Security Groups

Security Groups is a virtual packet-filtering firewall that controls the access policy of the servers associated with it. Rules are set separately for the inbound and outbound directions of the security group, for example to control which networks may access the server and which external resources the server may access. A server can be associated with several security groups (up to 5).

By default, a security group is strict in the inbound direction and permissive in the outbound direction.

  • Inbound: whitelist mechanism. When no rules are set, all inbound traffic to the server is denied; add security group rules to allow the required networks to reach the server on the required ports.
  • Outbound: blacklist mechanism. By default the server may access any resource; add security group rules to restrict the resources the server may reach.

Security group source

  • Security groups and rules created on the cloud management platform.

  • Security groups and rules synchronized from other platforms.

    • Cloud to local: the security group list in the cloud management platform is synchronized with the security groups and rules on every connected private and public cloud platform. When a security group on such a platform changes, the change is synchronized to the local security group.
    • Local to cloud: a security group created in the cloud management platform is synchronized to a private or public cloud platform only when it is bound to a server on that platform.

Principle by which security group rules take effect

In private clouds and local IDCs, security group rules take effect as follows.

  • When a server is bound to a single security group, the rules in each direction (inbound and outbound) are matched in order of priority: rules with higher priority are matched first and take effect; rules with lower priority are matched later.
    • If a lower-priority rule has the same matching parameters as a higher-priority rule but the opposite policy, the lower-priority rule does not take effect.
    • If two rules have the same priority and the same matching parameters but opposite policies, the rule with the deny policy takes effect.
  • When a server is bound to several security groups, the rules of all of them are listed together by priority, separately for the inbound and outbound directions, and matched in the same way: rules with higher priority are matched first and take effect; rules with lower priority are matched later.
    • If a lower-priority rule has the same matching parameters as a higher-priority rule but the opposite policy, the lower-priority rule does not take effect.
    • If two rules have the same priority and the same matching parameters but opposite policies, the rule with the deny policy takes effect.
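
The matching principle above, as an added worked example; this is not code from the platform. The rule fields, the priority value 50 assumed for the Generic Web Server template, and the second hardening group are assumptions made for the illustration. The evaluator merges the rules of every bound security group per direction, tries them from highest to lowest priority, lets deny win a tie between rules with the same parameters, and falls back to the default policy of the direction (inbound deny, outbound allow) when nothing matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PORTS = (1, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    cidr: str        # source (inbound) or target (outbound), e.g. "0.0.0.0/0"
    protocol: str    # "tcp", "udp", "icmp" or "any"
    ports: tuple     # (low, high) port range; ALL_PORTS for icmp/any
    policy: str      # "allow" or "deny"
    priority: int    # 1..100, a higher value takes precedence


def rule_matches(rule, direction, peer_ip, protocol, port):
    """True if a packet (peer address, protocol, port) falls within the rule."""
    if rule.direction != direction:
        return False
    if ip_address(peer_ip) not in ip_network(rule.cidr, strict=False):
        return False
    if rule.protocol != "any" and rule.protocol != protocol:
        return False
    # "any protocol" and ICMP match all ports; only TCP/UDP rules look at the port
    if rule.protocol in ("tcp", "udp") and not (rule.ports[0] <= port <= rule.ports[1]):
        return False
    return True


def evaluate(groups, direction, peer_ip, protocol, port=None):
    """Return "allow" or "deny" for one packet checked against every bound security group.

    groups: one list of Rule objects per security group bound to the server.
    """
    candidates = [r for g in groups for r in g if r.direction == direction]
    # Highest priority first. Among equal priorities deny rules are tried first, so
    # when two rules with the same parameters conflict, deny wins (the page's rule).
    # For same-priority rules with different parameters the page defines no order;
    # trying deny first is the conservative assumption made here.
    candidates.sort(key=lambda r: (-r.priority, r.policy != "deny"))
    for rule in candidates:
        if rule_matches(rule, direction, peer_ip, protocol, port):
            return rule.policy
    # No match: inbound is a whitelist (default deny), outbound a blacklist (default allow).
    return "deny" if direction == "inbound" else "allow"


# Constructed sample data: the "Generic Web Server" template as inbound allow rules for
# ports 22, 80, 443, 3389 and ICMP from any source. Priority 50 is an assumption.
WEB_TEMPLATE = [Rule("inbound", "0.0.0.0/0", "tcp", (p, p), "allow", 50) for p in (22, 80, 443, 3389)]
WEB_TEMPLATE.append(Rule("inbound", "0.0.0.0/0", "icmp", ALL_PORTS, "allow", 50))

# A second, hypothetical group bound to the same server that limits RDP to an internal range:
# the higher-priority deny overrides the template's allow for everyone outside 10.0.0.0/8.
RDP_HARDENING = [
    Rule("inbound", "0.0.0.0/0", "tcp", (3389, 3389), "deny", 90),
    Rule("inbound", "10.0.0.0/8", "tcp", (3389, 3389), "allow", 95),
]

if __name__ == "__main__":
    bound = [WEB_TEMPLATE, RDP_HARDENING]
    for peer, proto, port in [("203.0.113.7", "tcp", 80), ("203.0.113.7", "tcp", 3389),
                              ("10.1.2.3", "tcp", 3389), ("203.0.113.7", "tcp", 8080)]:
        print(f"inbound {peer} {proto}/{port} -> {evaluate(bound, 'inbound', peer, proto, port)}")
```

The interesting case is the one the page singles out: a lower-priority rule with the same parameters and the opposite policy never fires, because the higher-priority rule matches first, while an equal-priority conflict resolves to deny regardless of which group the rules came from.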

Principle by which security groups take effect in public clouds

  • When a server in a public cloud is bound to a security group, the cloud management platform synchronizes the bound security group to the public cloud platform, where it takes effect according to that platform's own matching rules.

Entry: In the cloud management platform, click the navigation menu in the top left corner, then click the “Compute/Networks/Security Groups” menu item in the left menu bar that pops up to enter the Security Groups page.

View security groups list

This function is used to view the list of security groups.

  • Search: security groups can be searched by source/target, port, etc.
  • Rule preview: click the number in the Rule Preview column to expand the rule information of the security group.
  • View associated servers: click the number in the Associated Servers column to view the associated servers in the Associated Servers dialog box that pops up.

Create Security Group and Rules

Security groups and rules are generally added in this order: create the security group first, then add the rule list for each direction within it.

Create Security Group

The cloud management platform currently has three built-in security group templates.

  • Generic Web Server: creates rules that allow ports 22, 80, 443 and 3389 and the ICMP protocol. This exposes SSH (22) and Remote Desktop (3389) to every source the rules allow; restrict the source or remove those rules where they are not needed.
  • Open all ports: creates rules that allow all ports.
  • Customize: no rules are set by default; after the security group is created, the user defines the rules.

  1. On the Security Groups page, click the “Create” button at the top of the list to bring up the Create dialog box.
  2. Select the project and template, set the security group name, and click the “OK” button to create the security group.

Batch Append Rules

This function adds the same rules to several security groups at once.

  1. Select one or more security groups in the list and click the “Batch Append Rules” button to bring up the Batch Append Rules dialog box.
  2. Configure the following parameters.
    • Direction: “Inbound” or “Outbound”.
    • Type: Custom, Microsoft Remote Desktop (3389), SSH (22), HTTP (80), HTTPS (443) or ping.
      • With the Custom type, all parameters must be configured manually.
      • With Microsoft Remote Desktop (3389), SSH (22), HTTP (80), HTTPS (443) or ping, the protocol and port are set automatically (e.g. ping uses the ICMP protocol and port ALL); only the source/target, policy and priority need to be configured.
    • Source or target.
      • For an inbound rule, set the source: the IP address or CIDR of the accessing host.
      • For an outbound rule, set the target: the IP address or CIDR that the server accesses.
      • Checking “any IP” in the lower right corner sets the source/target to 0.0.0.0/0. A single IP is written as 192.168.0.1; a CIDR segment is written as 192.168.1.0/24.
    • Protocol: TCP, UDP, ICMP or any protocol; “any protocol” matches all ports.
    • Port: any value from 1 to 65535.
    • Policy: allow or deny.
    • Priority: any value from 1 to 100; the higher the value, the higher the priority, and higher-priority rules take effect first.
  3. Click the “OK” button to add the rules. Repeat the steps above to add further rules to the security groups.
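
The parameter handling of this dialog, as an added example of the checks a client or automation script should perform before submitting rules; this is not the platform's own code, and the function names, the dict layout of a rule and the `Custom` type name are assumptions. Presets fix the protocol and port, “any IP” becomes 0.0.0.0/0, a single IP or a CIDR is validated (a CIDR with host bits set, such as 192.168.1.5/24, is rejected as a likely typo), and port, policy and priority are range-checked before the same rule is appended to every selected group.

```python
from ipaddress import ip_address, ip_network

# Preset rule types offered by the dialog; ping has no port (shown as ALL in the UI).
PRESETS = {
    "Microsoft Remote Desktop": ("tcp", 3389),
    "SSH": ("tcp", 22),
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "ping": ("icmp", None),
}
PROTOCOLS = ("tcp", "udp", "icmp", "any")


def normalize_address(address=None, any_ip=False):
    """Return the validated source/target: 0.0.0.0/0 for 'any IP', a single IP, or a CIDR."""
    if any_ip:
        return "0.0.0.0/0"
    if address is None:
        raise ValueError("source/target is required unless 'any IP' is checked")
    try:
        return str(ip_address(address))           # single IP, e.g. 192.168.0.1
    except ValueError:
        pass
    # strict=True rejects a CIDR whose host bits are set (192.168.1.5/24), almost always a typo
    return str(ip_network(address, strict=True))


def build_rule(direction, rule_type="Custom", address=None, any_ip=False,
               protocol=None, port=None, policy="allow", priority=1):
    """Validate the dialog parameters and return one rule as a dict."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be inbound or outbound")
    if rule_type in PRESETS:
        protocol, port = PRESETS[rule_type]       # preset fixes protocol and port
    elif rule_type != "Custom":
        raise ValueError(f"unknown rule type {rule_type!r}")
    if protocol not in PROTOCOLS:
        raise ValueError("protocol must be one of tcp, udp, icmp, any")
    if protocol in ("icmp", "any"):
        port = None                               # icmp and 'any protocol' match all ports
    elif not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port must be an integer in 1..65535")
    if policy not in ("allow", "deny"):
        raise ValueError("policy must be allow or deny")
    if not isinstance(priority, int) or not 1 <= priority <= 100:
        raise ValueError("priority must be an integer in 1..100")
    field = "source" if direction == "inbound" else "target"
    return {"direction": direction, field: normalize_address(address, any_ip),
            "protocol": protocol, "port": port, "policy": policy, "priority": priority}


def is_valid_rule(**params):
    """True if build_rule accepts the parameters; handy for form-level checks."""
    try:
        build_rule(**params)
        return True
    except ValueError:
        return False


def batch_append(security_groups, **params):
    """Batch Append Rules: append the same validated rule to every selected security group.

    security_groups: {name: [rule, ...]}; returns a new mapping, the input is left unchanged.
    """
    rule = build_rule(**params)
    return {name: rules + [rule] for name, rules in security_groups.items()}


if __name__ == "__main__":
    # Constructed sample: two groups, one already holding a rule.
    groups = {"sg-web": [], "sg-db": [build_rule("inbound", "ping", any_ip=True)]}
    for name, rules in batch_append(groups, direction="inbound", rule_type="HTTPS",
                                    any_ip=True, priority=20).items():
        print(name, rules)
```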

Configure rules

A newly created security group is usually displayed first in the list. Its rules are set in the details of the security group. The details page is divided into “Inbound” and “Outbound”, which control the traffic in each direction of the server separately. Rules are created in the same way in either direction.

Create Rules

  1. On the Security Groups page, click the “Configuration Rules” button in the right column of the security group to enter the Inbound page.
  2. Click the “Create” button on the “Inbound” or “Outbound” page to bring up the Create Rule dialog box.
  3. Configure the following parameters.
    • Type: Custom, Microsoft Remote Desktop (3389), SSH (22), HTTP (80), HTTPS (443) or ping.
      • With the Custom type, all parameters must be configured manually.
      • With Microsoft Remote Desktop (3389), SSH (22), HTTP (80), HTTPS (443) or ping, the protocol and port are set automatically (e.g. ping uses the ICMP protocol and port ALL); only the source/target, policy and priority need to be configured.
    • Source/Target: the source (inbound) or target (outbound) of the traffic; an IP address, a CIDR or a security group can be selected.
      • IP address and CIDR: enter a single IP address or a CIDR segment. Checking “any IP” in the lower right corner sets the source/target to 0.0.0.0/0. A single IP is written as 192.168.0.1; a CIDR segment is written as 192.168.1.0/24.
      • Security group: select a security group. Its rules are not copied into the current security group; instead the servers and other resources bound to the selected group serve as the source/target. At present this only takes effect on the Alibaba Cloud and Tencent Cloud platforms.
    • Protocol: TCP, UDP, ICMP or any protocol; “any protocol” matches all ports.
    • Port: any value from 1 to 65535.
    • Policy: allow or deny.
    • Priority: any value from 1 to 100; the higher the value, the higher the priority, and higher-priority rules take effect first.
    • Remarks: a comment describing the rule.
  4. Click the “OK” button to add the rule. Repeat the steps above to add further rules to the security group.

Edit Rule

This function is used to edit existing rules.

  1. On the Security Groups page, click the “Configuration Rules” button in the right column of the security group to enter the Inbound page.
  2. Click the “Edit” button in the right column of the rule on the “Inbound” or “Outbound” page to bring up the edit dialog box.
  3. Modify the protocol, policy, priority, etc. and click the “OK” button to finish the operation.

Clone Rule

This function is used to clone existing rules.

  1. On the Security Groups page, click the “Configuration Rules” button in the right column of the security group to enter the Inbound page.
  2. Click the “Clone” button in the right column of the rule on the “Inbound” or “Outbound” page to bring up the Clone Rule dialog box.
  3. Modify the relevant parameters and click the “OK” button to complete the operation.

Delete Rule

This function is used to delete rules, singly or in batch.

Delete

  1. On the Security Groups page, click the “Configuration Rules” button in the right column of the security group to enter the Inbound page.
  2. Click the “Delete” button in the action column to the right of the rule on the “Inbound” or “Outbound” page to bring up the action confirmation dialog box.
  3. Click the “OK” button to complete the operation.

Batch Delete

  1. On the Security Groups page, click the “Configuration Rules” button in the right column of the security group to enter the Inbound page.
  2. Select one or more rules on the “Inbound” or “Outbound” page and click the “Delete” button at the top of the list to bring up the action confirmation dialog box. Click the “OK” button to complete the operation.

Manage Virtual Machines

This function is used to manage the servers associated with a security group. A security group can be associated with many servers, and a server can be associated with up to 5 security groups.

Associate servers

  1. On the Security Groups page, click the “Manage Virtual Machines” button in the right action column of the security group to enter the Associated Servers page.
  2. Click the “Associate Server” button at the top of the list to bring up the Associate Server dialog box.
  3. Select the servers to associate with the security group (multiple selection is supported) and click the “OK” button.

Unbind servers

Unbind

  1. On the Security Groups page, click the “Manage Virtual Machines” button in the right action column of the security group to enter the Associated Servers page.
  2. Click the “Unbind” button in the right column of the server to bring up the action confirmation dialog.
  3. Click the “OK” button to complete the operation.

Batch Unbind

  1. On the Security Groups page, click the “Manage Virtual Machines” button in the right action column of the security group to enter the Associated Servers page.
  2. Select one or more servers in the list and click the “Unbind” button at the top of the list to bring up the action confirmation dialog.
  3. Click the “OK” button to complete the operation.

Clone

This function creates a new security group with the same rules and parameters as the current one.

  1. On the Security Groups page, click the “More” button in the right action column of the security group and select the “Clone” menu item in the drop-down menu to bring up the Clone dialog box.
  2. Set the name of the cloned security group and click the “OK” button to create a security group with the same rules as the current one.

Import Security Group Rules

This function imports security group rules in batch; rules exported from a security group can be imported into the specified security group.

  1. On the Security Groups page, click the “More” button in the right action column of the security group and select the “Import Security Group Rules” menu item in the drop-down menu to bring up the Import Security Group Rules dialog box.
  2. Imported rules must follow the preset format: download the template first and fill in the rule information in the downloaded export-secgrouprules.xlsx file. Put the inbound and outbound rules of a security group in the same sheet, marked as in or out to distinguish the direction.
  3. Click the dotted box or drag and drop the export-secgrouprules.xlsx file onto it, then click the “OK” button to complete the operation.

Merge Security Groups

This function merges security groups that have the same rules into one security group, reducing the number of security groups in the list and removing redundant ones. “The same rules” means that every rule in the security groups has the same IP address, port, protocol, direction, etc. Because the merged security groups are deleted, check their associated servers before merging.

  1. On the Security Groups page, click the “More” button in the right action column of the security group and select the “Merge Security Groups” menu item in the drop-down menu to bring up the Merge Security Groups dialog box.
  2. Enter or select the security groups that can be merged and click the “OK” button; the security groups are merged into one and the other mergeable security groups are deleted.
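
The “same rules” test and the merge itself, as an added example; this is not the platform's code. It assumes a rule is a dict with the fields of the Create Rule dialog, that policy and priority count among the “etc.” the page lists, and that the free-text remark does not. Rule order within a group is ignored, a merge is refused if any rule set differs, and the servers bound to the deleted groups are re-bound to the group that is kept so that no server loses its rules.

```python
def rule_signature(rule):
    """Fields that decide whether two rules are 'the same' for merging (remark is ignored)."""
    port = rule["port"] if rule["port"] is not None else 0   # 0 stands for ALL, keeps tuples sortable
    return (rule["direction"], rule["address"], rule["protocol"], port, rule["policy"], rule["priority"])


def group_signature(rules):
    """Order-independent signature of a whole rule set (duplicate rules are kept)."""
    return tuple(sorted(rule_signature(r) for r in rules))


def find_mergeable(security_groups):
    """Return groups of security group names whose rule sets are identical (size >= 2)."""
    buckets = {}
    for name, rules in security_groups.items():
        buckets.setdefault(group_signature(rules), []).append(name)
    return sorted(sorted(names) for names in buckets.values() if len(names) > 1)


def can_merge(security_groups, names):
    """True if at least two groups were named and all of them have the same rules."""
    signatures = {group_signature(security_groups[n]) for n in names}
    return len(names) > 1 and len(signatures) == 1


def merge_groups(security_groups, associations, names, keep):
    """Merge `names` into `keep`: servers bound to the other groups are re-bound to `keep`
    and the other groups are deleted. Inputs are not modified; new mappings are returned."""
    if keep not in names:
        raise ValueError("the group to keep must be one of the groups being merged")
    if not can_merge(security_groups, names):
        raise ValueError("rule sets differ; the groups are not mergeable")
    groups = dict(security_groups)
    assoc = {n: set(s) for n, s in associations.items()}
    for name in names:
        if name == keep:
            continue
        assoc.setdefault(keep, set()).update(assoc.pop(name, set()))   # preserve server coverage
        del groups[name]
    return groups, assoc


def _r(direction, address, protocol, port, policy, priority, remark=""):
    return {"direction": direction, "address": address, "protocol": protocol,
            "port": port, "policy": policy, "priority": priority, "remark": remark}


# Constructed sample: sg-web-a and sg-web-b hold the same rules in a different order with
# different remarks; sg-db differs. The names and bindings are made up for the example.
SECURITY_GROUPS = {
    "sg-web-a": [_r("inbound", "0.0.0.0/0", "tcp", 443, "allow", 50, "https"),
                 _r("inbound", "10.0.0.0/8", "tcp", 22, "allow", 60, "ssh from office")],
    "sg-web-b": [_r("inbound", "10.0.0.0/8", "tcp", 22, "allow", 60),
                 _r("inbound", "0.0.0.0/0", "tcp", 443, "allow", 50, "tls")],
    "sg-db":    [_r("inbound", "10.0.0.0/8", "tcp", 3306, "allow", 50),
                 _r("inbound", "0.0.0.0/0", "icmp", None, "allow", 50)],
}
ASSOCIATIONS = {"sg-web-a": {"vm-1"}, "sg-web-b": {"vm-2", "vm-3"}, "sg-db": {"vm-4"}}

if __name__ == "__main__":
    print("mergeable:", find_mergeable(SECURITY_GROUPS))
    groups, assoc = merge_groups(SECURITY_GROUPS, ASSOCIATIONS, ["sg-web-a", "sg-web-b"], keep="sg-web-a")
    print("remaining:", sorted(groups), "bindings:", assoc)
```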

Change Project

This function is used to change the project to which a security group belongs.

  1. On the Security Groups page, click the “More” button in the right action column of the security group and select the “Change Project” menu item in the drop-down menu to bring up the Change Project dialog box.
  2. Set the domain and project, then click the “OK” button.

Set Up Sharing

This function is used to set the sharing scope of a security group.

There are five sharing scopes for project resources.

  • No sharing (private): the project resource can be used only by users of its own project.
  • Project sharing - part (shared with several projects in this domain): the project resource is shared with one or more specified projects in the same domain; only users of the owning project and the shared projects can use it.
  • Project sharing - all (shared with this domain): the project resource is shared with all projects in the domain, i.e. all users of the project's domain can use it.
  • Domain sharing - part (shared with several domains): the project resource is shared with one or more specified domains; only users of the owning domain and the shared domains can use it.
  • Domain sharing - all (global sharing): the project resource is shared with all domains, i.e. all users in the system can use it.

Set up sharing for a security group

  1. On the Security Groups page, click the “More” button in the right action column of the security group and select the “Set as Shared” menu item in the drop-down menu to bring up the Set as Shared dialog box.
  2. Configure the following parameters.
    • “No Sharing”: the project resource is private; only users of this project can use it.
    • “Project Sharing”: select the projects in this domain to share with.
      • Selecting one or more projects in the same domain gives the scope Project Sharing - Part: only users of the owning project and the selected projects can use the resource.
      • Selecting All gives the scope Project Sharing - All: all users in the project's domain can use the resource.
    • “Domain Sharing”: select the domains to share with.
      • Selecting one or more domains gives the scope Domain Sharing - Part: only users of the owning domain and the selected domains can use the resource.
      • Selecting All gives the scope Domain Sharing - All: all users in the system can use the resource.
  3. Click the “OK” button to complete the operation.

Batch set up sharing

  1. Select one or more security groups in the Security Groups list and click the “Set up sharing” button at the top of the list to bring up the Set up sharing dialog box.
  2. Configure the sharing scope (“No Sharing”, “Project Sharing” with the projects to share with, or “Domain Sharing” with the domains to share with) with the same options and meanings as for a single security group.
  3. Click the “OK” button to complete the operation.

Delete

This function is used to delete a security group. A security group cannot be deleted while it is still associated with servers (associated instance count not 0); unbind the servers first.

Delete Individual

  1. On the Security Groups page, click the “More” button in the right action column of the security group and select the “Delete” menu item in the drop-down menu; the action confirmation dialog box pops up.
  2. Click the “OK” button to complete the operation.

Batch Delete

  1. Select one or more security groups in the security group list, and click the “Delete” button at the top of the list to bring up the operation confirmation dialog box.
  2. Click the “OK” button to complete the operation.

View Security Group Details

This function is used to view the security group details.

  1. On the Security Groups page, click the security group name to enter the Security Group Details page.
  2. The menu items at the top of the details page provide the management operations of the security group.
  3. View the Cloud ID, ID, name, status, domain, project, sharing scope, associated servers, cache copies, created at, updated at, notes, etc. of the security group.

View the list of associated servers

This function is used to view the list of servers associated with a security group and to unassociate servers.

  1. On the security group details page, click the “Associated Servers” tab to enter the list of associated servers.
  2. Unassociate a server: click the “Unbind” button on the right side of the server to bring up the action confirmation dialog box, then click the “OK” button to complete the operation.

Viewing the cache list

The cache list has two sources.

  • When a server on a private/public cloud platform is created with a security group on the OneCloud platform, a cache record with the same name is generated for that platform.
  • When security groups are synchronized from a private/public cloud platform, a platform security group whose rules are identical to a local security group is merged into it, and a cache record carrying the platform security group's name is generated in the cache list of that local security group; if no local security group has the same rules, a new security group with the same name is created on the OneCloud platform.

  1. On the security group details page, click the “Cache List” tab to enter the cache page.
  2. View the cache list information of the security group: name, status, created at, updated at, VPC, platform, region and cloud account.
  3. Cache records can be deleted. Deleting a cache on the cloud management platform also deletes the corresponding security group on the public/private cloud platform, so confirm nothing on that platform still depends on it.

View operation log

This function is used to view the log information of security group related operations.

  1. On the security group details page, click the “Operation Log” tab to enter the Operation Log page.
    • Load more logs: the list shows 20 operation logs by default; click the “Load More” button to get more.
    • View log details: click the “View” button in the right column of a log entry to view its details; the details can be copied.
    • View logs for a time period: set the start date and end date at the top right of the list to query the logs of that period.
    • Export logs: only the logs displayed on the current page can be exported. Click the export icon in the upper-right corner, set the columns to export in the Export Data dialog that pops up, and click the “OK” button to export the logs.