This article explains how to configure the network access rules of a security group and what you should know about security groups before doing so, with a focus on the concrete steps.
A cloud security group acts as a virtual firewall that applies network access control to one or more ECS instances, and it is an important means of security isolation. Every ECS instance must be assigned a security group when it is created. Security group rules then control the inbound and outbound traffic of all ECS instances in that group.
This article mainly introduces how to configure the network access rules of the security group.
Security group related information
Before configuring the network access rules of the security group, you should already know the following security group related information:
Security group restrictions
Security group default rules
Set the inbound access permissions of the security group
Set the outbound access permissions of the security group
Basic suggestions for security group practice
Before starting the practice of security group, here are some basic suggestions:
The most important rule: a security group should be used as a whitelist, allowing only the traffic that is needed and denying everything else.
When opening access for an application, follow the principle of least privilege: open only the specific port the application needs (for example, port 80) rather than a range.
One security group should not be used to manage all applications, because different layers must have different requirements.
For distributed applications, different application types should use different security groups. For example, you should use different security groups for the Web, Service, Database, and Cache layers to expose different access rules and permissions.
Do not create a separate security group for every instance; that keeps management cost under control.
Prioritize VPC networks.
Resources that do not require public network access should not provide public network IP.
Keep the rules of a single security group as simple as possible. An instance can join up to 5 security groups and a security group can contain up to 100 rules, so an instance may have hundreds of security group rules applied at the same time. All rules from all of its groups are aggregated to decide whether traffic is allowed or denied, and if the rules of each individual group are already complex, the aggregated result becomes hard to reason about. Therefore, keep the rules of each security group simple.
Adjusting the entry and exit rules of the online security group is a relatively dangerous action. If you are unsure, you should not update the security group access rule settings. Alibaba Cloud's console provides the function of cloning security groups and security group rules. If you want to modify online security groups and rules, you should first clone a security group and then debug on the cloned security group to avoid directly affecting online applications.
Set the network access rules of the security group
The following are practical suggestions for the network access rules of the security group.
Do not use the network access rule of 0.0.0.0/0
Allowing all network access is a common mistake. A source of 0.0.0.0/0 on an all-ports rule exposes every port on the instance to the whole Internet, which is very unsafe. The correct approach is to start from denying all ports and to treat the security group as a whitelist. For example, if you need to expose a web service, open only the usual TCP ports such as 80, 8080 and 443 from 0.0.0.0/0 and keep every other port closed:
[
  { "IpProtocol": "tcp", "FromPort": "80",   "ToPort": "80",   "SourceCidrIp": "0.0.0.0/0", "Policy": "accept" },
  { "IpProtocol": "tcp", "FromPort": "8080", "ToPort": "8080", "SourceCidrIp": "0.0.0.0/0", "Policy": "accept" },
  { "IpProtocol": "tcp", "FromPort": "443",  "ToPort": "443",  "SourceCidrIp": "0.0.0.0/0", "Policy": "accept" }
]
Close unnecessary network access rules
If the rules you currently use already contain 0.0.0.0/0, re-examine which ports and services your application actually needs to expose to the outside world. For any port that must not serve the public directly, add a deny rule. For example, if a MySQL server is installed on the instance, port 3306 should not be reachable from the public network by default. Add the deny rule below and give it priority 100, the lowest priority, so that more specific rules can still take precedence:
{ "IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306", "SourceCidrIp": "0.0.0.0/0", "Policy": "drop", "Priority": 100 }
After this change no source at all can reach port 3306, which will very likely break legitimate traffic from your own application. To restore that traffic, add an inbound rule that authorizes the resources of another security group, as described next.
Authorize another security group to access the network
Each security group should open only the access it needs, following the principle of least privilege. Different application layers belong in different security groups, and each group carries the rules appropriate to its layer.
In a distributed application, for example, you will have separated the layers into different security groups, and those groups then need to talk to each other. Rather than authorizing individual IP addresses or CIDR blocks, authorize the other security group by its ID: every resource in that group is then allowed. Suppose your application uses sg-web for the web layer and sg-database for the database layer. In sg-database, add the rule below to let all resources in sg-web reach port 3306:
{ "IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306", "SourceGroupId": "sg-web", "Policy": "accept", "Priority": 2 }
Authorize another CIDR to access the network
In a classic network, because the network segment is not controllable, it is recommended that you use the security group ID to authorize network access rules.
In a VPC you plan the IP address space yourself and can assign different IP ranges to different vSwitches. So in a VPC you can deny all access by default and then trust only the CIDR blocks of your own network, authorizing directly the CIDR blocks you know to be trustworthy:
[
  { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1",    "SourceCidrIp": "10.0.0.0/24", "Priority": 2 },
  { "IpProtocol": "tcp",  "FromPort": "0",  "ToPort": "65535", "SourceCidrIp": "10.0.0.0/24", "Priority": 2 },
  { "IpProtocol": "udp",  "FromPort": "0",  "ToPort": "65535", "SourceCidrIp": "10.0.0.0/24", "Priority": 2 }
]
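The following Python model is added here as an example; it is not code from the original article or from Alibaba Cloud. It shows how the rule fragments in this section interact once all of an instance's security groups are evaluated together: the priority-100 deny on 3306 is overridden by the priority-2 accept for members of sg-web, a trusted CIDR block reaches the database without being in any group, and a leftover all-ports 0.0.0.0/0 accept in a second group silently undoes the web tier's whitelist. It assumes the evaluation order the article relies on (a smaller Priority number wins, a drop beats an accept at equal priority, and inbound traffic matching no rule is denied); the group IDs, addresses and rule sets are all constructed for the example, and the 198.51.100.0/24 drop rule is an added illustration of the tie-break rather than something from the article.

```python
"""Model of how ECS security group rules are evaluated, with an exposure audit.

Added example for this article; not code from the original page or from
Alibaba Cloud. Assumed semantics: rules from every security group of the
instance are evaluated together, a smaller Priority number wins, a "drop" beats
an "accept" at equal priority, and unmatched inbound traffic is denied. All
group IDs, addresses and rules below are constructed for the example.
"""
import ipaddress

PUBLIC_OK_PORTS = {80, 443, 8080}   # the article's default public whitelist

# Constructed rule sets. sg-web and sg-database follow the article's fragments;
# sg-legacy is a deliberately bad group that the audit should flag.
RULES = {
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 80,   "ToPort": 80,   "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
        {"IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,  "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
        # same priority as the 8080 accept above: the drop wins for this (constructed) abusive range
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "SourceCidrIp": "198.51.100.0/24", "Policy": "drop", "Priority": 1},
    ],
    "sg-database": [
        # lowest-priority catch-all deny for MySQL ...
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "SourceCidrIp": "0.0.0.0/0", "Policy": "drop", "Priority": 100},
        # ... overridden for members of sg-web by a higher-priority accept
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "SourceGroupId": "sg-web", "Policy": "accept", "Priority": 2},
        # trusted VPC range, as in the article's CIDR example
        {"IpProtocol": "tcp",  "FromPort": 0,  "ToPort": 65535, "SourceCidrIp": "10.0.0.0/24", "Policy": "accept", "Priority": 2},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,    "SourceCidrIp": "10.0.0.0/24", "Policy": "accept", "Priority": 2},
    ],
    "sg-legacy": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
    ],
}


def _matches(rule, proto, port, src_ip, src_groups):
    """True if an inbound packet (proto, port) from src_ip / src_groups hits this rule."""
    if rule["IpProtocol"] not in (proto, "all"):
        return False
    lo, hi = rule["FromPort"], rule["ToPort"]
    if lo != -1 and not lo <= port <= hi:        # -1/-1 means "any port", used for icmp
        return False
    if "SourceGroupId" in rule:                   # authorized by group membership, not by address
        return rule["SourceGroupId"] in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["SourceCidrIp"])


def evaluate(dest_groups, proto, port, src_ip, src_groups=(), rules=RULES):
    """Return "accept" or "drop" for one inbound packet to an instance in dest_groups."""
    hits = [r for g in dest_groups for r in rules[g]
            if _matches(r, proto, port, src_ip, src_groups)]
    if not hits:
        return "drop"                             # inbound default: deny
    # smaller Priority wins; at a tie a drop rule beats an accept rule
    best = min(hits, key=lambda r: (r["Priority"], r["Policy"] != "drop"))
    return best["Policy"]


def audit_public_exposure(rules=RULES, allowed=PUBLIC_OK_PORTS):
    """Find accept rules from 0.0.0.0/0 that open any port outside the whitelist."""
    findings = []
    for gid, group_rules in rules.items():
        for r in group_rules:
            if r.get("SourceCidrIp") != "0.0.0.0/0" or r["Policy"] != "accept":
                continue
            lo, hi = r["FromPort"], r["ToPort"]
            span = range(0, 65536) if lo == -1 else range(lo, hi + 1)
            if any(p not in allowed for p in span):
                findings.append((gid, r["IpProtocol"], lo, hi))
    return findings


def verify_required_flows(flows, rules=RULES):
    """Each flow is (label, dest_groups, proto, port, src_ip, src_groups, expected).
    Returns the labels whose result differs from expected. Run it against a
    cloned or proposed rule set before tightening a live security group."""
    return [label for label, dg, proto, port, ip, sg, expected in flows
            if evaluate(dg, proto, port, ip, sg, rules) != expected]


if __name__ == "__main__":
    print(evaluate(["sg-web"], "tcp", 443, "203.0.113.5"))                  # accept
    print(evaluate(["sg-database"], "tcp", 3306, "203.0.113.5"))            # drop
    print(evaluate(["sg-database"], "tcp", 3306, "10.0.1.10", ["sg-web"]))  # accept
    print(evaluate(["sg-web", "sg-legacy"], "tcp", 22, "203.0.113.5"))      # accept: sg-legacy leaks SSH
    print(audit_public_exposure())                                           # [('sg-legacy', 'tcp', 0, 65535)]
```

The audit deliberately treats the deny rule on 3306 as fine and only reports accept rules, because the page's advice is that a 0.0.0.0/0 source is acceptable solely on the small set of public ports. The verify_required_flows check is the programmatic form of the clone-then-test advice earlier in the article: list the flows that must keep working, run them against the cloned rule set, and apply the tightening only when the list of failures is empty.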
Steps and notes for changing security group rules
Changing security group rules may affect network communication between your instances. To make sure that necessary traffic is not interrupted, first use one of the following methods to allow the instances that must stay reachable, and only then apply the change that tightens the security group policy.
Note: after applying a tightening change, observe for a while and confirm that the business application behaves normally before performing any other necessary changes.
Create a new security group, add the instances that need to communicate with each other to it, and then perform the change.
If the authorization type is security group access, add the security group ID bound to the peer instances that need to communicate as the authorization object;
If the authorization type is CIDR block access, add the private IP addresses of the peer instances that need to communicate as the authorization object.