Security groups act as virtual firewalls controlling inbound and outbound traffic for instances and other resources.
Methods
New
Create a new security group with rules.
func (r *SecurityGroupService) New(ctx context.Context, params SecurityGroupNewParams, opts ...option.RequestOption) (*TaskIDList, error)
func (r *SecurityGroupService) NewAndPoll(ctx context.Context, params SecurityGroupNewParams, opts ...option.RequestOption) (*SecurityGroup, error)
Security group description
Initial security group rules. If not provided, default egress rules are created. Set to empty array for no rules
List of rules in the security group
Update
Update security group name, description, or rules.
func (r *SecurityGroupService) Update(ctx context.Context, groupID string, params SecurityGroupUpdateParams, opts ...option.RequestOption) (*TaskIDList, error)
func (r *SecurityGroupService) UpdateAndPoll(ctx context.Context, groupID string, params SecurityGroupUpdateParams, opts ...option.RequestOption) (*SecurityGroup, error)
Complete desired set of rules (existing rules not in this list will be removed)
Tags to add, update, or remove
When updating rules, you must specify the complete desired state. Rules not included will be removed.
List
List all security groups.
func (r *SecurityGroupService) List(ctx context.Context, params SecurityGroupListParams, opts ...option.RequestOption) (*pagination.OffsetPage[SecurityGroup], error)
func (r *SecurityGroupService) ListAutoPaging(ctx context.Context, params SecurityGroupListParams, opts ...option.RequestOption) *pagination.OffsetPageAutoPager[SecurityGroup]
Filter by exact name match
Get
Get security group details.
func (r *SecurityGroupService) Get(ctx context.Context, groupID string, query SecurityGroupGetParams, opts ...option.RequestOption) (*SecurityGroup, error)
Delete
Delete a security group and all its rules.
func (r *SecurityGroupService) Delete(ctx context.Context, groupID string, body SecurityGroupDeleteParams, opts ...option.RequestOption) error
Copy
Create a deep copy of an existing security group.
func (r *SecurityGroupService) Copy(ctx context.Context, groupID string, params SecurityGroupCopyParams, opts ...option.RequestOption) (*SecurityGroup, error)
Name for the copied security group
RevertToDefault
Revert a security group to its previous state.
func (r *SecurityGroupService) RevertToDefault(ctx context.Context, groupID string, body SecurityGroupRevertToDefaultParams, opts ...option.RequestOption) (*SecurityGroup, error)
Security Group Rules
Each rule defines:
Traffic direction: ingress (incoming) or egress (outgoing)
Network protocol: tcp, udp, icmp, any, or others
Minimum port number (null for all ports)
Maximum port number (null for all ports)
Allowed CIDR block (e.g., “0.0.0.0/0” for all)
Allow traffic from another security group
Examples
Create Security Group with SSH and HTTP Rules
import (
"context"
"github.com/G-Core/gcore-go"
"github.com/G-Core/gcore-go/cloud"
"github.com/G-Core/gcore-go/option"
)
client := gcore.NewClient(
option.WithCloudProjectID(projectID),
option.WithCloudRegionID(regionID),
)
rules := []cloud.SecurityGroupNewParamsRule{
// Allow SSH from anywhere
{
Direction: "ingress",
Ethertype: "IPv4",
Protocol: "tcp",
PortRangeMin: param.NewOpt[int64](22),
PortRangeMax: param.NewOpt[int64](22),
RemoteIPPrefix: param.NewOpt("0.0.0.0/0"),
Description: param.NewOpt("Allow SSH"),
},
// Allow HTTP
{
Direction: "ingress",
Ethertype: "IPv4",
Protocol: "tcp",
PortRangeMin: param.NewOpt[int64](80),
PortRangeMax: param.NewOpt[int64](80),
RemoteIPPrefix: param.NewOpt("0.0.0.0/0"),
Description: param.NewOpt("Allow HTTP"),
},
// Allow HTTPS
{
Direction: "ingress",
Ethertype: "IPv4",
Protocol: "tcp",
PortRangeMin: param.NewOpt[int64](443),
PortRangeMax: param.NewOpt[int64](443),
RemoteIPPrefix: param.NewOpt("0.0.0.0/0"),
