diff --git a/templates/baremetal-ports-extra-node-port-security.yaml b/templates/baremetal-ports-extra-node-port-security.yaml
index 16a2433..b91394d 100644
--- a/templates/baremetal-ports-extra-node-port-security.yaml
+++ b/templates/baremetal-ports-extra-node-port-security.yaml
@@ -21,6 +21,23 @@ parameters:
 
 resources:
 
+  extra_node_sg:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name:
+        list_join:
+        - '_'
+        - - 'extranode'
+        - - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+          - 'sg'
+      description: Ping, SSH
+      rules:
+      - protocol: icmp
+      - protocol: tcp
+        port_range_min: 22
+        port_range_max: 22
+
   private_port:
     type: OS::Neutron::Port
     properties:
@@ -31,6 +48,8 @@ resources:
           - {get_param: baremetal_prefix}
           - {get_param: suffix}
       network: {get_param: private_net}
+      security_groups:
+      - {get_resource: extra_node_sg}
 
   provision_port:
     type: OS::Neutron::Port