# Security groups

Security groups act as virtual firewalls that control inbound and outbound traffic to your instances. Our 3 nodes will need to open up connection ports for SSH access, and for each of the 4 network layers to communicate over.

#### Create a Security Group[​](https://docs.constellationnetwork.io/sdk/guides/deploy-a-metagraph/security-groups#create-a-security-group) <a href="#create-a-security-group" id="create-a-security-group"></a>

First, navigate to the **`Security Groups`** section in the Amazon [EC2 console](https://us-west-2.console.aws.amazon.com/ec2/home).

![Menu ec2](https://docs.constellationnetwork.io/assets/images/security-group-1-0364dd14dd16936812e0eda2e47c4639.png)

**Click on `Create Security Group`**[**​**](https://docs.constellationnetwork.io/sdk/guides/deploy-a-metagraph/security-groups#click-on-create-security-group)

Create a new security group and provide a name, for example `MetagraphSecurityGroup`.

**Add Inbound Rules**[**​**](https://docs.constellationnetwork.io/sdk/guides/deploy-a-metagraph/security-groups#add-inbound-rules)

Inbound rules define which ports accept inbound connections on your node. We will need to open up ports for SSH access and for each of the metagraph layers.

Click **`Add Rule`** under the **`Inbound Rules`** section and add the following rules:

| Type       | Protocol | Port Range | Source    | Purpose    |
| ---------- | -------- | ---------- | --------- | ---------- |
| SSH        | TCP      | 22         | 0.0.0.0/0 | SSH access |
| Custom TCP | TCP      | 9000-9002  | 0.0.0.0/0 | gL0 layer  |
| Custom TCP | TCP      | 9100-9102  | 0.0.0.0/0 | mL0 layer  |
| Custom TCP | TCP      | 9200-9202  | 0.0.0.0/0 | cL1 layer  |
| Custom TCP | TCP      | 9300-9302  | 0.0.0.0/0 | dL1 layer  |