# Security Groups In DuploCloud, each Tenant is associated with its own Security Group, which allows unrestricted communication between all resources within that Tenant. This setup ensures that any computing resource in that Tenant can easily reach the services within that same Tenant. ## Adding Security Rules for a Tenant You can configure security rules for a Tenant to control which traffic is allowed to reach resources within it. This includes both IPv4 and IPv6 addresses, VPN clients, or traffic from other Tenants. 1. Navigate to **Administrator** -> **Tenants**. 2. Select the Tenant from the **NAME** column. 3. Select the **Security** tab. 4. Click **Add**. The **Add Tenant Security** pane displays.

Add Tenant Security pane

5. Complete the following fields:
FieldDescription (What the user does)
Source TypeSelect Tenant to allow access from another DuploCloud Tenant, or IP Address to allow traffic from a specific IP or VPN range.
TenantIf Source Type = Tenant, select the Tenant you want to allow access from.
IP CIDRIf Source Type = IP Address, select Custom to manually enter an IP or CIDR (IPv4 or IPv6), or VpnIp to allow access from VPN clients.
ProtocolChoose the protocol for the rule: TCP, UDP, or ICMP.
Port RangeIf the protocol is TCP or UDP, specify the port range (for example, 1-65535).
DescriptionOptionally, add a note describing the purpose of the rule.
6. Click **Add** to save the Security rule. ### Allowing Inter-Tenant Access To enable traffic between two DuploCloud Tenants, you create a Tenant security group rule: 1. Follow the steps in Adding Security Group Rules for a Tenant to open the Add Tenant Security pane. 2. In **Source Type**, select **Tenant**. 3. In **Tenant**, select the Tenant you want to allow access from. 4. Configure **Protocol** and **Port Range** as needed. 5. Optionally, enter a **Description** for the rule. 6. Click **Add**. This rule allows all resources in the selected source Tenant to communicate with resources in the current Tenant according to the ports and protocol you specified. ### **Configuring Azure VNet Security** In Azure, security is implemented at the **Virtual Network (VNet)** level. All traffic within the VNet is allowed by default. However, Administrators can override this behavior by setting up security rules to control traffic between different VNets or from a VNet to external resources. 1. From the DuploCloud Portal, navigate to **Administrator** -> **Infrastructure**. 2. Select the Infrastructure you want to manage access for from the **NAME** column. 3. Select the **Security Group Rules** tab. 4. Click **Add**. The **Add Infrastructure Security** pane displays.

The Add Infrastructure Security pane

5. Complete the fields:
NameA unique name for the rule.
SubnetThe subnet this rule will apply to (e.g., custom-default).
DirectionWhether the rule applies to Inbound or Outbound traffic.
Source TypeThe source of the traffic: IP Address, Service Tag, or Application Security Group.
Source ValueIP/CIDR (e.g., 10.0.0.0/8), service tag (e.g., Internet), or ASG name.
Source Port RangePort or port range from the source (e.g., *, 443, 1000-2000).
Destination TypeThe destination: IP Address, Service Tag, or Application Security Group.
Destination ValueIP/CIDR, Service tag, or ASG name for the destination.
Destination Port RangePort or port range to allow/deny at the destination.
PriorityRule priority. Lower values are higher priority (e.g., 100, 200).
ProtocolChoose TCP, UDP, or Both.
ActionSelect Allow or Deny to permit or block the traffic.
5. Click **Add**. The Security Group Rule is configured. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.duplocloud.com/docs/automation-platform/security-and-compliance/access-control/security-groups.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.