Security Groups
Security Groups act as virtual firewalls for your TIR resources. They define which inbound and outbound traffic is permitted, giving you granular control over network access to your instances, inference endpoints, and training clusters.
Default Security Group
Every new project in TIR includes a Default Security Group pre-configured with:
| Rule | Detail |
|---|---|
| Port 22 (SSH) | Open by default to allow SSH access to nodes |
You can use this default group immediately when creating instances, or create additional groups for more specific access requirements.
Access Security Groups
- Open the TIR Dashboard.
- Go to Network → Security Groups in the sidebar.
The page lists all Security Groups for your project with their names, IDs, and rule summaries.
Create a Security Group
-
Click Create Security Group.
-
Fill in the following:
Field Description Name A unique name for the security group Description (Optional) A note to help identify its purpose Inbound Rules Define allowed incoming traffic — protocol, port range, and source Outbound Rules Define allowed outgoing traffic — protocol, port range, and destination -
Click Create.
Your new Security Group is immediately available to attach to any instance, inference endpoint, or training cluster.
Manage Rules
Each Security Group has two rule types:
| Rule Type | Controls |
|---|---|
| Inbound Rules | Incoming traffic to your resources |
| Outbound Rules | Outgoing traffic from your resources |
Add a Rule
- Open the Security Group and go to the Inbound Rules or Outbound Rules tab.
- Click Add Rule.
- Specify the protocol, port range, and source (for inbound) or destination (for outbound).
- Click Apply All Changes to save.
Newly added rules are marked as New before you apply changes. Click Remove to discard a rule before applying.
Remove a Rule
Click Remove next to any rule. Removed rules are highlighted until you confirm by clicking Apply All Changes.
If you select Source: My Account VPC, IAM users must have the appropriate MyAccount VPC permission. Without it, the VPC option will not appear in the dropdown.
Security Group Details
Each Security Group has three tabs:
| Tab | Shows |
|---|---|
| Overview | Name, ID, and description |
| Inbound Rules | All active inbound traffic rules |
| Outbound Rules | All active outbound traffic rules |
Edit a Security Group
You can update the name or description of any Security Group at any time. Existing rules are not affected.
Delete a Security Group
A Security Group cannot be deleted while it is attached to any resource. Detach it from all instances and endpoints first.
Best Practices
| Practice | Why |
|---|---|
| Use specific port ranges | Avoid opening all ports — restrict to only what your workload needs |
| Label groups by purpose | e.g., ssh-access, web-server, inference-internal |
| Review rules periodically | Remove stale rules that are no longer needed |
| Use the default group for SSH-only setups | Saves setup time for standard node access |