API.
Prerequisite: You need an IONOS Cloud account with API credentials configured with the appropriate permissions.
To attach a list of NSGs to a server, you need to use the following Cloud API PUT request providing the datacenterId, serverId and the IDs of the security groups in the body:
PUT /datacenters/{datacenterId}/servers/{serverId}/securitygroups
Similarly for a NIC, provide the datacenterId, nicId and the IDs of the security groups in the body:
PUT /datacenters/{datacenterId}/servers/{serverId}/nic/{nicId}/securitygroups
200 Accepted