Description: param.NewOpt("Allow HTTPS"),
},
}
securityGroup, err := client.Cloud.SecurityGroups.NewAndPoll(context.Background(),
cloud.SecurityGroupNewParams{
Name: "web-server-sg",
Description: param.NewOpt("Security group for web servers"),
Rules: rules,
Tags: map[string]string{"tier": "web"},
},
)
if err != nil {
log.Fatal(err)
}
fmt.Printf("Created security group: %s\n", securityGroup.ID)
Create Database Security Group
rules := []cloud.SecurityGroupNewParamsRule{
// Allow PostgreSQL from application security group
{
Direction: "ingress",
Ethertype: "IPv4",
Protocol: "tcp",
PortRangeMin: param.NewOpt[int64](5432),
PortRangeMax: param.NewOpt[int64](5432),
RemoteGroupID: param.NewOpt(appSecurityGroupID),
Description: param.NewOpt("Allow PostgreSQL from app tier"),
},
}
dbSecurityGroup, err := client.Cloud.SecurityGroups.NewAndPoll(context.Background(),
cloud.SecurityGroupNewParams{
Name: "database-sg",
Description: param.NewOpt("Database tier security group"),
Rules: rules,
},
)
List All Security Groups
securityGroups, err := client.Cloud.SecurityGroups.List(context.Background(),
cloud.SecurityGroupListParams{},
)
if err != nil {
log.Fatal(err)
}
for _, sg := range securityGroups.Results {
fmt.Printf("Security Group: %s (%d rules)\n",
sg.Name, len(sg.SecurityGroupRules))
}
Get Security Group Details
securityGroup, err := client.Cloud.SecurityGroups.Get(context.Background(),
groupID,
cloud.SecurityGroupGetParams{},
)
if err != nil {
log.Fatal(err)
}
fmt.Printf("Security Group: %s\n", securityGroup.Name)
for _, rule := range securityGroup.SecurityGroupRules {
fmt.Printf" Rule: %s %s port %d-%d\n",
rule.Direction, rule.Protocol,
rule.PortRangeMin, rule.PortRangeMax)
}
Update Security Group Rules
// Get current rules
securityGroup, err := client.Cloud.SecurityGroups.Get(context.Background(),
groupID, cloud.SecurityGroupGetParams{},
)
// Add new rule to existing rules
newRules := []cloud.SecurityGroupUpdateParamsRule{}
for _, rule := range securityGroup.SecurityGroupRules {
newRules = append(newRules, cloud.SecurityGroupUpdateParamsRule{
Direction: rule.Direction,
Ethertype: rule.Ethertype,
Protocol: rule.Protocol,
PortRangeMin: param.NewOpt(rule.PortRangeMin),
PortRangeMax: param.NewOpt(rule.PortRangeMax),
RemoteIPPrefix: param.NewOpt(rule.RemoteIPPrefix),
})
}
// Add HTTPS rule
newRules = append(newRules, cloud.SecurityGroupUpdateParamsRule{
Direction: "ingress",
Ethertype: "IPv4",
Protocol: "tcp",
PortRangeMin: param.NewOpt[int64](443),
PortRangeMax: param.NewOpt[int64](443),
RemoteIPPrefix: param.NewOpt("0.0.0.0/0"),
})
securityGroup, err = client.Cloud.SecurityGroups.UpdateAndPoll(context.Background(),
groupID,
cloud.SecurityGroupUpdateParams{
Rules: newRules,
},
)
Copy Security Group
copiedSG, err := client.Cloud.SecurityGroups.Copy(context.Background(),
groupID,
cloud.SecurityGroupCopyParams{
Name: "web-server-sg-staging",
},
)
Delete Security Group
err := client.Cloud.SecurityGroups.Delete(context.Background(),
groupID,
cloud.SecurityGroupDeleteParams{},
)
Common Use Cases
Allow Traffic from Specific IP Range
rules := []cloud.SecurityGroupNewParamsRule{
{
Direction: "ingress",
Ethertype: "IPv4",
Protocol: "tcp",
PortRangeMin: param.NewOpt[int64](22),
PortRangeMax: param.NewOpt[int64](22),
RemoteIPPrefix: param.NewOpt("10.0.0.0/8"), // Internal network only
Description: param.NewOpt("SSH from internal network"),
},
}
Allow All Outbound Traffic
rules := []cloud.SecurityGroupNewParamsRule{
{
Direction: "egress",
Ethertype: "IPv4",
Protocol: "any",
RemoteIPPrefix: param.NewOpt("0.0.0.0/0"),
Description: param.NewOpt("Allow all outbound"),
},
}
Allow ICMP (Ping)
rules := []cloud.SecurityGroupNewParamsRule{
{
Direction: "ingress",
Ethertype: "IPv4",
Protocol: "icmp",
RemoteIPPrefix: param.NewOpt("0.0.0.0/0"),
Description: param.NewOpt("Allow ping"),
},
}
