Security Group

A security group provides L3 network security controls over VM instances by filtering TCP, UDP, and ICMP packets. You use a security group to apply a set of security rules to specified VM instances on specified networks.
  • Flat networks, vRouter networks, and VPC networks support the security group service. The service is provided by the security group network service module and is enforced with iptables rules that filter the traffic of the VM instances.
  • A security group is in effect a distributed firewall. When you modify a rule, or add or remove a NIC, the iptables rules enforcing the group for the affected VM instances are regenerated.
Security group rule:
  • A security group rule has one of the following two types, according to the direction of the data packets:
    • Ingress: Represents inbound data packets that access a VM instance.
    • Egress: Represents outbound data packets that are sent from a VM instance.
  • A security group rule supports the following protocol types:
    • ALL: Matches all protocol types. When you select ALL, you cannot specify a port.
    • TCP: Supports ports 1-65535.
    • UDP: Supports ports 1-65535.
    • ICMP: By default, both the start port and the end port are -1, which matches all ICMP types.
  • A security group rule can restrict the source of the traffic, which can lie either inside or outside the security group. Currently, the source can be set as a source CIDR or a source security group.
    • Source CIDR: Allows only traffic from the specified CIDR.
    • Source security group: Allows only traffic from the VM instances in the specified security group.
    Note: If you set both a CIDR and a security group, only traffic that matches both (their intersection) is allowed.
A security group topology is shown in Figure 1.
Figure 1. Security Group


Security Group Usage

The basic workflow of using a security group is as follows: select an L3 network, set the corresponding security group rules, and add the NICs of the specified VM instances to the security group.

Create Security Group

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Security Group. On the Security Group page, click Create Security Group. On the displayed Create Security Group page, set the following parameters:
  • Name: Enter a name for the security group.
  • Description: Optional. Enter a description for the security group.
  • Network: Select an existing L3 network. Different types of L3 network are supported, including public network, private network, and VPC network.
    Note: You can add more than one L3 network of the same type at a time, but cannot add multiple L3 networks of different types.
  • Rule: Optional. You can set a security group rule when or after you create a security group.
  • NIC: Optional. Select a VM instance to add its NIC to the security group. You can add a VM NIC when or after you create a security group.
Click OK to finish creating a security group, as shown in Figure 2.
Figure 2. Create Security Group


Set Security Group Rule

Assume that you set a security group rule directly when you create a security group. On the Create Security Group page, click the Plus sign (+) in the Rule section. On the displayed Set Rules page, set the following parameters:
  • Type: Select the type (direction) of the security group rule, for example, ingress.
  • Protocol: Select a protocol, for example, TCP.
  • Start Port: Enter a port between 1 and 65535 as the start port, for example, 23.
  • End Port: Enter a port between 1 and 65535 as the end port, for example, 1024.
  • IP Address Type: Select an IP address type. Options: IPv4 | IPv6.
  • CIDR: Optional. If specified, only traffic from the specified CIDR is allowed.
  • Source Security Group: Optional. If specified, only traffic from VM instances in the specified security group is allowed. If you set both a CIDR and a source security group, only traffic that matches both is allowed.
You can set a rule for a security group, as shown in Figure 3.
Figure 3. Set Rule


Add VM NIC to Security Group

Assume that you add a VM NIC directly when you create a security group. On the Create Security Group page, click the Plus sign (+) in the NIC section. On the displayed Select NIC page, select the target VM instance.

You can add VM NICs to a security group, as shown in Figure 4.
Figure 4. Add VM NIC to Security Group


Security Group Operations

You can perform the following operations on a security group.
  • Enable: Enable the security group. After you enable a security group, all the associated security group rules and services will also be enabled.
  • Disable: Disable the security group. After you disable a security group, all the associated security group rules and services will be unavailable.
  • Modify name and description: Modify the name and description of the security group.
  • Attach L3 network: Attach the security group to one or more L3 networks. Note that these L3 networks will share the same security group rules.
  • Detach L3 network: Detach an L3 network from the security group.
  • Add rule: Add a rule to the security group.
  • Delete rule: Delete a rule from the security group.
  • Bind VM NIC: Bind the security group to a VM NIC. Note that you can bind a security group to multiple VM instances. NICs of these VM instances will share the same security group rules.
  • Unbind VM NIC: Unbind the security group from a VM NIC.
  • Delete: Delete the security group. Deleting a security group will also delete the associated security group rules and services.
  • Audit: View the record of operations performed on the security group.

Constraints

The constraints of a security group are as follows:
  • A security group can be attached to more than one VM instance. These VM instances will share the same security group rules.
  • A security group can be attached to more than one L3 network. These L3 networks will share the same security group rules.
  • A security group is an allow list: every security group rule is an "Allow" rule, and traffic that matches no rule is denied. Once you set an allow rule for a port, other ports in that direction are not allowed.
  • When you create a security group, the system automatically adds two rules (an inbound rule and an outbound rule, both with protocol ALL) that permit communication among the VM instances in the group. You can delete these two default rules to block intra-group communication.
  • If you set no rule when you create a security group, inbound traffic to the VM instances in the group is denied, while outbound traffic from them is allowed.
  • If you use a security group together with other network services, such as load balancing or the vRouter table, make sure that the rules required by those network services are added to the security group; otherwise the allow-list behaviour above will drop their traffic.
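The rule semantics described under "Security group rule" (direction, protocol and port range, source CIDR and source security group, and their intersection) together with the constraints in this section (allow-list behaviour, the two default intra-group ALL rules, default-deny ingress and default-allow egress) can be captured in a small evaluator. The following Python is an added example written for this page, not ZStack's implementation: the group names, member addresses and rules are constructed, and treating a non -1 ICMP start port as a single ICMP type is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical model of the page's rule semantics (added example, not ZStack code).


@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" or "egress"
    protocol: str                        # "ALL", "TCP", "UDP" or "ICMP"
    start_port: int = -1                 # -1 = not specified (ALL, or ICMP "all types")
    end_port: int = -1
    cidr: Optional[str] = None           # allowed source CIDR
    source_group: Optional[str] = None   # allowed source security group (by name)
    default: bool = False                # True for the two auto-created intra-group rules

    def __post_init__(self):
        if self.direction not in ("ingress", "egress"):
            raise ValueError("direction must be ingress or egress")
        if self.protocol not in ("ALL", "TCP", "UDP", "ICMP"):
            raise ValueError("unsupported protocol")
        if self.protocol == "ALL" and (self.start_port, self.end_port) != (-1, -1):
            raise ValueError("protocol ALL cannot specify a port")
        if self.protocol in ("TCP", "UDP") and not (1 <= self.start_port <= self.end_port <= 65535):
            raise ValueError("TCP/UDP ports must satisfy 1 <= start <= end <= 65535")


@dataclass
class SecurityGroup:
    name: str
    members: Set[str]   # IP addresses of the VM NICs bound to the group
    rules: List[Rule]


def new_group(name: str, members: Set[str]) -> SecurityGroup:
    """Create a group with the two default ALL rules that allow intra-group traffic."""
    defaults = [Rule("ingress", "ALL", source_group=name, default=True),
                Rule("egress", "ALL", source_group=name, default=True)]
    return SecurityGroup(name, set(members), defaults)


def is_valid_rule(**kwargs) -> bool:
    try:
        Rule(**kwargs)
        return True
    except ValueError:
        return False


def _remote_allowed(rule: Rule, remote_ip: str, groups: Dict[str, SecurityGroup]) -> bool:
    """CIDR and source group are ANDed: with both set, only their intersection passes."""
    if rule.cidr is not None:
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
            return False
    if rule.source_group is not None:
        sg = groups.get(rule.source_group)
        if sg is None or remote_ip not in sg.members:
            return False
    return True


def rule_matches(rule: Rule, direction: str, proto: str, port: int,
                 remote_ip: str, groups: Dict[str, SecurityGroup]) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol != "ALL" and rule.protocol != proto:
        return False
    if rule.protocol in ("TCP", "UDP") and not (rule.start_port <= port <= rule.end_port):
        return False
    # Assumption: an ICMP rule with start port -1 matches every ICMP type; a non -1
    # start port is treated here as a single ICMP type.
    if rule.protocol == "ICMP" and rule.start_port != -1 and port != rule.start_port:
        return False
    return _remote_allowed(rule, remote_ip, groups)


def evaluate(group: SecurityGroup, groups: Dict[str, SecurityGroup],
             direction: str, proto: str, port: int, remote_ip: str) -> bool:
    """Allow-list evaluation. remote_ip is the packet source for ingress and the
    destination for egress; port is the destination port (the ICMP type for ICMP).
    Unmatched ingress is denied. Unmatched egress is allowed only while the user
    has added no egress rule of their own (the default rules do not count)."""
    if any(rule_matches(r, direction, proto, port, remote_ip, groups) for r in group.rules):
        return True
    if direction == "egress":
        return not any(r.direction == "egress" and not r.default for r in group.rules)
    return False


# Constructed sample topology (not from the page): a web tier and a bastion group.
GROUPS: Dict[str, SecurityGroup] = {
    "bastion": new_group("bastion", {"10.0.1.5", "10.0.2.7"}),
    "web": new_group("web", {"10.0.0.10", "10.0.0.11"}),
}
GROUPS["web"].rules += [
    Rule("ingress", "TCP", 80, 80, cidr="0.0.0.0/0"),                            # HTTP from anywhere
    Rule("ingress", "TCP", 22, 22, cidr="10.0.1.0/24", source_group="bastion"),  # SSH: CIDR AND group
    Rule("ingress", "ICMP", cidr="10.0.0.0/8"),                                  # all ICMP from 10/8
]


def check(direction: str, proto: str, port: int, remote_ip: str, group: str = "web") -> bool:
    return evaluate(GROUPS[group], GROUPS, direction, proto, port, remote_ip)


if __name__ == "__main__":
    for case in [("ingress", "TCP", 80, "203.0.113.9"), ("ingress", "TCP", 22, "10.0.2.7"),
                 ("ingress", "UDP", 5000, "10.0.0.11"), ("egress", "TCP", 443, "203.0.113.9")]:
        print(case, "ALLOW" if check(*case) else "DENY")
```

Each decision scans the group's rules for a match; because there are no deny rules, rule order never matters, which is what lets the page describe the group as an allow list. The bastion member at 10.0.2.7 is denied SSH even though it is in the source group, because the rule's CIDR 10.0.1.0/24 is ANDed with the group, and the two `default=True` rules reproduce the automatic intra-group rules while being excluded from the check that decides whether the user has added egress rules of their own.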