2025-03-29 Update From: SLTechnology News&Howtos (shulou)
Shulou(Shulou.com)05/31 Report--
Today I will talk about the best practices and new features of security groups in Alibaba Cloud Elastic Compute Service (ECS). Many people may not know much about them, so this article summarizes the following content; I hope you find something useful in it.
Anyone who has used ECS will be familiar with security groups, the virtual firewalls for ECS instances. Configuring a security group is an essential step when creating an ECS instance or changing its network attributes. Below I share the relevant content in three parts: an introduction to security groups, basic operations, and best practices.
I. Introduction to the Security Group
ECS Network Access Control
First, what is a security group? Network access control for Alibaba Cloud ECS is implemented in two layers: the subnet ACL and the security group. Alibaba Cloud provides the Virtual Private Cloud (VPC), a private network dedicated to each user. A VPC creates an isolated network area in which users plan their own network segments; without a public IP address, a VPC is completely isolated from the outside world.
A vSwitch (subnet) is bound to a network ACL, which holds a set of control rules; all network traffic passing through the vSwitch is checked against these rules. They are generally configured as blacklist rules (whitelists are also supported), for example specifying which packets are not allowed to flow in or out.
The next layer is the security group, today's topic. Whereas the subnet ACL takes effect on the vSwitch, the security group is an instance-level firewall that takes effect on the ECS instance: all network traffic to or from a user's ECS instances must pass through its security groups.
A security group is a virtual firewall with stateful inspection and packet filtering capabilities, used to partition security domains in the cloud. By configuring security group rules, you control the inbound and outbound traffic of the ECS instances in the group.
A security group is a logical grouping of instances in the same region that share the same security requirements and trust each other. The obvious difference from a subnet ACL is that a security group is stateful: the return traffic of an allowed connection is automatically accepted without being checked against any rule. Simply put, if you initiate a request, you will always receive the reply packets. The vSwitch ACL is not stateful: the returning traffic is also evaluated against the subnet ACL rules, and if it is blocked, no reply is received. Some users compare security groups to iptables; the two are independent mechanisms.
It is recommended to use security groups on their own; ECS fully supports iptables if the user's scenario requires it. Security groups are generally configured as whitelists, in contrast to the blacklist style of subnet ACLs.
An ECS instance or an Elastic Network Interface (ENI) must belong to at least one security group. By default, instances within a security group can communicate with each other, and rules can be configured to control network connectivity.
II. Basic operations of security groups
Here is how to operate and manage security groups in the Alibaba Cloud ECS console.
For ease of understanding, we divide security group operations into two categories: group operations and rule operations.
Group operations target the security group itself: creating, deleting and renaming it, as well as operations that change the set of IPs in the group, such as adding instances or ENIs and replacing an instance's group. Rule operations change the rules within a group: adding, deleting, modifying, cloning and so on.
Starting with group operations: adding and removing instances or ENIs is straightforward and is not covered in detail here; the focus is on replacing groups.
Replacing groups: an instance can be moved from group A to group B. There is no network interruption or jitter during the replacement; users only need to make sure that the rules of the new and old groups are compatible.
Turning to rule operations, we focus on restore, export/import, ClassicLink and cloning groups.
Rule restore: merge or replace two sets of rules. Typically a group is cloned before an experimental network change is made; after testing, the rule restore function returns it to its original state. The restore page (shown in the original figure) lists which rules will be added and deleted.
Export/import: download a security group's rules as a JSON or CSV file for backup, and import them again later.
ClassicLink: network connectivity between a VPC and the classic network, enabled by adding a security group rule.
Clone groups: cloning supports cross-region and cross-network-type replication of a security group, for example from the classic network to a VPC or to a new region, so a group can be replicated quickly.
III. Best practices
Finally, some better practices for security group configuration: how to configure rules sensibly, how to use five-tuple rules, and how to run network disconnection drills based on security groups.
Security Group Rule Format
First, there are two ways to authorize a security group rule:
CIDR authorization: the example in the figure grants machines in the address range 192.168.0.0/24 access to port 22.
Security group authorization: the example in the figure denies access to all ports from the other group, completely cutting off traffic between the two groups.
Both examples above are inbound rules. In general you do not know which source port the other side uses to connect to you, so the source port is not restricted; what you choose is which destination port to expose, and to whom.
Alibaba Cloud also supports five-tuple rules, in addition to the four-tuple rules shown above.
A five-tuple consists of five parameters: source address, source port, destination address, destination port and transport-layer protocol. Taking inbound rules as an example, a five-tuple rule can allow a specific IP segment on its own instead of opening up a whole group. Some network services on the platform need five-tuple rules in the security group to control inbound and outbound traffic more precisely and to prevent third-party products from initiating unauthorized access to the user's ECS instances. In addition, when the intra-group connectivity policy is "deny", five-tuple rules are also needed to precisely control connectivity between ECS instances within the group. Five-tuple scenarios are special; most scenarios are handled well enough by four-tuple rules.
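To make the stateful and five-tuple behaviour described above concrete, here is an added example that models rule evaluation in Python. It is not Alibaba Cloud's code; the evaluation order (priority 1 highest, drop beating accept at equal priority, unmatched traffic dropped as in a whitelist, intra-group traffic allowed only when the inner policy is "accept") and all addresses, group names and rules are assumptions constructed for the demonstration.

```python
"""Toy model of ECS security group rule evaluation (added example, not Alibaba Cloud code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

PortRange = Tuple[int, int]
ANY: PortRange = (-1, -1)   # assumption: mirrors the "-1/-1 = any port" convention of ECS rules


@dataclass(frozen=True)
class Rule:
    direction: str                    # "in" or "out"
    policy: str                       # "accept" or "drop"
    priority: int                     # 1 is the highest priority
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    dst_ports: PortRange = ANY        # destination port of the packet
    src_ports: PortRange = ANY        # source port of the packet; ANY makes this a four-tuple rule
    peer_cidr: Optional[str] = None   # CIDR authorization ...
    peer_group: Optional[str] = None  # ... or security-group authorization


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def in_range(rng: PortRange, port: int) -> bool:
    return rng == ANY or rng[0] <= port <= rng[1]


class SecurityGroup:
    def __init__(self, name, rules, inner_access="accept", members=()):
        self.name = name
        # Best priority first; at equal priority a drop rule precedes an accept rule.
        self.rules = sorted(rules, key=lambda r: (r.priority, r.policy != "drop"))
        self.inner_access = inner_access
        self.members = set(members)
        self.conntrack: Set[Tuple] = set()   # five-tuples of flows already accepted

    @staticmethod
    def _peer_matches(rule: Rule, peer_ip: str, peer_group: Optional[str]) -> bool:
        if rule.peer_cidr is not None:
            return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer_cidr, strict=False)
        return rule.peer_group is not None and rule.peer_group == peer_group

    def evaluate(self, pkt: Packet, direction: str, peer_group: Optional[str] = None) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Stateful behaviour: the reply to an accepted flow bypasses the rules entirely.
        if reverse in self.conntrack:
            return "accept"
        peer_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        if peer_group is None and peer_ip in self.members:
            peer_group = self.name
        verdict = None
        for r in self.rules:
            if r.direction != direction or (r.protocol != "all" and r.protocol != pkt.proto):
                continue
            if not (in_range(r.dst_ports, pkt.dst_port) and in_range(r.src_ports, pkt.src_port)):
                continue
            if self._peer_matches(r, peer_ip, peer_group):
                verdict = r.policy
                break
        if verdict is None:
            # Whitelist default: only intra-group traffic under an "accept" inner policy gets through.
            same_group = peer_group == self.name and self.inner_access == "accept"
            verdict = "accept" if same_group else "drop"
        if verdict == "accept":
            self.conntrack.add(key)
        return verdict


def demo() -> dict:
    """Exercise the model with constructed addresses and return the verdicts."""
    web = SecurityGroup("sg-web", [
        Rule("in", "accept", 1, "tcp", dst_ports=(22, 22), peer_cidr="192.168.0.0/24"),   # bastion SSH
        Rule("in", "accept", 1, "tcp", dst_ports=(443, 443), peer_cidr="0.0.0.0/0"),      # public HTTPS
        Rule("in", "drop", 1, "all", peer_group="sg-quarantine"),                         # deny a whole group
        # Five-tuple rule: a probe from 10.0.5.0/24 is allowed only from source ports 40000-40100.
        Rule("in", "accept", 1, "udp", dst_ports=(161, 161), src_ports=(40000, 40100), peer_cidr="10.0.5.0/24"),
        Rule("out", "accept", 1, "all", peer_cidr="0.0.0.0/0"),
    ], members={"10.0.1.10", "10.0.1.11"})
    v = {}
    v["ssh_from_bastion"] = web.evaluate(Packet("tcp", "192.168.0.7", 51000, "10.0.1.10", 22), "in")
    v["ssh_from_internet"] = web.evaluate(Packet("tcp", "203.0.113.9", 51000, "10.0.1.10", 22), "in")
    v["https_from_quarantine"] = web.evaluate(Packet("tcp", "10.0.9.4", 51001, "10.0.1.10", 443), "in",
                                              peer_group="sg-quarantine")
    v["probe_good_sport"] = web.evaluate(Packet("udp", "10.0.5.3", 40050, "10.0.1.10", 161), "in")
    v["probe_bad_sport"] = web.evaluate(Packet("udp", "10.0.5.3", 9999, "10.0.1.10", 161), "in")
    v["outbound_request"] = web.evaluate(Packet("tcp", "10.0.1.10", 40000, "198.51.100.5", 8443), "out")
    v["reply_to_request"] = web.evaluate(Packet("tcp", "198.51.100.5", 8443, "10.0.1.10", 40000), "in")
    v["intra_group"] = web.evaluate(Packet("tcp", "10.0.1.11", 40001, "10.0.1.10", 3306), "in")
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The reply on port 40000 is accepted although no inbound rule mentions that port, which is the stateful property that a subnet ACL lacks; the two probe packets differ only in source port, which is exactly the fifth tuple element a four-tuple rule cannot express.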
Rule Configuration Advice
Plan first: for distributed applications, place different application types in different groups.
Manage security groups as whitelists. Do not add a low-priority allow-all rule first and then reject sources one by one.
Use the 0.0.0.0/0 allow-all policy with caution, and follow the principle of minimal authorization.
Use CIDR segments wherever possible, because a single group has limited capacity and CIDR segments are easier to extend and maintain.
Do not allow all protocols without restriction; only match the protocols that are actually needed.
Changes to security group rules are high-risk, so write careful comments on rules for later maintenance.
Overview of potentially high-risk security groups
Alibaba Cloud ECS regularly checks users' instances. If an instance is exposed to the public network and a high-risk port is open, Alibaba Cloud warns the user, who can view their high-risk security groups on the resource overview page.
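The advice above (whitelists, caution with 0.0.0.0/0, no unrestricted "all protocols", comments on every rule) and the high-risk check can be applied to an exported rule file before the console warns you. The following added example, not Alibaba Cloud's own checker, audits such an export in Python. It assumes the export is a JSON list whose keys follow the ECS permission field names (Direction, IpProtocol, PortRange, SourceCidrIp, Policy, Priority, Description); the sample rules and the list of high-risk ports are constructed for the demonstration, so adapt load_rules() and HIGH_RISK_PORTS to your export and policy.

```python
"""Audit exported security-group rules for risky public exposure (added example)."""
import json
from typing import List, Tuple

# Ports commonly treated as high-risk when exposed to the internet (constructed list).
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch"}
PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample export; not a real account's rules.
SAMPLE_EXPORT = json.dumps([
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Priority": 1, "Description": "temp ssh"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Priority": 1, "Description": "https"},
    {"Direction": "ingress", "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Priority": 100, "Description": ""},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "10.0.2.0/24",
     "Policy": "Accept", "Priority": 1, "Description": "app -> db"},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Priority": 1, "Description": "default egress"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "6000/7000", "SourceCidrIp": "::/0",
     "Policy": "Accept", "Priority": 1, "Description": "range"},
])


def parse_port_range(text: str) -> Tuple[int, int]:
    """'22/22' -> (22, 22); '-1/-1' means every port."""
    lo, hi = (int(p) for p in text.split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def load_rules(export_text: str) -> list:
    return json.loads(export_text)


def audit_rules(rules: list) -> List[Tuple[str, str]]:
    """Return (finding-type, detail) pairs; an empty list means nothing was flagged."""
    findings = []
    for idx, r in enumerate(rules):
        label = f"rule#{idx} ({r.get('Description') or 'no description'})"
        if not r.get("Description"):
            findings.append(("missing-description", label))
        # Only inbound accept rules open to the whole internet count as exposure.
        if r.get("Direction", "ingress") != "ingress" or r.get("Policy", "Accept").lower() != "accept":
            continue
        if r.get("SourceCidrIp") not in PUBLIC_SOURCES:
            continue
        proto = r.get("IpProtocol", "ALL").upper()
        if proto == "ICMP":
            continue   # no ports involved; not treated as port exposure here
        lo, hi = parse_port_range(r.get("PortRange", "-1/-1"))
        if proto == "ALL" or (lo, hi) == (1, 65535):
            findings.append(("public-all-ports", label))
            continue
        exposed = [f"{p}/{name}" for p, name in HIGH_RISK_PORTS.items() if lo <= p <= hi]
        if exposed:
            findings.append(("public-high-risk-port", f"{label}: {', '.join(exposed)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_rules(load_rules(SAMPLE_EXPORT)):
        print(f"{kind:22s} {detail}")
```

Running it on the sample flags the public SSH rule, the undocumented allow-all rule (twice: no description and all ports open), and the wide port range that happens to include Redis, while the HTTPS rule and the internal database rule pass.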
How to divide applications into security groups
To avoid interference between the test and production environments, Alibaba Cloud isolates them in different VPCs. Put all public-network services in one group and internal services in another. Different application types should use different security groups: web services, application services, databases and caches should all be placed in separate groups. In the example in the original figure, all servers need to use the bastion host, so they are authorized for the bastion group G1; the web servers need to connect to the application servers, and the application servers to the database, so each is authorized for the corresponding group. This keeps the security group plan clear, makes later maintenance easy, and meets the isolation and security requirements.
Use security groups to conduct network disconnection drills
Based on security groups, network disconnection drills can be run for scenarios such as high-availability disaster recovery or chaos engineering. In the case below, the system's behaviour when the database is cut off can be rehearsed: the database is added to a dedicated disconnection group, and the disconnection group plus a full-blocking rule achieves fast, large-scale disconnection.
Breaking down the disconnection process
Create a disconnection group: because the default intra-group connectivity policy is "allow", first change it to "deny" within the group.
Add instances: add the database under drill to the disconnection group. At this point there is no impact on the business, which keeps running normally.
Add rule: this step is performed when the disconnection drill is actually run. Add a full-blocking inbound rule to the disconnection group. Once it is added, the server's traffic is completely cut off.
Delete rule: after the drill, delete the full-blocking rule to restore the business.
If disaster recovery drills need to be run from time to time, just repeat steps 3 and 4.
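The four drill steps above map onto a short sequence of ECS API calls. The following added example (not Alibaba Cloud's code) builds that sequence as `aliyun` CLI commands in Python and runs them as a dry run by default, so the order and the exact rule parameters can be reviewed before anything is executed. It assumes the `aliyun` CLI is installed and configured, that the API names (CreateSecurityGroup, ModifySecurityGroupPolicy, JoinSecurityGroup, AuthorizeSecurityGroup and its Egress variant, RevokeSecurityGroup and its Egress variant) and parameter names follow the ECS API, and that blocking the outbound direction as well is wanted; the region, VPC, group and instance identifiers are placeholders.

```python
"""Network-disconnection drill as ordered Alibaba Cloud CLI calls (added example, dry run by default)."""
import shlex
import subprocess
from typing import List

# The full-blocking rule, kept in one place so the revoke call repeats it exactly:
# a revoke only removes a rule whose attributes match the one that was authorized.
BLOCK_ALL = ["--IpProtocol", "all", "--PortRange", "-1/-1", "--Policy", "drop", "--Priority", "1",
             "--Description", "drill-full-block"]


def create_group_cmd(region: str, vpc_id: str, name: str) -> List[str]:
    # Step 1a: create the dedicated disconnection group in the VPC.
    return ["aliyun", "ecs", "CreateSecurityGroup", "--RegionId", region, "--VpcId", vpc_id,
            "--SecurityGroupName", name, "--Description", "network disconnection drill group"]


def deny_inner_access_cmd(region: str, group_id: str) -> List[str]:
    # Step 1b: the default intra-group policy is "allow"; switch it to "deny".
    return ["aliyun", "ecs", "ModifySecurityGroupPolicy", "--RegionId", region,
            "--SecurityGroupId", group_id, "--InnerAccessPolicy", "Drop"]


def join_cmds(region: str, group_id: str, instance_ids) -> List[List[str]]:
    # Step 2: put the drill instances (e.g. the database) into the group; no rules yet, so no impact.
    return [["aliyun", "ecs", "JoinSecurityGroup", "--RegionId", region,
             "--InstanceId", i, "--SecurityGroupId", group_id] for i in instance_ids]


def block_cmds(region: str, group_id: str) -> List[List[str]]:
    # Step 3: add the full-blocking rule. Priority 1 is the highest, so it takes precedence.
    # Inbound is what the procedure describes; the egress block is an added assumption so replies stop too.
    tail = ["--RegionId", region, "--SecurityGroupId", group_id] + BLOCK_ALL
    return [["aliyun", "ecs", "AuthorizeSecurityGroup", "--SourceCidrIp", "0.0.0.0/0"] + tail,
            ["aliyun", "ecs", "AuthorizeSecurityGroupEgress", "--DestCidrIp", "0.0.0.0/0"] + tail]


def unblock_cmds(region: str, group_id: str) -> List[List[str]]:
    # Step 4: remove the same rules to restore service. Parameters must match step 3 exactly.
    return [[*cmd[:2], cmd[2].replace("Authorize", "Revoke"), *cmd[3:]]
            for cmd in block_cmds(region, group_id)]


def run(commands: List[List[str]], execute: bool = False) -> List[str]:
    """Print each command (dry run) and execute it only when asked; returns the rendered lines."""
    rendered = [shlex.join(c) for c in commands]
    for line, cmd in zip(rendered, commands):
        print(line)
        if execute:
            subprocess.run(cmd, check=True)   # stop at the first failure instead of continuing the drill
    return rendered


def drill_cycle(region: str, group_id: str, execute: bool = False) -> List[str]:
    """One repeatable drill: block, then unblock (steps 3 and 4 of the procedure)."""
    return run(block_cmds(region, group_id) + unblock_cmds(region, group_id), execute)


if __name__ == "__main__":
    REGION, VPC, GROUP = "cn-hangzhou", "vpc-PLACEHOLDER", "sg-PLACEHOLDER"   # placeholders
    run([create_group_cmd(REGION, VPC, "drill-disconnect")])   # note the SecurityGroupId it returns
    run([deny_inner_access_cmd(REGION, GROUP)])
    run(join_cmds(REGION, GROUP, ["i-PLACEHOLDER-db01"]))
    drill_cycle(REGION, GROUP)
```

Steps 1 and 2 run once and leave the business untouched; `drill_cycle` is the part to repeat for each drill, and because the revoke commands are derived from the authorize commands the rule cannot be left behind with mismatched parameters.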
Enterprise Security Group
The maximum capacity of a traditional security group is 2000 IPs. For larger scale, enterprise security groups are required: an enterprise group supports more than 60000 IPs in a single group, and larger capacities will be supported in the future.
Typical enterprise-group scenarios are Alibaba Cloud's Kubernetes engine ACK or a user-built Kubernetes cluster, where ECS serves only as the underlying compute layer and just needs network interconnection; network access control for containers is implemented with Kubernetes Network Policy, not with security groups. The example in the original figure shows a common deployment: two vSwitches attached to the VPC in two availability zones for cross-zone disaster recovery, with all instances placed in one group. No complex rule configuration is needed: connectivity within the VPC is achieved with an allow-all rule for the internal network in the inbound direction and an allow-all rule in the outbound direction. Only three rules are configured in the figure, two allow-all rules inbound and one allow-all rule outbound. This is a common security group architecture for Kubernetes. If users do not require security-group authorization but do need a large number of instances in one group, enterprise security groups are the choice. There are two ways to switch an existing traditional group to an enterprise group: create a new enterprise group and move the instances into it one by one with the replace-group operation, or have Alibaba Cloud upgrade the original traditional group to an enterprise group.
Cloud Product Hosting Security Group
When users use cloud products such as Cloud Firewall and NAT Gateway, the product creates security groups on the user's behalf. To prevent users from making the product unavailable through misoperation, a managed mode can be used: managed groups are created for users but cannot be operated by them, which avoids such problems.
Having read the above, do you have a better understanding of the best practices and new features of security groups in ECS? For more related content, please follow the industry information channel. Thank you for your support.