By definition, security groups are "[...] sets of IP filter rules that are applied to all project instances, which define networking access to the instance. Group rules are project specific; project members can edit the default rules for their group and add new rule sets". 
To create a security group click on Security Groups in the menu:
and then Create new Security Group in the top-right corner.
Remove default ingress rules
By default, a default group has been already created for you, allowing any sort of traffic from any source (ingress).
Usually, this is not recommended and a good approach is to either create and use a new security group than the default one -or- restrict ingress traffic to specific ports and sources.
In case we want use the default group, we first need to remove the two ingress rules that allow all incoming traffic.
Restrict SSH access
The next thing to do, is to allow SSH access on port 22 to the server, only from specific VPN(s). To do this we click on the "Create new rule" button.
If you don`t know your IP, simply visit whatsmyip.com. My IP is 18.104.22.168 so if I only want to SSH from my machine only, I insert 22.214.171.124/32 as CIDR. If I want to enable SSH access from any address in that range I will instead use 126.96.36.199/24.
Enable Web Traffic
Now we want everyone to be able to access the server on port 80 and 443. Using the same logic as before we click on "Create new rule".
We select TCP Protocol and port 80 as both min and max range value. This time, CIDR is left empty meaning we allow incoming traffic from any IP/source.
Same applies to 443 port.
Now we have all the rules for a simple web-server. Resulting in the following rules.
For any additional protocol or ingress rule, simply follow the same procedure as above.
 Manage project security - https://docs.openstack.org/nova/latest/admin/security-groups.html