A security group serves as a virtual firewall for your VM instances: it allows or
denies inbound network traffic to, and outbound network traffic from, multiple types
of cloud resources. It provides Layer 3 (L3) network security controls over your VM
instances and filters TCP, UDP, and ICMP packets. With a security group, you can
control specified VM instances on specified networks according to specified security
rules.
Flat networks, vRouter networks, and VPC all support the security group service, which
is provided by the security group network service module.
The security controls over VM instances are enforced with iptables. This method
applies equally to flat networks, vRouter networks, and VPC.
A security group is in effect a distributed firewall. When you modify a rule, or when
you add or delete a NIC, the firewall rules applied to the affected VM instances are
updated accordingly.
Security group rules:
A security group rule applies to one of the following two traffic types, according to
the direction of the data packets:
Ingress: Inbound data packets that access a VM instance.
Egress: Outbound data packets that are sent from a VM instance.
A security group rule supports the following protocol types:
ALL: Includes all protocol types; with this type you cannot specify a port.
TCP: Supports ports 1-65535.
UDP: Supports ports 1-65535.
ICMP: By default, both the start port and the end port are -1, indicating that all
ICMP traffic is matched.
A security group rule can restrict the data sources, whether they are inside or
outside of the VM instances. Currently, a source can be set as a source CIDR or a
source security group:
Source CIDR: Allows only traffic from the specified CIDR.
Source security group: Allows only traffic from the VM instances in the specified
security group.
Note: If you set both a CIDR and a security group, only their intersection takes
effect; that is, traffic must come from an address within the CIDR and from a VM
instance that belongs to the security group.
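The following is an added example, not part of the original documentation and not ZStack's own implementation: a small Python model of the rule semantics described above (direction, protocol type with port ranges, source CIDR, source security group, and the intersection behaviour when both sources are set). The rule set is modelled as an allow list with an implicit default deny, which is an assumption of this model; rule and VM names, addresses, and group names are constructed sample values.

```python
"""Toy evaluator for the security group rule semantics described above.

Constructed illustration, not ZStack's implementation. Assumptions of this model:
  - a security group is an allow list: a packet passes if any rule matches,
    otherwise it is dropped (implicit default deny);
  - ICMP rules use the default start/end of -1, meaning all ICMP traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

PORT_PROTOCOLS = ("TCP", "UDP")
PROTOCOLS = ("ALL", "TCP", "UDP", "ICMP")


@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" or "egress"
    protocol: str                        # "ALL", "TCP", "UDP" or "ICMP"
    start_port: int = -1                 # -1 = not applicable / any
    end_port: int = -1
    source_cidr: Optional[str] = None    # e.g. "10.0.0.0/24"
    source_group: Optional[str] = None   # name of a peer security group

    def __post_init__(self) -> None:
        if self.direction not in ("ingress", "egress"):
            raise ValueError("direction must be ingress or egress")
        if self.protocol not in PROTOCOLS:
            raise ValueError("unsupported protocol %r" % self.protocol)
        if self.protocol in PORT_PROTOCOLS:
            # TCP and UDP rules carry a port range within 1-65535.
            if not (1 <= self.start_port <= self.end_port <= 65535):
                raise ValueError("TCP/UDP port range must lie within 1-65535")
        elif (self.start_port, self.end_port) != (-1, -1):
            # ALL cannot specify a port; ICMP keeps the -1/-1 default here.
            raise ValueError("%s rules cannot specify a port" % self.protocol)
        if self.source_cidr is not None:
            ipaddress.ip_network(self.source_cidr, strict=False)  # validate syntax


def rule_is_valid(*args, **kwargs) -> bool:
    """Return True if a Rule with these fields passes validation."""
    try:
        Rule(*args, **kwargs)
        return True
    except ValueError:
        return False


def rule_matches(rule: Rule, direction: str, protocol: str, port: int,
                 peer_ip: str, peer_groups: FrozenSet[str]) -> bool:
    """Decide whether one rule covers a packet.

    peer_ip is the remote address (the source for ingress, the destination for
    egress); peer_groups are the security groups the remote VM belongs to.
    """
    if rule.direction != direction:
        return False
    if rule.protocol != "ALL" and rule.protocol != protocol:
        return False
    if rule.protocol in PORT_PROTOCOLS and not (rule.start_port <= port <= rule.end_port):
        return False
    # Source constraints: when both CIDR and group are set, BOTH must hold
    # (the intersection), so a peer in the CIDR but outside the group is rejected.
    if rule.source_cidr is not None:
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.source_cidr, strict=False):
            return False
    if rule.source_group is not None and rule.source_group not in peer_groups:
        return False
    return True


def is_allowed(rules: Iterable[Rule], direction: str, protocol: str, port: int,
               peer_ip: str, peer_groups: Iterable[str] = ()) -> bool:
    """Allow-list evaluation: any matching rule permits the packet; none drops it."""
    groups = frozenset(peer_groups)
    return any(rule_matches(r, direction, protocol, port, peer_ip, groups) for r in rules)


# Constructed sample security group for a "web" tier.
WEB_GROUP = [
    Rule("ingress", "TCP", 22, 22, source_cidr="10.0.0.0/24"),              # SSH from admin subnet
    Rule("ingress", "TCP", 80, 80, source_cidr="10.0.1.0/24",
         source_group="app-tier"),                                         # intersection rule
    Rule("ingress", "ICMP"),                                               # all ICMP
    Rule("egress", "ALL"),                                                 # unrestricted egress
]

if __name__ == "__main__":
    print("ssh from admin subnet :", is_allowed(WEB_GROUP, "ingress", "TCP", 22, "10.0.0.5"))
    print("http, cidr only       :", is_allowed(WEB_GROUP, "ingress", "TCP", 80, "10.0.1.5"))
    print("http, cidr and group  :", is_allowed(WEB_GROUP, "ingress", "TCP", 80, "10.0.1.5", {"app-tier"}))
```

The intersection rule is the case worth checking when a group is reviewed: a peer that matches the CIDR but not the security group (or the other way round) is dropped, so a rule that sets both is always at least as restrictive as one that sets either alone.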
A security group topology is shown in Figure 1.
Figure 1. Security group topology (figure not reproduced here)