This article covers how to authorize and revoke security group rules and how to join and leave security groups on Alibaba Cloud ECS. It is intended as a reference for anyone managing ECS security groups.
This article will introduce the following contents of the security group:
Authorization and revocation of security group rules.
Join security group and leave security group.
Alibaba Cloud offers two network types, classic network and VPC, and each supports a different set of security group rule directions:
Classic network: intranet inbound, intranet outbound, public network inbound and public network outbound.
VPC: inbound and outbound.
Concepts of security group intranet communication
Before starting this article, you should know the following concepts of security group intranet communication:
By default, only ECS instances in the same security group can communicate with each other over the network. Even ECS instances under the same account cannot reach each other over the intranet if they belong to different security groups. This applies to both classic and VPC networks, so classic network ECS instances are also isolated on the intranet.
If you have two ECS instances in different security groups that you expect not to communicate over the intranet, but they actually do, check the intranet rule settings of your security group. If the intranet rules contain either of the following, you should reset them:
Allow all ports;
Authorization object (SourceCidrIp) of 0.0.0.0/0 or 10.0.0.0/8.
On a classic network, such rules expose your intranet to access from instances outside the security group.
If you want to achieve network communication between resources in different security groups, you should use security group authorization. For intranet access, you should use source security group authorization instead of CIDR segment authorization.
Attributes of security rules
Security rules mainly describe different access rights, including the following attributes:
Policy: authorization policy; the value is accept (allow) or drop (deny).
Priority: rules are matched in descending order of their creation time. The valid range of a rule priority is 1-100; the default value is 1, which is the highest priority. The higher the number, the lower the priority.
NicType: network type. If only SourceGroupId is specified, without SourceCidrIp, authorization is done through the security group, and in that case NicType must be intranet.
Rule description:
IpProtocol: IP protocol, value: tcp | udp | icmp | gre | all. all means all protocols.
PortRange: IP protocol-related port number range:
When IpProtocol is tcp or udp, the port number range is 1~65535 and the format must be "start port/end port"; for example "1/200" means ports 1 to 200. If you enter "200/1", the API call returns an error.
When the IpProtocol value is icmp, gre or all, the port number range is -1/-1, which means no port restriction.
If authorizing through a security group, specify SourceGroupId, the ID of the source security group. If you are authorizing across accounts, also set SourceGroupOwnerAccount, the account that owns the source security group.
If authorized through CIDR, you should specify SourceCidrIp, that is, the source IP address segment, which must use CIDR format.
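The following added Python example (not Alibaba Cloud code and not from the original article) checks a rule dict against the attribute constraints listed above, and also flags the intranet allow-all rules from the earlier section that the article says to reset. Field names follow the OpenAPI parameters on this page; the rule dict layout and the "1/65535" shorthand for all ports are assumptions.

```python
import ipaddress

VALID_POLICY, VALID_NIC = {"accept", "drop"}, {"intranet", "internet"}
VALID_PROTO = {"tcp", "udp", "icmp", "gre", "all"}
RISKY_INTRANET_CIDRS = {"0.0.0.0/0", "10.0.0.0/8"}   # segments the article says to reset

def parse_port_range(ip_protocol, port_range):
    # Returns (start, end) or raises ValueError, following the PortRange rules above
    start, end = (int(p) for p in port_range.split("/"))   # bad format -> ValueError
    if ip_protocol in ("tcp", "udp"):
        if not 1 <= start <= end <= 65535:    # "200/1" is rejected, as the API does
            raise ValueError("tcp/udp need 1 <= start <= end <= 65535, e.g. 1/200")
    elif (start, end) != (-1, -1):            # icmp/gre/all carry no port restriction
        raise ValueError("icmp/gre/all require PortRange -1/-1")
    return start, end

def validate_rule(rule):
    # Checks one rule dict; returns the list of problems found (empty list == valid)
    problems = []
    if rule.get("Policy") not in VALID_POLICY:
        problems.append("Policy must be accept or drop")
    if not 1 <= int(rule.get("Priority", 1)) <= 100:
        problems.append("Priority must be 1-100")
    if rule.get("NicType") not in VALID_NIC:
        problems.append("NicType must be intranet or internet")
    if rule.get("IpProtocol") not in VALID_PROTO:
        problems.append("IpProtocol must be tcp, udp, icmp, gre or all")
    else:
        try:
            parse_port_range(rule["IpProtocol"], rule.get("PortRange", ""))
        except ValueError as e:
            problems.append("PortRange: %s" % e)
    if "SourceCidrIp" in rule:
        try:   # must be CIDR notation; strict=False checks only the format
            ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        except ValueError:
            problems.append("SourceCidrIp must be in CIDR format")
    elif "SourceGroupId" in rule and rule.get("NicType") != "intranet":
        problems.append("SourceGroupId authorization requires NicType intranet")
    elif "SourceGroupId" not in rule:
        problems.append("specify SourceCidrIp or SourceGroupId")
    return problems

def is_risky_intranet_rule(rule):
    # Flags the intranet allow rules the article says to reset: all ports for 0.0.0.0/0 or 10.0.0.0/8
    all_ports = rule.get("IpProtocol") == "all" or rule.get("PortRange") == "1/65535"
    return (rule.get("NicType") == "intranet" and rule.get("Policy") == "accept"
            and all_ports and rule.get("SourceCidrIp") in RISKY_INTRANET_CIDRS)
```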
Authorize a network access request rule
When you create a security group in the console or through the API, the network access direction defaults to deny all, so by default every network access request is rejected. This does not suit every situation, so configure your access rules appropriately.
For example, suppose you need to open port 80 on the public network to provide HTTP to the outside world. Because this is public access and should be reachable by as many clients as possible, do not restrict the source IP segment: set it to 0.0.0.0/0. The specific settings are listed below; the console parameter is outside the brackets and the OpenAPI parameter is inside them, and where the two are the same no distinction is made.
Network card type (NicType): public network (internet). For a VPC instance, enter intranet; public access is then provided through an EIP.
Authorization policy (Policy): allow (accept).
Rule direction (NicType): inbound.
Protocol type (IpProtocol): TCP (tcp).
Port range (PortRange): 80/80.
Authorization object (SourceCidrIp): 0.0.0.0/0.
Priority: 1.
Note: the above applies only to public network access. Using CIDR segments for intranet requests is not recommended; see the section below on the intranet security group rules of classic networks, which advises against CIDR or IP authorization.
Deny an inbound request rule
To deny a request, configure a drop policy and give the rule a low priority (a high number). Other, higher-priority rules can then override it when necessary. For example, the following settings deny access to port 6379.
Network card type (NicType): intranet.
Authorization Policy (Policy): Deny (drop).
Rule direction (NicType): inbound.
Protocol type (IpProtocol): TCP (tcp).
Port Range (PortRange): 6379/6379.
Authorization object (SourceCidrIp): 0.0.0.0/0.
Priority: 100.
Do not use CIDR or IP authorization for intranet security group rules of classic networks
For classic network ECS instances, Alibaba Cloud does not enable any intranet access rules by default. Be careful when authorizing intranet access.
For security reasons, it is not recommended to enable any authorization based on CIDR network segments.
In elastic computing, intranet IP addresses change frequently and their network segments are irregular. For the classic network intranet, therefore, authorize access through security groups.
For example, suppose you have built a Redis cluster in the security group sg-redis. To allow only specific machines (those in sg-web) to access this Redis server group, you do not need to configure any CIDR; add an inbound rule that simply specifies the source security group ID:
Network card type (NicType): intranet.
Authorization policy (Policy): allow (accept).
Rule direction (NicType): inbound.
Protocol type (IpProtocol): TCP (tcp).
Port Range (PortRange): 6379/6379.
Authorization object (SourceGroupId): sg-web.
Priority: 1.
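To show how the deny rule for port 6379 at priority 100 (previous section) and the allow rule from sg-web at priority 1 combine, here is an added Python model of the priority ordering described above; it is not Alibaba Cloud code. The packet fields, the constructed rule set and the tie-break by creation order are assumptions.

```python
import ipaddress

# Constructed rule set from the article's worked examples: deny 6379 from anywhere at
# priority 100, allow 6379 from sg-web at priority 1. "created" is the order in which the
# rules were added and is used only to break ties between equal priorities (assumption).
RULES = [
    {"Policy": "drop", "Priority": 100, "NicType": "intranet", "IpProtocol": "tcp",
     "PortRange": "6379/6379", "SourceCidrIp": "0.0.0.0/0", "created": 1},
    {"Policy": "accept", "Priority": 1, "NicType": "intranet", "IpProtocol": "tcp",
     "PortRange": "6379/6379", "SourceGroupId": "sg-web", "created": 2},
]

def _matches(rule, pkt):
    # pkt: dict with nic, proto, port, src_ip and src_groups (groups the sender belongs to)
    if rule["NicType"] != pkt["nic"]:
        return False
    if rule["IpProtocol"] != "all" and rule["IpProtocol"] != pkt["proto"]:
        return False
    start, end = (int(p) for p in rule["PortRange"].split("/"))
    if (start, end) != (-1, -1) and not start <= pkt["port"] <= end:
        return False
    if "SourceGroupId" in rule:            # source security group authorization
        return rule["SourceGroupId"] in pkt["src_groups"]
    return ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(rule["SourceCidrIp"])

def decide(rules, pkt, default="drop"):
    # Lower Priority number wins; the first matching rule decides. Anything no rule
    # matches falls back to the security group's default of denying the request.
    for rule in sorted(rules, key=lambda r: (r["Priority"], r["created"])):
        if _matches(rule, pkt):
            return rule["Policy"]
    return default

def demo():
    # A member of sg-web reaches Redis; an instance in another group is dropped.
    web = {"nic": "intranet", "proto": "tcp", "port": 6379,
           "src_ip": "10.0.1.5", "src_groups": {"sg-web"}}
    other = dict(web, src_ip="10.0.2.9", src_groups={"sg-batch"})
    return decide(RULES, web), decide(RULES, other)   # ("accept", "drop")

if __name__ == "__main__":
    print(demo())
```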
For VPC instances, if you have planned your own IP ranges through multiple VSwitches, you can use CIDR settings as security group inbound rules; if your VPC network segments are not clearly planned, prefer security groups as the source of inbound rules.
Add the ECS instances that need to communicate with each other to the same security group
An ECS instance can join up to 5 security groups, and ECS instances in the same security group can reach each other over the network. If you already have multiple security groups and setting many security rules directly would be too complex, create a new security group and add the ECS instances that need intranet communication to it.
Security groups differentiate between network types. An ECS instance of the classic network type can only join the security group of the classic network; a VPC type ECS instance can only join the security group of this VPC.
It is not recommended that you add all ECS instances to one security group; that makes your security group rules a nightmare to manage. In a medium to large application each server group has a different role, so plan the inbound and outbound requests of each server carefully.
On the console, you can add an instance to a security group as described in the document Join Security Group.
If you are very familiar with Alibaba Cloud's OpenAPI, you can refer to Using OpenAPI to elastically manage ECS instances and perform batch operations through OpenAPI. The corresponding Python snippet is as follows.
import json
import logging

from aliyunsdkcore.client import AcsClient
from aliyunsdkecs.request.v20140526.JoinSecurityGroupRequest import JoinSecurityGroupRequest

# Placeholder credentials and region; this client setup is assumed and was not in the original snippet
clt = AcsClient('<ACCESS_KEY_ID>', '<ACCESS_KEY_SECRET>', '<REGION_ID>')

def join_sg(sg_id, instance_id):
    request = JoinSecurityGroupRequest()
    request.set_InstanceId(instance_id)
    request.set_SecurityGroupId(sg_id)
    response = _send_request(request)
    return response

# send open api request
def _send_request(request):
    request.set_accept_format('json')
    try:
        response_str = clt.do_action(request)
        logging.info(response_str)
        response_detail = json.loads(response_str)
        return response_detail
    except Exception as e:
        logging.error(e)
Remove the ECS instance from the security group
If an ECS instance has been added to an inappropriate security group, your service will be exposed or blocked; in that case you can remove the ECS instance from that security group. Before removing it, make sure the ECS instance has already joined another security group.
Note: Moving an ECS instance out of a security group will cause the ECS instance to be disconnected from the network in the current security group. It is recommended that you conduct sufficient testing before moving out.
The corresponding Python snippet is as follows.
import json
import logging

from aliyunsdkcore.client import AcsClient
from aliyunsdkecs.request.v20140526.LeaveSecurityGroupRequest import LeaveSecurityGroupRequest

# Placeholder credentials and region; this client setup is assumed and was not in the original snippet
clt = AcsClient('<ACCESS_KEY_ID>', '<ACCESS_KEY_SECRET>', '<REGION_ID>')

def leave_sg(sg_id, instance_id):
    request = LeaveSecurityGroupRequest()
    request.set_InstanceId(instance_id)
    request.set_SecurityGroupId(sg_id)
    response = _send_request(request)
    return response

# send open api request
def _send_request(request):
    request.set_accept_format('json')
    try:
        response_str = clt.do_action(request)
        logging.info(response_str)
        response_detail = json.loads(response_str)
        return response_detail
    except Exception as e:
        logging.error(e)
Define reasonable security group names and labels
Reasonable security group names and descriptions help you quickly identify the rule combination currently in use. Modify the name and description so that you can recognize each security group at a glance.
You can also manage your own security groups by setting label groups for security groups. You can set labels directly in the console or through the API.
Delete unnecessary security groups
The security rules in a security group behave like whitelists and blacklists. Do not keep security groups you no longer need, to avoid the trouble caused by mistakenly adding an ECS instance to one.