
Virtual Firewalls vs Security Groups on Huawei Cloud Stack

Created: Apr 22, 2021 01:43:10  Latest reply: Jul 17, 2022 05:10:30
Rewarded HiCoins: 0 (problem resolved)

Hello team!


This post enquires about Virtual Firewalls vs Security Groups on Huawei Cloud Stack. Please see below for more details.


ISSUE DESCRIPTION


We have one Huawei Cloud Stack 8.0; however, I have some doubts about some concepts, such as virtual firewalls and security groups. What are the differences between them?


Thanks in advance for your assistance!


Featured Answers
olive.zhao
Admin Created Apr 22, 2021 01:48:24

Hello, Pupu!

Both virtual firewalls and security groups are used to ensure the security of cloud servers in a VPC.

You can set up a virtual firewall to add a security layer to your VPC based on security groups for flexible and layered security management of your VPC.

Differences between virtual firewalls and security groups

Protection object
  Security Group: Cloud servers
  Virtual Firewall: Subnets in Region Type I

Configuration policy
  Security Group: Only the Allow policy is supported.
  Virtual Firewall: Allow, Reject, and Deny policies are supported.
    NOTE: Reject applies only to the Region Type II scenario.

Priority
  Security Group: If multiple security group rules conflict, the union set takes effect.
  Virtual Firewall: If multiple firewall rules conflict, the rules earlier in sequence take precedence.

Default rule
  Security Group: All data packets in the outbound direction are allowed to pass through. Only the traffic in the security group is allowed to pass in the inbound direction.
  Virtual Firewall:
    • Allows broadcast packets with a destination of 255.255.255.255/32 in Region Type I.
    • Allows multicast packets with a destination of 224.0.0.0/24 in Region Type I.
    • Allows metadata packets with a destination of 169.254.169.254/32 and with TCP port 80 in Region Type I.
    • Allows packets from the CIDR blocks that are reserved for public services. For example, allows packets with a destination of 100.126.0.0/16 in Region Type I.
    • Allows packets with a destination of ff00::/8 (multicast IP address) in Region Type I.
    • Allows packets with a source of fe80::/64 (link local IP address) and destination of fe80::/64 (link local IP address) in Region Type I.
    • Denies all other packets by default in Region Type I.

Application operations
  Security Group: By default, a security group must be selected during cloud server creation. The security group is automatically applied to the cloud server.
  Virtual Firewall: You must create a virtual firewall, associate a subnet in Region Type I with the virtual firewall, and add firewall rules so that the virtual firewall can apply to the corresponding cloud server.

Packet filtering
  Security Group: Only supports packet filtering based on the 3-tuple (protocol, port, and peer IP address).
  Virtual Firewall: Supports packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address).

Have a nice day!

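The two evaluation models in the answer above, as an added example that is not part of the post or of Huawei's own code: a security group is a union of Allow rules on the 3-tuple, a virtual firewall is an ordered first-match Allow/Deny list on the 5-tuple with the Region Type I default rules as fallback. The packets, CIDRs and rules below are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed packet as the 5-tuple from the table: (protocol, src, sport, dst, dport).
def pkt(proto, src, sport, dst, dport):
    return (proto, ip_address(src), sport, ip_address(dst), dport)

def sg_allows(rules, p):
    """Security group, inbound: Allow-only rules on the 3-tuple (protocol, port,
    peer CIDR). All rules apply as a union, so order is irrelevant and an
    exception such as "everyone except this subnet" cannot be expressed."""
    proto, src, _, _, dport = p
    return any(rp == proto and port == dport and src in ip_network(peer)
               for rp, port, peer in rules)

# Virtual firewall default rules in Region Type I, as listed in the table:
# (destination CIDR, protocol or None, destination port or None, source CIDR or None).
FW_DEFAULT_ALLOW = [
    ("255.255.255.255/32", None, None, None),  # broadcast
    ("224.0.0.0/24", None, None, None),        # multicast
    ("169.254.169.254/32", "tcp", 80, None),   # metadata service
    ("100.126.0.0/16", None, None, None),      # reserved for public services
    ("ff00::/8", None, None, None),            # IPv6 multicast
    ("fe80::/64", None, None, "fe80::/64"),    # IPv6 link-local to link-local
]

def fw_action(rules, p):
    """Virtual firewall: ordered Allow/Deny rules on the full 5-tuple; the first
    match wins, unmatched packets get the default rules, everything else is denied."""
    proto, src, sport, dst, dport = p
    for action, rp, rsrc, rsport, rdst, rdport in rules:
        if (rp in ("any", proto) and src in ip_network(rsrc) and dst in ip_network(rdst)
                and rsport in ("any", sport) and rdport in ("any", dport)):
            return action
    for ddst, dp, ddport, dsrc in FW_DEFAULT_ALLOW:
        if (dst in ip_network(ddst) and dp in (None, proto) and ddport in (None, dport)
                and (dsrc is None or src in ip_network(dsrc))):
            return "allow"
    return "deny"

def demo():
    ssh = pkt("tcp", "10.0.1.5", 51000, "10.0.2.10", 22)
    # Firewall: a Deny for one subnet before the broader Allow blocks SSH; reversed order lets it through.
    fw = [("deny", "tcp", "10.0.1.0/24", "any", "10.0.2.0/24", 22),
          ("allow", "tcp", "10.0.0.0/16", "any", "10.0.2.0/24", 22)]
    first_match = fw_action(fw, ssh)          # "deny"
    reordered = fw_action(fw[::-1], ssh)      # "allow"
    # Security group: the union of Allow rules cannot carve out 10.0.1.0/24.
    sg_result = sg_allows([("tcp", 22, "10.0.0.0/16")], ssh)   # True
    # Default rules: metadata on TCP/80 passes with no explicit rule, TCP/443 does not.
    meta_ok = fw_action([], pkt("tcp", "10.0.1.5", 51001, "169.254.169.254", 80))
    meta_no = fw_action([], pkt("tcp", "10.0.1.5", 51002, "169.254.169.254", 443))
    return first_match, reordered, sg_result, meta_ok, meta_no
```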

All Answers

pupu.F
pupu.F Created Apr 22, 2021 03:03:10

Thanks very much!

Unicef
Unicef MVE Created Apr 30, 2021 14:38:52

Great

futurework
futurework Created Oct 25, 2021 17:05:16

yes

Saqibaz
Saqibaz Created Jul 17, 2022 05:10:30

Good answer

olive.zhao
olive.zhao Created Jul 18, 2022 09:00:01

Thanks!
