
The method of authorizing and revoking Security Group rules

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article shares the methods of authorizing and revoking security group rules. The editor found them practical and offers them here for reference.

This article covers the following aspects of security groups:

Authorizing and revoking security group rules.

Joining and leaving a security group.

Alibaba Cloud (Aliyun) has two network types, classic network and VPC, and they support different kinds of security group rules:

Classic network: private network inbound, private network outbound, public network inbound and public network outbound.

VPC: inbound and outbound only.

The concept of security group intranet communication

Before going further, you should be aware of how security groups govern intranet communication:

By default, only ECS instances in the same security group can reach each other over the private network. Even ECS instances under the same account cannot reach each other over the private network if they belong to different security groups. This holds for both classic and VPC networks, which is why a classic-network ECS instance is also isolated on the intranet.

If two ECS instances in different security groups can reach each other over the private network when they should not, check the private network rules of your security groups. It is recommended that you reset any intranet rule that matches the following pattern:

All ports are allowed.

The authorization object is a CIDR block (SourceCidrIp) of 0.0.0.0/0 or 10.0.0.0/8.

On a classic network, such a rule exposes your intranet to access from outside the group.

To allow resources in different security groups to reach each other, use security group authorization: for private network access, authorize by source security group (SourceGroupId) rather than by CIDR block.
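The check described above, written as an added example (not code from the page or from Alibaba Cloud): it walks a list of rules shaped like the Permission entries returned by the DescribeSecurityGroupAttribute API (the field names are an assumption modelled on that API) and flags the two conditions the text warns about. The sample rules are constructed for the example.

```python
import ipaddress

# Constructed sample, shaped like the "Permission" entries that Alibaba Cloud's
# DescribeSecurityGroupAttribute API returns. The field names are an assumption
# modelled on that API; the rules themselves are made up for this example.
SAMPLE_RULES = [
    {"Direction": "ingress", "NicType": "intranet", "Policy": "Accept", "Priority": "1",
     "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "SourceGroupId": ""},
    {"Direction": "ingress", "NicType": "intranet", "Policy": "Accept", "Priority": "1",
     "IpProtocol": "TCP", "PortRange": "1/65535", "SourceCidrIp": "10.0.0.0/8", "SourceGroupId": ""},
    {"Direction": "ingress", "NicType": "intranet", "Policy": "Accept", "Priority": "1",
     "IpProtocol": "TCP", "PortRange": "6379/6379", "SourceCidrIp": "", "SourceGroupId": "sg-web"},
    {"Direction": "ingress", "NicType": "intranet", "Policy": "Accept", "Priority": "1",
     "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "192.168.1.0/24", "SourceGroupId": ""},
    {"Direction": "ingress", "NicType": "internet", "Policy": "Accept", "Priority": "1",
     "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0", "SourceGroupId": ""},
]

PRIVATE_A = ipaddress.ip_network("10.0.0.0/8")


def opens_all_ports(rule):
    """True when the rule places no port restriction: protocol ALL, or a
    tcp/udp range spanning the whole 1/65535 space."""
    if rule["IpProtocol"].lower() == "all":
        return True
    start, end = (int(p) for p in rule["PortRange"].split("/"))
    return (start, end) == (1, 65535)


def audit_intranet_rules(rules, network_type="classic"):
    """Return (index, reason) pairs for inbound intranet accept rules that
    expose the private network in the way the text describes.

    Two findings are produced:
      * all ports open to a CIDR that covers 10.0.0.0/8 (0.0.0.0/0 or
        10.0.0.0/8 itself): a problem on classic and VPC networks alike;
      * any CIDR-based intranet rule on a classic-network group, which the
        text says should be replaced by SourceGroupId authorization.
    """
    findings = []
    for idx, rule in enumerate(rules):
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule["NicType"] != "intranet" or rule["Policy"].lower() != "accept":
            continue
        cidr = rule.get("SourceCidrIp") or ""
        if not cidr:
            continue  # security-group authorization: the recommended form
        net = ipaddress.ip_network(cidr, strict=False)
        if opens_all_ports(rule) and net.supernet_of(PRIVATE_A):
            findings.append((idx, "all ports open to %s on the intranet; reset this rule" % cidr))
        elif network_type == "classic":
            findings.append((idx, "classic-network intranet rule authorized by CIDR %s; "
                                  "authorize by SourceGroupId instead" % cidr))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_intranet_rules(SAMPLE_RULES, network_type="classic"):
        print("rule %d: %s" % (idx, reason))
```

Run against the constructed list, the audit flags rules 0 and 1 on either network type, flags the 192.168.1.0/24 rule only for a classic-network group, and leaves the sg-web rule and the public-network rule alone.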

Properties of security rules

A security rule describes an access permission and has the following attributes:

Policy: authorization policy, either accept or drop.

Priority: rules are matched from the highest priority down. The range is 1 to 100; the default is 1, which is the highest priority. A larger number means a lower priority.

NicType: network card type, internet or intranet. If only SourceGroupId is specified and no SourceCidrIp, the rule authorizes by security group and NicType must be intranet.

Rule description:

IpProtocol: IP protocol. Values: tcp | udp | icmp | gre | all, where all means every protocol.

PortRange: port range for the IP protocol:

When IpProtocol is tcp or udp, ports run from 1 to 65535 and the format must be "start port/end port". For example, "1/200" means ports 1 through 200. A reversed range such as "200/1" makes the API call fail.

When IpProtocol is icmp, gre or all, the port range is -1/-1, meaning the port is not restricted.

Security group authorization: specify SourceGroupId, the source security group ID. For cross-account authorization, also set SourceGroupOwnerAccount to the account that owns the source security group.

CIDR authorization: specify SourceCidrIp, the source IP range, which must be in CIDR notation.

Authorizing an inbound request rule

When you create a security group in the console or through the API, the inbound direction denies everything by default, so every inbound request is rejected. That is rarely what you want, so configure your rules accordingly.

For example, to open port 80 on the public network for an HTTP service that should be reachable by as many users as possible, do not restrict the source IP range: set it to 0.0.0.0/0. The settings are listed below; the console name comes first and the OpenAPI parameter follows in parentheses, and the two mean the same thing.

Network card type (NicType): public network (internet). For a VPC-type instance, enter intranet; public traffic then arrives through the EIP.

Authorization policy (Policy): allow (accept).

Rule direction: inbound (the AuthorizeSecurityGroup call; AuthorizeSecurityGroupEgress is its outbound counterpart).

Protocol type (IpProtocol): TCP (tcp).

Port range (PortRange): 80/80.

Authorization object (SourceCidrIp): 0.0.0.0/0.

Priority (Priority): 1.

Note: the above recommendation applies only to the public network. A CIDR block is not recommended as the authorization object for private network requests; see the classic-network intranet rules below and do not authorize by CIDR or IP there.

Denying an inbound request rule

To block a request, configure a deny policy and give it a low priority (a large number). Higher-priority rules can then override it when necessary. For example, the following settings deny access to port 6379:

Network card type (NicType): internal network (intranet).

Authorization policy (Policy): deny (drop).

Rule direction: inbound.

Protocol type (IpProtocol): TCP (tcp).

Port range (PortRange): 6379/6379.

Authorization object (SourceCidrIp): 0.0.0.0/0.

Priority (Priority): 100.

Do not use CIDR or IP authorization in the intranet rules of a classic-network security group

For classic-network ECS instances, Alibaba Cloud enables no inbound intranet rules by default, and intranet authorization must be handled with care.

For security reasons, enabling any authorization based on a CIDR block is not recommended.

With elastic computing, private IP addresses change frequently and their ranges are irregular. For the private network of a classic-network instance, authorize access by security group instead.

For example, if a Redis cluster runs in security group sg-redis and only specific machines (say, those in sg-web) should reach it, you need no CIDR at all: add one inbound rule whose authorization object is the source security group ID.

Network card type (NicType): internal network (intranet).

Authorization policy (Policy): allow (accept).

Rule direction: inbound.

Protocol type (IpProtocol): TCP (tcp).

Port range (PortRange): 6379/6379.

Authorization object (SourceGroupId): sg-web.

Priority (Priority): 1.

For a VPC-type instance, if you have planned your IP ranges across several vSwitches, CIDR-based security group rules are workable. If your VPC address plan is not that clear, prefer security group authorization for inbound rules.
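The attribute rules and the three worked rules above (allow public port 80, deny intranet 6379 at priority 100, allow 6379 from sg-web at priority 1), as an added example that is not code from the page or from Alibaba Cloud. It validates a rule the way the text says the API does (reversed PortRange rejected, -1/-1 for icmp/gre/all, NicType intranet for SourceGroupId) and then evaluates a packet against a rule set in priority order with the inbound default deny. The Rule type, the function names and the packets are all assumptions made for this example; the text does not say how ties inside one priority value are broken, so the code assumes drop beats accept there.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str                # accept | drop
    priority: int              # 1 (highest) .. 100 (lowest)
    nic_type: str              # internet | intranet
    ip_protocol: str           # tcp | udp | icmp | gre | all
    port_range: str            # "start/end"; "-1/-1" for icmp, gre, all
    source_cidr_ip: str = ""   # CIDR authorization ...
    source_group_id: str = ""  # ... or security-group authorization


def parse_port_range(ip_protocol, port_range):
    """Apply the PortRange checks from the text: tcp/udp need start/end within
    1..65535 with start <= end ("200/1" is rejected); icmp, gre and all must be
    -1/-1, meaning unrestricted."""
    try:
        start, end = (int(p) for p in port_range.split("/"))
    except ValueError:
        raise ValueError("PortRange must be 'start/end', got %r" % port_range) from None
    proto = ip_protocol.lower()
    if proto in ("tcp", "udp"):
        if not (1 <= start <= end <= 65535):
            raise ValueError("bad tcp/udp PortRange %r" % port_range)
    elif proto in ("icmp", "gre", "all"):
        if (start, end) != (-1, -1):
            raise ValueError("%s rules must use PortRange -1/-1" % proto)
    else:
        raise ValueError("unknown IpProtocol %r" % ip_protocol)
    return start, end


def validate_rule(rule):
    """Reject rules the text says the API rejects, and rules that mix the two
    authorization forms."""
    parse_port_range(rule.ip_protocol, rule.port_range)
    if rule.policy not in ("accept", "drop"):
        raise ValueError("Policy must be accept or drop")
    if not 1 <= rule.priority <= 100:
        raise ValueError("Priority must be within 1..100")
    if bool(rule.source_cidr_ip) == bool(rule.source_group_id):
        raise ValueError("set exactly one of SourceCidrIp or SourceGroupId")
    if rule.source_group_id and rule.nic_type != "intranet":
        raise ValueError("security-group authorization requires NicType intranet")
    if rule.source_cidr_ip:
        ipaddress.ip_network(rule.source_cidr_ip, strict=False)  # must be valid CIDR
    return rule


def evaluate(rules, nic_type, protocol, port=None, src_ip=None, src_group=None):
    """Decide accept/drop for one inbound packet: the highest-priority matching
    rule wins; with no match the inbound default deny applies. Ties inside one
    priority value are assumed to resolve drop-before-accept."""
    order = sorted(rules, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    for rule in order:
        if rule.nic_type != nic_type:
            continue
        proto = rule.ip_protocol.lower()
        if proto != "all" and proto != protocol.lower():
            continue
        if proto in ("tcp", "udp"):
            start, end = parse_port_range(proto, rule.port_range)
            if port is None or not start <= port <= end:
                continue
        if rule.source_group_id:
            if src_group != rule.source_group_id:
                continue
        elif src_ip is None or ipaddress.ip_address(src_ip) not in ipaddress.ip_network(
                rule.source_cidr_ip, strict=False):
            continue
        return rule.policy
    return "drop"


# The three rules worked through in the text, validated on construction.
RULES = [validate_rule(r) for r in (
    Rule("accept", 1, "internet", "tcp", "80/80", source_cidr_ip="0.0.0.0/0"),
    Rule("drop", 100, "intranet", "tcp", "6379/6379", source_cidr_ip="0.0.0.0/0"),
    Rule("accept", 1, "intranet", "tcp", "6379/6379", source_group_id="sg-web"),
)]

if __name__ == "__main__":
    print(evaluate(RULES, "internet", "tcp", 80, src_ip="203.0.113.9"))                     # accept
    print(evaluate(RULES, "intranet", "tcp", 6379, src_ip="10.1.2.3", src_group="sg-web"))  # accept
    print(evaluate(RULES, "intranet", "tcp", 6379, src_ip="10.1.2.3", src_group="sg-db"))   # drop
```

The interesting case is the last one: the priority-100 deny on 6379 catches every intranet source except members of sg-web, whose priority-1 allow is matched first. A packet that matches nothing at all, such as public port 443, falls through to the default deny.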

Put ECS instances that need to communicate into the same security group

An ECS instance can join up to 5 security groups, and ECS instances in the same security group can reach each other over the private network. If you already have several security groups and configuring many rules directly would be too complicated, create a new security group and add the ECS instances that need private network communication to it.

Security groups are tied to a network type. A classic-network ECS instance can only join classic-network security groups; a VPC-type ECS instance can only join security groups of its own VPC.

It is also not recommended to put every ECS instance into one security group; that makes the rule set a nightmare to maintain. In a medium or large application each server group plays a different role, so plan the inbound and outbound requests of each group separately.

In the console, add an instance to a security group as described in the "join a security group" documentation.

If you are familiar with Alibaba Cloud's OpenAPI, you can manage ECS instances flexibly and in batches through it. The corresponding Python fragment follows.

import json
import logging

from aliyunsdkcore import client
from aliyunsdkecs.request.v20140526.JoinSecurityGroupRequest import JoinSecurityGroupRequest

# Fill in your own credentials and region; the client is shared by every request below.
clt = client.AcsClient('<your-access-key-id>', '<your-access-key-secret>', '<region-id>')


def join_sg(sg_id, instance_id):
    request = JoinSecurityGroupRequest()
    request.set_InstanceId(instance_id)
    request.set_SecurityGroupId(sg_id)
    response = _send_request(request)
    return response


# send open api request
def _send_request(request):
    request.set_accept_format('json')
    try:
        response_str = clt.do_action(request)
        logging.info(response_str)
        response_detail = json.loads(response_str)
        return response_detail
    except Exception as e:
        logging.error(e)

Removing an ECS instance from a security group

If an ECS instance has joined an unsuitable security group, your service may be exposed or blocked, and you can remove the instance from that group. Before removing it, make sure the instance has already joined another security group.

Note: removing an ECS instance from a security group cuts its connectivity to the other members of that group. Test sufficiently before removing an instance.

The corresponding Python fragment follows.

from aliyunsdkecs.request.v20140526.LeaveSecurityGroupRequest import LeaveSecurityGroupRequest


def leave_sg(sg_id, instance_id):
    request = LeaveSecurityGroupRequest()
    request.set_InstanceId(instance_id)
    request.set_SecurityGroupId(sg_id)
    response = _send_request(request)
    return response

# _send_request is the same helper shown with join_sg above.
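The caveats around joining and leaving (keep at least one other group before leaving, match the instance's network type, and respect the limit of 5 groups per instance), as an added planning step that is not code from the page or from Alibaba Cloud. It works on a dict shaped like the DescribeInstanceAttribute response and a catalogue shaped like DescribeSecurityGroups output; those field names, the group IDs and the instance are assumptions constructed for this example. The plan it returns is the ordered list of API calls (join first, then leave) that join_sg and leave_sg above would carry out.

```python
# Constructed sample shaped like Alibaba Cloud's DescribeInstanceAttribute
# response. The field names are an assumption modelled on that API.
INSTANCE_ATTR = {
    "InstanceId": "i-example01",
    "InstanceNetworkType": "vpc",
    "VpcAttributes": {"VpcId": "vpc-a"},
    "SecurityGroupIds": {"SecurityGroupId": ["sg-redis"]},
}

# Constructed catalogue keyed by security group ID, shaped like DescribeSecurityGroups
# output; an empty VpcId stands for a classic-network group. Also an assumption.
SG_CATALOG = {
    "sg-redis": {"VpcId": "vpc-a"},
    "sg-web": {"VpcId": "vpc-a"},
    "sg-classic": {"VpcId": ""},
    "sg-other-vpc": {"VpcId": "vpc-b"},
}

MAX_GROUPS_PER_INSTANCE = 5  # the limit stated in the text


def current_groups(instance_attr):
    return list(instance_attr["SecurityGroupIds"]["SecurityGroupId"])


def instance_vpc_id(instance_attr):
    """Empty string for a classic-network instance, the VPC ID otherwise."""
    if instance_attr["InstanceNetworkType"] == "classic":
        return ""
    return instance_attr["VpcAttributes"]["VpcId"]


def plan_join(instance_attr, sg_id, sg_catalog):
    """Return the JoinSecurityGroup call, or raise when the text's rules forbid it:
    the group must belong to the instance's network, and the 5-group cap holds."""
    groups = current_groups(instance_attr)
    if sg_id in groups:
        return []  # already a member, nothing to do
    if sg_catalog[sg_id]["VpcId"] != instance_vpc_id(instance_attr):
        raise ValueError("%s is not in the instance's network (classic vs VPC, or another VPC)" % sg_id)
    if len(groups) >= MAX_GROUPS_PER_INSTANCE:
        raise ValueError("instance already belongs to %d security groups" % MAX_GROUPS_PER_INSTANCE)
    return [("JoinSecurityGroup", {"InstanceId": instance_attr["InstanceId"], "SecurityGroupId": sg_id})]


def plan_leave(instance_attr, sg_id, joined=()):
    """Return the LeaveSecurityGroup call, refusing to leave the instance with no
    group at all. `joined` lists groups an earlier step of the same plan adds."""
    groups = current_groups(instance_attr) + list(joined)
    if sg_id not in groups:
        raise ValueError("instance is not in %s" % sg_id)
    if len(groups) == 1:
        raise ValueError("%s is the instance's only security group; join another group first" % sg_id)
    return [("LeaveSecurityGroup", {"InstanceId": instance_attr["InstanceId"], "SecurityGroupId": sg_id})]


def plan_move(instance_attr, from_sg, to_sg, sg_catalog):
    """Join the new group first and leave the old one second, so the instance is
    never left without a security group in between."""
    if from_sg == to_sg:
        raise ValueError("source and target security group are the same")
    join = plan_join(instance_attr, to_sg, sg_catalog)
    leave = plan_leave(instance_attr, from_sg, joined=[to_sg] if join else [])
    return join + leave


if __name__ == "__main__":
    for api, params in plan_move(INSTANCE_ATTR, "sg-redis", "sg-web", SG_CATALOG):
        print(api, params)
```

Moving the sample instance from sg-redis to sg-web yields a join followed by a leave; leaving sg-redis on its own is refused because it is the instance's only group, and joining sg-classic or sg-other-vpc is refused because neither belongs to the instance's VPC.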

Define reasonable security group names and tags

A clear security group name and description help you recognize complex rule combinations quickly; change the name and description so that the group's purpose is obvious.

You can also manage your security groups by tagging them. Tags can be set directly in the console or through the API.

Delete security groups you no longer need

Security group rules act like whitelists and blacklists, so do not keep security groups you no longer need; an ECS instance added to one by mistake causes avoidable trouble.

Thank you for reading. That covers the methods of authorizing and revoking security group rules; hopefully the material above is useful.
