
Huawei Cloud Security Group Overview

Latest reply: Dec 23, 2021 14:26:18

Security Group

    A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted within a VPC. After you create a security group, you can create different access rules for the security group, and the rules will apply to any ECS that the security group contains.

    Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between ECSs in the group. Your ECSs in this security group can communicate with each other already without adding additional rules. You can directly use the default security group.

Security Group Basics

  • You can associate instances, such as servers and extension NICs, with one or more security groups. You can change the security groups that are associated with instances, such as servers or extension NICs. By default, when you create an instance, it is associated with the default security group of its VPC unless you specify another security group.

  • You need to add security group rules to allow instances in the same security group to communicate with each other.

  • Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.


    Security groups use connection tracking to record the state of traffic to and from the instances they contain, and security group rules are applied based on the connection state of the traffic to decide whether to allow or deny it. If you add, modify, or delete a security group rule, or create or delete an instance in the security group, the connection tracking of all instances in the security group is automatically cleared. The inbound and outbound traffic of those instances is then treated as new connections, which must match the inbound or outbound security group rules. This ensures that rule changes take effect immediately and that incoming traffic is checked against the current rules.

    In addition, if the inbound or outbound traffic of an instance carries no packets for a long time, the connection tracking entry times out and subsequent traffic is treated as new connections, which must again match the outbound and inbound rules. The timeout period of connection tracking varies by protocol. A TCP connection in the established state times out after 600s, and an ICMP connection after 30s. For other protocols, if packets are received in both directions, the connection tracking timeout period is 180s; if one or more packets are received in one direction but none in the other, it is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked.
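The stateful behaviour and the timeouts described above, modeled as an added Python example (illustrative code written for this post, not Huawei Cloud's implementation). It tracks flows for one instance in a group that behaves like the default group (all outbound allowed, all inbound denied), applies the timeouts quoted in the text, tracks only address and protocol for protocols other than TCP, UDP and ICMP, and clears the tracking table on any rule change. The 30 s timeout for a TCP connection that has not yet seen traffic in both directions is an assumption, since the text gives no value for that case; the IP addresses are constructed.

```python
from dataclasses import dataclass

# Connection tracking timeouts quoted in the text (seconds).
TCP_ESTABLISHED_TIMEOUT = 600
ICMP_TIMEOUT = 30
OTHER_TWO_WAY_TIMEOUT = 180
ONE_WAY_TIMEOUT = 30  # also used for TCP before both directions are seen (assumption)
ANY = ("any", 0)      # rule shorthand: any protocol, any port


@dataclass
class Packet:
    direction: str       # "in" or "out", relative to the instance
    proto: str           # "tcp", "udp", "icmp" or a protocol number such as "47"
    peer: str            # remote IP address
    peer_port: int = 0   # 0 for protocols without ports
    local_port: int = 0


@dataclass
class Flow:
    proto: str
    last_seen: float
    seen_in: bool = False
    seen_out: bool = False

    def timeout(self):
        two_way = self.seen_in and self.seen_out
        if self.proto == "tcp":
            return TCP_ESTABLISHED_TIMEOUT if two_way else ONE_WAY_TIMEOUT
        if self.proto == "icmp":
            return ICMP_TIMEOUT
        return OTHER_TWO_WAY_TIMEOUT if two_way else ONE_WAY_TIMEOUT


class SecurityGroup:
    def __init__(self, inbound, outbound):
        # Rules are (protocol, destination port) tuples; port 0 means any port.
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = {}  # connection tracking table

    @staticmethod
    def _key(pkt):
        # Only address and protocol are tracked for protocols other than TCP, UDP and ICMP.
        if pkt.proto in ("tcp", "udp", "icmp"):
            return (pkt.proto, pkt.peer, pkt.peer_port, pkt.local_port)
        return (pkt.proto, pkt.peer)

    @staticmethod
    def _allowed(rules, pkt):
        dst_port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
        return any(r == ANY or (r[0] == pkt.proto and r[1] in (0, dst_port)) for r in rules)

    def change_rules(self, inbound=None, outbound=None):
        self.inbound = list(inbound) if inbound is not None else self.inbound
        self.outbound = list(outbound) if outbound is not None else self.outbound
        # Any rule change clears tracking for every instance in the group.
        self.flows.clear()

    def process(self, pkt, now):
        """Return True if the packet is allowed, updating the tracking table."""
        key = self._key(pkt)
        flow = self.flows.get(key)
        if flow is not None and now - flow.last_seen > flow.timeout():
            del self.flows[key]  # idle longer than the protocol timeout: forget it
            flow = None
        if flow is None:
            # New connection: it must match the rules for its own direction.
            rules = self.inbound if pkt.direction == "in" else self.outbound
            if not self._allowed(rules, pkt):
                return False
            flow = self.flows[key] = Flow(pkt.proto, now)
        # Tracked connection: traffic in either direction passes without a rule check.
        flow.last_seen = now
        setattr(flow, "seen_in" if pkt.direction == "in" else "seen_out", True)
        return True


def demo():
    # Replay the scenarios from the text; returns one allow/deny decision per step.
    sg = SecurityGroup(inbound=[], outbound=[ANY])  # default group behaviour
    https_out = Packet("out", "tcp", "203.0.113.5", 443, 40000)  # constructed addresses
    https_in = Packet("in", "tcp", "203.0.113.5", 443, 40000)
    ping_out = Packet("out", "icmp", "203.0.113.9")
    ping_in = Packet("in", "icmp", "203.0.113.9")
    ssh_in = Packet("in", "tcp", "198.51.100.7", 50000, 22)
    decisions = [
        sg.process(https_out, now=0),   # True: outbound rule matches, flow is now tracked
        sg.process(https_in, now=1),    # True: reply to a tracked flow, no inbound rule needed
        sg.process(https_in, now=701),  # False: idle > 600 s, so treated as a new inbound connection
        sg.process(ssh_in, now=702),    # False: unsolicited inbound, no inbound rule
        sg.process(ping_out, now=800),  # True
        sg.process(ping_in, now=820),   # True: reply within the 30 s ICMP timeout
        sg.process(ping_in, now=900),   # False: ICMP tracking expired after 30 s idle
        sg.process(https_out, now=1000) and sg.process(https_in, now=1001),  # True again
    ]
    sg.change_rules(inbound=[("tcp", 22)])            # clears the tracking table
    decisions.append(sg.process(https_in, now=1002))  # False: no longer tracked, no rule for it
    decisions.append(sg.process(ssh_in, now=1003))    # True: new inbound SSH now matches a rule
    return decisions
```

The step that fails after the rule change is the one worth noticing in operations: an established session that was only ever allowed by connection tracking is dropped the moment any rule in the group is edited, so an inbound rule for the traffic you rely on must exist before the edit, not after.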



Security Group Rules

After you create a security group, you can add rules to the security group. A rule applies either to inbound traffic or outbound traffic. After you add ECSs to the security group, they are protected by the rules of the group.

A security group rule consists of:

  • Source (inbound rule) or Destination (outbound rule): The value can be an IP address (such as 192.168.10.10/32), an IP address range (such as 192.168.52.0/24), an IP address group, or a security group (such as sg-abc).

  • Protocol & Port: The port value can be an individual port (such as 22), consecutive ports (such as 22-30), a mix of ports and port ranges (such as 20,23-30), or all ports (1-65535). The protocol can be TCP, UDP, HTTP, and others.

  • Type: The value can be IPv4 or IPv6.

  • Description: Supplementary information about the security group rule.



Security Group Template

You can select one of the following security group templates provided by the system to quickly create a security group with default rules.

  • General-purpose web server: The security group that you create using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389.

  • All ports open: The security group that you create using this template includes default rules that allow inbound traffic on any port. Note that allowing inbound traffic on any port poses security risks.

  • Custom: The security group that you create using this template includes default rules that deny inbound traffic on any port. You can add or modify security group rules as required.




Security Group Configuration Process

Figure 1 Process for configuring a security group





Security Group Constraints

  • By default, you can create a maximum of 100 security groups in your cloud account.

  • By default, you can add up to 50 security group rules to a security group.

  • By default, you can add an ECS or an extension NIC to a maximum of five security groups. In such a case, the rules of all the selected security groups are aggregated to take effect.

  • You can add a maximum of 20 instances to a security group at a time.

  • You can add a maximum of 1000 instances to each security group.

Suggestions

When using a security group:

  • Do not add all instances to the same security group if they have different isolation requirements.

  • You do not need to create a security group for each instance. Instead, add instances with the same security requirements to the same security group.

When adding a security group rule:

  • Define simple security group rules. For example, if you add an instance to multiple security groups, the instance may be subject to hundreds of security group rules, and a change to any one rule may cause network disconnection for the instance.

  • Before you modify a security group and its rules, clone the security group and then modify the cloned security group to test communication and prevent adverse impact on running services. For details.

  • When adding a security group rule for an instance, grant the minimum permissions possible. For example:

      • Open a specific port, for example, 22. It is not recommended that you open a port range, for example, 22-30.

      • It is not recommended that you enter 0.0.0.0/0, allowing traffic to or from all IP addresses.
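The rule components listed under "Security Group Rules" and the least-privilege suggestions above, as an added Python example that is not from Huawei Cloud or this post: it parses the port formats the text lists, matches traffic against rules whose source is a CIDR or a security group, aggregates the rules of several groups attached to one instance (any matching rule allows), and flags rules that use 0.0.0.0/0, a port range, or all ports. The Rule fields, the `sg-` prefix for group references, the `"any"` protocol name, and the sample rules and addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ALL_PORTS = (1, 65535)


def parse_ports(spec):
    """Expand a console port spec into (low, high) ranges: '22', '22-30', '20,23-30', '1-65535'."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port spec: {spec!r}")
        ranges.append((lo, hi))
    return ranges


@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    protocol: str     # "tcp", "udp", "icmp" or "any" (name chosen for this example)
    ports: str        # port spec as written in the console; "" when the protocol has no ports
    source: str       # CIDR such as 192.168.52.0/24, or a group reference such as sg-abc
    description: str = ""

    def matches(self, proto, port, peer_ip, peer_groups=()):
        if self.protocol not in ("any", proto):
            return False
        if self.ports and not any(lo <= port <= hi for lo, hi in parse_ports(self.ports)):
            return False
        if self.source.startswith("sg-"):  # assumed prefix for security group references
            return self.source in peer_groups  # the peer must be a member of that group
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.source, strict=False)


def inbound_allowed(groups, proto, port, peer_ip, peer_groups=()):
    """An instance can be in several groups; their rules are aggregated, so any match allows."""
    return any(rule.direction == "inbound" and rule.matches(proto, port, peer_ip, peer_groups)
               for group in groups for rule in group)


def lint(rule):
    """Findings for rules that ignore the least-privilege suggestions in the text."""
    findings = []
    if rule.source in ("0.0.0.0/0", "::/0"):
        findings.append("source allows all IP addresses")
    for lo, hi in (parse_ports(rule.ports) if rule.ports else []):
        if (lo, hi) == ALL_PORTS:
            findings.append("all ports open")
        elif lo != hi:
            findings.append(f"port range {lo}-{hi} instead of a specific port")
    if rule.protocol == "any":
        findings.append("any protocol")
    return findings


# Constructed sample: one instance attached to a web group and a management group.
WEB = [
    Rule("inbound", "tcp", "80,443", "0.0.0.0/0", "public web"),
    Rule("inbound", "tcp", "22", "sg-bastion", "ssh from bastion"),
]
MGMT = [
    Rule("inbound", "tcp", "22-30", "10.0.0.0/8", "corp ssh range"),
]


def demo():
    groups = [WEB, MGMT]
    return {
        "https_from_internet": inbound_allowed(groups, "tcp", 443, "198.51.100.7"),   # True
        "ssh_from_internet": inbound_allowed(groups, "tcp", 22, "198.51.100.7"),      # False
        "ssh_from_bastion": inbound_allowed(groups, "tcp", 22, "203.0.113.4", ["sg-bastion"]),  # True
        "ssh_from_corp": inbound_allowed(groups, "tcp", 22, "10.1.2.3"),              # True, via MGMT
        "rdp_from_corp": inbound_allowed(groups, "tcp", 3389, "10.1.2.3"),            # False
        "findings": {r.description: lint(r) for g in groups for r in g},
    }
```

Because the groups are aggregated, the wide `22-30` rule in the management group also opens SSH from the whole 10.0.0.0/8 range to an instance whose web group only meant to allow it from the bastion group; running `lint` over every group attached to an instance, not just the one being edited, is what surfaces that.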




Default Security Groups and Security Group Rules

    Your account automatically comes with a default security group (Sys-default). The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between ECSs in the group. Your ECSs in this security group can communicate with each other already without adding additional rules.


Figure 2 shows the default security group



NOTE:

    • You cannot delete the default security group, but you can modify the rules for the default security group.

    • If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs. For details about VPC connectivity



Table 1 Rules in the default security group (Sys-default)





Ref:

HuaweiCloud.

AL_93
Created Aug 22, 2021 09:07:32

Nice

hemin88
Created Aug 26, 2021 07:53:42

Appreciate your support

Sara_Obaid
Created Aug 26, 2021 12:46:58

Great. Thank you for sharing.

simchamnan
Created Sep 29, 2021 12:44:20

good

hemin88
Created Sep 29, 2021 14:28:14

Many thanks

GhaziAsad
Created Dec 18, 2021 16:22:40

:)

user_4358465
Created Dec 18, 2021 16:17:16

Excellent overview on Huawei Cloud Security Group!

Ayeshaali
Created Dec 18, 2021 16:21:54

Great

Ayeshaali
Created Dec 18, 2021 16:22:02

Thanks for sharing

GhaziAsad
Created Dec 18, 2021 16:22:30

Thank you for sharing.

Unicef (MVE)
Created Dec 23, 2021 14:26:18

GOOD SHARE, THANKS
