Configure security groups

This guide shows you how to create and manage security groups and their rules using the evroc CLI or Kubernetes API.

For information about security groups and how they work, see Security Groups.

Prerequisites

  • Access to an evroc organization and resource group
  • evroc CLI installed and configured, or kubectl configured to access the evroc Kubernetes API

Using default security groups for SSH access

Each resource group includes a default-sto-1-ssh security group that allows SSH access from any IP address. This provides a convenient way to enable SSH access without creating custom rules.

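Add this security group to a VM when creating it or via update. An update sets the VM's complete list of security groups, so repeat --security-group for any other groups the VM should keep: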

Using the CLI:

evroc compute vm update myvm --security-group=default-sto-1-ssh

Using the API:

spec:
  networking:
    securityGroups:
      securityGroupMemberships:
        - name: default-sto-1-ssh

For more information about default security groups, see Security Groups.

Create a security group

Create a security group to control network traffic to and from your virtual machines.

Using the CLI

Create an empty security group with the evroc networking securitygroup create command:

evroc networking securitygroup create my-sg

Using the API

Create a security group by applying a YAML configuration:

apiVersion: networking.evroclabs.net/v1alpha1
kind: SecurityGroup
metadata:
  name: my-sg
spec:
  rules:
  - direction: Egress
    name: allowEgress
    remote:
      address:
        IPAddressOrCIDR: 0.0.0.0/0
      securityGroupRef: {}
      subnetRef: {}
  - direction: Ingress
    name: allowSSH
    port: 22
    protocol: TCP
    remote:
      address:
        IPAddressOrCIDR: 0.0.0.0/0
      securityGroupRef: {}
      subnetRef: {}
  - direction: Ingress
    name: allowHTTPS
    port: 443
    protocol: TCP
    remote:
      address:
        IPAddressOrCIDR: 0.0.0.0/0
      securityGroupRef: {}
      subnetRef: {}

Apply the configuration:

kubectl apply -f securitygroup.yaml

Add a rule to a security group

Add rules to allow or restrict specific network traffic.

Using the CLI

Add an ingress rule to allow SSH access from anywhere:

evroc networking securitygroup addrule my-sg \
  --name=allow-ssh-from-anywhere \
  --direction=Ingress \
  --ip-address-or-cidr=0.0.0.0/0 \
  --port=22 \
  --protocol=TCP

Add an ingress rule to allow HTTPS access from a specific CIDR range:

evroc networking securitygroup addrule my-sg \
  --name=allow-https-from-office \
  --direction=Ingress \
  --ip-address-or-cidr=203.0.113.0/24 \
  --port=443 \
  --protocol=TCP

Using the API

Add rules by updating the security group specification to include them in the rules list, then apply the updated configuration.

Attach a security group to a VM

Add a virtual machine to a security group to apply the group's rules to the VM's network traffic.

Using the CLI

When updating a VM's security groups, you must specify the complete list of security groups the VM should belong to. For example, if a VM is in default-sto-1 and allow-https, and you want to add allow-ssh, specify all three groups:

evroc compute vm update myvm \
  --security-group=default-sto-1 \
  --security-group=allow-https \
  --security-group=allow-ssh

Using the API

Edit the VM specification to include the security group in the securityGroupMemberships list:

apiVersion: compute.evroclabs.net/v1alpha1
kind: VirtualMachine
metadata:
  name: myvm
spec:
  networking:
    securityGroups:
      securityGroupMemberships:
        - name: default-sto-1
        - name: my-sg
  # ... other fields

Apply the configuration:

kubectl apply -f vm.yaml

View security group rules

Using the CLI

View the rules configured in a security group:

evroc networking securitygroup showrules my-sg

Sample output:

[
    {
        "name": "allow-ssh-from-anywhere",
        "direction": "Ingress",
        "protocol": "TCP",
        "port": 22,
        "remote": {
            "securityGroupRef": {},
            "subnetRef": {},
            "address": {
                "IPAddressOrCIDR": "0.0.0.0/0"
            }
        }
    }
]
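To review a group's exposure, the showrules JSON can be checked for ingress rules open to every address. The script below is an added example, not part of the evroc tooling. It assumes the JSON shape shown in the sample output above. Its choice of administrative ports and its handling of a rule with no port as covering all ports are assumptions, and the sample rules are constructed.

```python
import ipaddress
import json

# Constructed sample in the shape printed by showrules (not real output).
SAMPLE_RULES = """[
 {"name": "allow-ssh-from-anywhere", "direction": "Ingress", "protocol": "TCP", "port": 22,
  "remote": {"securityGroupRef": {}, "subnetRef": {}, "address": {"IPAddressOrCIDR": "0.0.0.0/0"}}},
 {"name": "allowHTTPS", "direction": "Ingress", "protocol": "TCP", "port": 443,
  "remote": {"securityGroupRef": {}, "subnetRef": {}, "address": {"IPAddressOrCIDR": "0.0.0.0/0"}}},
 {"name": "allow-https-from-office", "direction": "Ingress", "protocol": "TCP", "port": 443,
  "remote": {"securityGroupRef": {}, "subnetRef": {}, "address": {"IPAddressOrCIDR": "203.0.113.0/24"}}},
 {"name": "allowEgress", "direction": "Egress",
  "remote": {"securityGroupRef": {}, "subnetRef": {}, "address": {"IPAddressOrCIDR": "0.0.0.0/0"}}}
]"""

ADMIN_PORTS = {22, 3389}  # assumption: ports treated as administrative access


def is_any_address(value):
    """True when the address or CIDR has prefix length 0 (matches every address)."""
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparseable value: not reported as world-open


def audit_rules(rules):
    """Return one finding per ingress rule whose remote address is any address."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Ingress":
            continue
        address = (rule.get("remote") or {}).get("address") or {}
        if not is_any_address(address.get("IPAddressOrCIDR", "")):
            continue
        port = rule.get("port")
        # Assumption: a rule without a port is treated as covering all ports.
        severity = "high" if port is None or port in ADMIN_PORTS else "review"
        findings.append({"rule": rule.get("name"), "port": port, "severity": severity})
    return findings


def audit_json(text):
    """Parse showrules-style JSON text and audit it."""
    return audit_rules(json.loads(text))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_RULES):
        print(f"{finding['severity']:6} {finding['rule']} (port {finding['port']})")
```

On the constructed sample this reports allow-ssh-from-anywhere as high and allowHTTPS as review. The office-restricted rule and the egress rule are not flagged.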

Using the API

View detailed security group information including rules:

kubectl get securitygroup my-sg -o yaml

Sample output:

apiVersion: networking.evroclabs.net/v1alpha1
kind: SecurityGroup
metadata:
  name: my-sg
...
status:
  conditions:
  - lastTransitionTime: "2025-05-20T07:13:04Z"
    message: ""
    reason: Ready
    status: "True"
    type: Ready

Remove a rule from a security group

Delete rules you no longer need.

Using the CLI

Remove a rule by name:

evroc networking securitygroup removerule my-sg --name=allow-ssh-from-anywhere

Using the API

Remove a rule by editing the security group specification to delete it from the rules list, then apply the updated configuration.

List security groups

Using the CLI

List all security groups in your resource group:

evroc networking securitygroup list

Sample output:

 Name            Ready
-------         -------
 default-sto-1   True
 my-sg           True

Using the API

List security groups using kubectl:

kubectl get securitygroups

Sample output:

NAME            READY
default-sto-1   True
my-sg           True

Delete a security group

Delete security groups you no longer need. A security group can be deleted only when it is not attached to any virtual machines.

Using the CLI

Delete a security group:

evroc networking securitygroup delete my-sg

Using the API

Delete a security group using kubectl:

kubectl delete securitygroup my-sg

Next steps