sgode/virtual-private-cloud
1
0
Fork 0
forked from docs/virtual-private-cloud
Code Pull Requests Activity
virtual-private-cloud/umn/source/security/security_group/security_group_configuration_examples.rst
proposalbot 05dbe4edc7 Changes to vpc_umn from docs/doc-exports#555 (VPC UMN 20230106 version 
For deta

Reviewed-by: Hajba, László Antal <laszlo-antal.hajba@t-systems.com>
Co-authored-by: proposalbot <proposalbot@otc-service.com>
Co-committed-by: proposalbot <proposalbot@otc-service.com>
2023-06-14 19:30:56 +00:00

8.9 KiB
Raw Permalink Blame History

original_name

en-us_topic_0081124350.html

Security Group Configuration Examples

Common security group configurations are presented here. The examples in this section allow all outgoing data packets by default. This section will only describe how to configure inbound rules.

  • Allowing External Access to a Specified Port <en-us_topic_0081124350__li2921164192410>

  • Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network <en-us_topic_0081124350__section14197522283>
  • Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group <en-us_topic_0081124350__section17693183118306>
  • Remotely Connecting to Linux ECSs Using SSH <en-us_topic_0081124350__section115069253338>
  • Remotely Connecting to Windows ECSs Using RDP <en-us_topic_0081124350__section168046312349>
  • Enabling Communication Between ECSs <en-us_topic_0081124350__section34721049193411>
  • Hosting a Website on ECSs <en-us_topic_0081124350__section1517991516357>
  • Enabling an ECS to Function as a DNS Server <en-us_topic_0081124350__section2910346123520>
  • Uploading or Downloading Files Using FTP <en-us_topic_0081124350__section5964121693610>

You can use the default security group or create a security group in advance. For details, see sections Creating a Security Group <en-us_topic_0013748715> and Adding a Security Group Rule <en-us_topic_0030969470>.

Allowing External Access to a Specified Port

  • Example scenario:

    After services are deployed, you can add security group rules to allow external access to a specified port (for example, 1100).

  • Security group rule:

    Direction Protocol Port Source
    Inbound TCP 1100 0.0.0.0/0

Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network

  • Example scenario:

    Resources on an ECS in a security group need to be copied to an ECS associated with another security group. The two ECSs are in the same VPC. We recommend that you enable private network communication between the ECSs and then copy the resources.

  • Security group configuration:

    Within a given VPC, ECSs in the same security group can communicate with one another by default. However, ECSs in different security groups cannot communicate with each other by default. To enable these ECSs to communicate with each other, you need to add certain security group rules.

    You can add an inbound rule to the security groups containing the ECSs to allow access from ECSs in the other security group. The required rule is as follows.

    Direction Protocol Port Source
    Inbound

    TCP

    Note

    Select a protocol used for communication through an internal network.

    		 All

    ID of another security group

    Example: 014d7278-XXX-530c95350d43

Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group

  • Example scenario:

    To prevent ECSs from being attacked, you can change the port for remote login and configure security group rules that allow only specified IP addresses to remotely access the ECSs.

  • Security group configuration:

    To allow IP address 192.168.20.2 to remotely access Linux ECSs in a security group over the SSH protocol (port 22), you can configure the following security group rule.

    Direction Protocol Port Source
    Inbound SSH 22

    IPv4 CIDR block or ID of another security group

    For example, 192.168.20.2/32

Remotely Connecting to Linux ECSs Using SSH

  • Example scenario:

    After creating Linux ECSs, you can add a security group rule to enable remote SSH access to the ECSs.

  • Security group rule:

    Direction Protocol Port Source
    Inbound SSH 22 0.0.0.0/0

Remotely Connecting to Windows ECSs Using RDP

  • Example scenario:

    After creating Windows ECSs, you can add a security group rule to enable remote RDP access to the ECSs.

  • Security group rule:

    Direction Protocol Port Source
    Inbound RDP 3389 0.0.0.0/0

Enabling Communication Between ECSs

  • Example scenario:

    After creating ECSs, you need to add a security group rule so that you can run the ping command to test communication between the ECSs.

  • Security group rule:

    Direction Protocol Port Source
    Inbound ICMP All 0.0.0.0/0

Hosting a Website on ECSs

  • Example scenario:

    If you deploy a website on your ECSs and require that your website be accessed over HTTP or HTTPS, you can add rules to the security group used by the ECSs that function as the web servers.

  • Security group rule:

    Direction Protocol Port Source
    Inbound HTTP 80 0.0.0.0/0
    Inbound HTTPS 443 0.0.0.0/0

Enabling an ECS to Function as a DNS Server

  • Example scenario:

    If you need to use an ECS as a DNS server, you must allow TCP and UDP access from port 53 to the DNS server. You can add the following rules to the security group associated with the ECS.

  • Security group rules:

    Direction Protocol Port Source
    Inbound TCP 53 0.0.0.0/0
    Inbound UDP 53 0.0.0.0/0

Uploading or Downloading Files Using FTP

  • Example scenario:

    If you want to use File Transfer Protocol (FTP) to upload files to or download files from ECSs, you need to add a security group rule.

    Note

    You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly.

  • Security group rule:

    Direction Protocol Port Source
    Inbound TCP 20-21 0.0.0.0/0