Shulou (Shulou.com), SLTechnology News&Howtos, Servers. Report of 06/02, updated 2025-01-14.
This article explains in detail how to configure security group access rules. The editor considers it very practical and shares it as a reference; I hope you will take something away from it.
A cloud security group works like a virtual firewall: it applies network access control to one or more ECS instances and is an important means of security isolation. When you create an ECS instance you must select a security group, and you can add security group rules to control both the inbound and the outbound traffic of every ECS instance in that group.
This article focuses on how to configure the network access rules of security groups.
Information related to security groups
Before configuring the inbound rules of a security group, you should already be familiar with the following aspects of security groups:
Security group restrictions
Security group default rules
Setting access permissions for the inbound direction of a security group
Setting access permissions for the outbound direction of a security group
Basic recommendations for Security Group practice
Before you start working with security groups, here are some basic suggestions:
The most important rule: a security group should be used as a whitelist (allow only what is explicitly needed).
Opening access rules should follow the principle of least privilege. For example, open only the specific ports that are required (such as port 80).
Do not use one security group to manage every application, because different tiers have different requirements.
For distributed applications, different application types should use different security groups. For example, the Web, Service, Database and Cache tiers should each have their own security group so that each tier exposes only the access rules and permissions it needs.
Do not create a separate security group for every instance either; that keeps administrative cost under control.
Prefer the VPC network.
Do not assign a public IP to resources that do not need public network access.
Keep the rules of a single security group as concise as possible. An instance can join up to 5 security groups, and a security group can contain up to 100 rules, so several hundred rules may apply to one instance at the same time. All of the rules assigned to an instance are aggregated to decide whether a given inbound or outbound flow is allowed, and a single complex security group makes that aggregate hard to reason about and to manage. Therefore keep each security group's rules simple.
Adjusting the inbound and outbound rules of a security group that is serving production traffic is a risky operation. If you are not sure of the effect, do not update the rules casually. The Aliyun console can clone security groups together with their rules: if you want to modify a production security group, clone it first, debug the rules on the clone, and only then apply them, so that the production application is not affected directly.
Set network access rules for security groups
The following are practical recommendations for the network access rules of security groups.
Do not use an inbound rule with 0.0.0.0/0 on all ports
Allowing all network access is a common mistake. A rule for 0.0.0.0/0 across every port exposes all ports to everyone, which is very unsafe. The right approach is to deny all ports to the public first and then open access by whitelist. For example, if you need to expose a Web service, open only the common TCP ports such as 80, 8080 and 443 and keep every other port closed:
[
  {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept"},
  {"IpProtocol": "tcp", "FromPort": "8080", "ToPort": "8080", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept"},
  {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept"}
]
Turn off unwanted access rules
If the inbound rules you currently use already contain 0.0.0.0/0, re-examine which ports and services your application really needs to expose. If you are sure that certain ports should not serve the outside world directly, add a reject rule for them. For example, if a MySQL database is installed on your server, port 3306 should not be exposed to the public network by default. Add a reject (drop) rule for it and set its priority to 100, the lowest priority, so that any more specific allow rule with a higher priority (smaller number) still wins:
{"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306", "SourceCidrIp": "0.0.0.0/0", "Policy": "drop", "Priority": 100}
This adjustment blocks every source from reaching port 3306, which will probably also block legitimate business traffic. Instead of reopening the port to the world, authorize only the resources of the security group that need access, as described next.
Authorize another security group to access the network
Each security group should open only the access it needs, following the principle of least privilege. Different application tiers should use different security groups, and each security group should carry its own inbound and outbound rules.
In a distributed application, for example, the tiers sit in different security groups and therefore cannot reach each other by default. Rather than authorizing individual IPs or CIDR blocks, authorize all resources of the other security group directly by its ID. Suppose your application uses separate security groups for the Web and Database tiers, sg-web and sg-database. In sg-database you can add the following rule to allow every instance in sg-web to reach port 3306:
{"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306", "SourceGroupId": "sg-web", "Policy": "accept", "Priority": 2}
Authorize another CIDR block to access the network
In the classic network the address ranges are not well controlled, so it is recommended to authorize inbound rules by security group ID rather than by CIDR.
In a VPC you can plan the address space and assign distinct IP ranges to different VSwitches. Therefore, in a VPC you can deny all access by default and then authorize only your own private network segments, granting access directly to the CIDR blocks you trust:
[
  {"IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "SourceCidrIp": "10.0.0.0/24", "Policy": "accept", "Priority": 2},
  {"IpProtocol": "tcp", "FromPort": "0", "ToPort": "65535", "SourceCidrIp": "10.0.0.0/24", "Policy": "accept", "Priority": 2},
  {"IpProtocol": "udp", "FromPort": "0", "ToPort": "65535", "SourceCidrIp": "10.0.0.0/24", "Policy": "accept", "Priority": 2}
]
Steps and instructions for changing security group rules
Changing security group rules may affect network communication between your instances. To make sure the necessary traffic is not cut off, release the instances that must keep communicating before you apply a tightening change, using the following approach.
Note: after applying a tightening change, observe the application for a period of time and confirm that it behaves normally before making further changes.
Create a new security group, add the instances that need to communicate with each other to it, and then perform the change.
If the authorization type is security group access, add the ID of the security group bound to the peer instance that needs access as the authorization object.
If the authorization type is address range access, add the private IP of the peer instance that needs access as the authorization object.
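The rule sets above are only useful if you can predict how they combine. The following Python is an added example written for this page, not code from Aliyun or from the article: it models how a security group evaluates an inbound flow (lowest priority number wins, and at equal priority a drop rule beats an accept rule, with no matching rule meaning deny), replays the article's own rules (the public Web ports, the port 3306 drop at priority 100, and the sg-web accept at priority 2), audits a rule set for accept rules that reach beyond the intended public ports from 0.0.0.0/0, and runs the pre-flight check the change procedure above calls for: which required flows would stop working if a tightening change were applied. The rule data, the sg-web membership table and the required flows are constructed for the example.

```python
import ipaddress

# Constructed rule set mirroring the article's examples (example data, not a live security group).
RULES = [
    {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
    {"IpProtocol": "tcp", "FromPort": "8080", "ToPort": "8080", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
    {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
    {"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306", "SourceCidrIp": "0.0.0.0/0", "Policy": "drop", "Priority": 100},
    {"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306", "SourceGroupId": "sg-web", "Policy": "accept", "Priority": 2},
]

# The "all ports to the world" rule the article warns against (constructed, for the audit below).
BAD_RULE = {"IpProtocol": "tcp", "FromPort": "1", "ToPort": "65535", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1}

# Assumed membership of the sg-web group (private IPs of the Web tier); hypothetical values.
GROUP_MEMBERS = {"sg-web": {"10.0.1.10", "10.0.1.11"}}


def _port_matches(rule, port):
    lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
    if lo == -1 and hi == -1:          # -1/-1 means "all" for that protocol (used for ICMP)
        return True
    return lo <= port <= hi


def rule_matches(rule, proto, src_ip, port, members=GROUP_MEMBERS):
    """True if a single rule applies to an inbound flow (proto, source IP, destination port)."""
    if rule["IpProtocol"] not in (proto, "all"):
        return False
    if not _port_matches(rule, port):
        return False
    if "SourceCidrIp" in rule:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
    if "SourceGroupId" in rule:       # authorization by security group ID: match on group membership
        return src_ip in members.get(rule["SourceGroupId"], set())
    return False


def evaluate_inbound(rules, proto, src_ip, port):
    """Aggregate all matching rules: smallest Priority wins; tie -> drop beats accept; no match -> drop."""
    matched = [r for r in rules if rule_matches(r, proto, src_ip, port)]
    if not matched:
        return "drop"                  # whitelist semantics: nothing allowed unless a rule accepts it
    best = min(int(r.get("Priority", 1)) for r in matched)
    policies = {r.get("Policy", "accept") for r in matched if int(r.get("Priority", 1)) == best}
    return "drop" if "drop" in policies else "accept"


def audit_world_open(rules, allowed_ports=(80, 443, 8080)):
    """Accept rules from 0.0.0.0/0 that expose ports outside the intended public set."""
    findings = []
    for r in rules:
        if r.get("Policy", "accept") != "accept" or r.get("SourceCidrIp") != "0.0.0.0/0":
            continue
        lo, hi = int(r["FromPort"]), int(r["ToPort"])
        exposed = set(range(lo, hi + 1)) if lo != -1 else set(range(0, 65536))
        extra = exposed - set(allowed_ports)
        if extra:
            findings.append((r["IpProtocol"], lo, hi, len(extra)))
    return findings


def preflight(old_rules, new_rules, required_flows):
    """Required flows that pass under old_rules but would be dropped after the tightening change."""
    return [
        flow for flow in required_flows
        if evaluate_inbound(old_rules, *flow) == "accept" and evaluate_inbound(new_rules, *flow) != "accept"
    ]


if __name__ == "__main__":
    print("public -> 80:  ", evaluate_inbound(RULES, "tcp", "203.0.113.5", 80))
    print("public -> 3306:", evaluate_inbound(RULES, "tcp", "203.0.113.5", 3306))
    print("sg-web -> 3306:", evaluate_inbound(RULES, "tcp", "10.0.1.10", 3306))
    print("audit:", audit_world_open(RULES + [BAD_RULE]))
    # A cache instance (constructed) that today relies on the bad rule would break when it is removed.
    print("broken:", preflight(RULES + [BAD_RULE], RULES, [("tcp", "10.0.1.10", 3306), ("tcp", "10.0.2.20", 6379)]))
```

The pre-flight result is the list of instances you need to put into a security group and authorize (by group ID or private IP, as in the procedure above) before removing the permissive rule. Note that the drop rule at priority 100 does not block the Web tier, because the sg-web accept at priority 2 takes precedence; a drop at priority 2 would.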
That concludes the method for configuring security group access rules. I hope the content above is helpful; if you found the article useful, feel free to share it so more people can see it.