diff --git a/umn/source/_static/images/en-us_image_0000001650535960.png b/umn/source/_static/images/en-us_image_0000001650535960.png new file mode 100644 index 0000000..6306214 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001650535960.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675613933.png b/umn/source/_static/images/en-us_image_0000001675613933.png deleted file mode 100644 index d8f9804..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001675613933.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001678437642.png b/umn/source/_static/images/en-us_image_0000001678437642.png new file mode 100644 index 0000000..f3ba480 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001678437642.png differ diff --git a/umn/source/_static/images/en-us_image_0000001699135873.png b/umn/source/_static/images/en-us_image_0000001699135873.png new file mode 100644 index 0000000..60afbc0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001699135873.png differ diff --git a/umn/source/_static/images/en-us_image_0122999741.png b/umn/source/_static/images/en-us_image_0122999741.png deleted file mode 100644 index faf01e7..0000000 Binary files a/umn/source/_static/images/en-us_image_0122999741.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0148244691.png b/umn/source/_static/images/en-us_image_0148244691.png deleted file mode 100644 index 833927c..0000000 Binary files a/umn/source/_static/images/en-us_image_0148244691.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0162733894.png b/umn/source/_static/images/en-us_image_0162733894.png new file mode 100644 index 0000000..95121dc Binary files /dev/null and b/umn/source/_static/images/en-us_image_0162733894.png differ 
diff --git a/umn/source/_static/images/en-us_image_0167839112.png b/umn/source/_static/images/en-us_image_0167839112.png index 754024d..05e485d 100644 Binary files a/umn/source/_static/images/en-us_image_0167839112.png and b/umn/source/_static/images/en-us_image_0167839112.png differ diff --git a/umn/source/_static/images/en-us_image_0167840073.png b/umn/source/_static/images/en-us_image_0167840073.png index 6120e8e..05e485d 100644 Binary files a/umn/source/_static/images/en-us_image_0167840073.png and b/umn/source/_static/images/en-us_image_0167840073.png differ diff --git a/umn/source/_static/images/en-us_image_0211552164.png b/umn/source/_static/images/en-us_image_0211552164.png index 14fd3fc..df810e8 100644 Binary files a/umn/source/_static/images/en-us_image_0211552164.png and b/umn/source/_static/images/en-us_image_0211552164.png differ diff --git a/umn/source/_static/images/en-us_image_0211560998.png b/umn/source/_static/images/en-us_image_0211560998.png index 413c588..ea33dfe 100644 Binary files a/umn/source/_static/images/en-us_image_0211560998.png and b/umn/source/_static/images/en-us_image_0211560998.png differ diff --git a/umn/source/_static/images/en-us_image_0239476777.png b/umn/source/_static/images/en-us_image_0239476777.png deleted file mode 100644 index 8aadcff..0000000 Binary files a/umn/source/_static/images/en-us_image_0239476777.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0274115599.png b/umn/source/_static/images/en-us_image_0274115599.png index 2d2d02f..b20d87f 100644 Binary files a/umn/source/_static/images/en-us_image_0274115599.png and b/umn/source/_static/images/en-us_image_0274115599.png differ diff --git a/umn/source/_static/images/en-us_image_0285048674.png b/umn/source/_static/images/en-us_image_0285048674.png index 63e5249..d6de83d 100644 Binary files a/umn/source/_static/images/en-us_image_0285048674.png and b/umn/source/_static/images/en-us_image_0285048674.png differ 
diff --git a/umn/source/access_control/differences_between_security_groups_and_firewalls.rst b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst index 2afcefd..c4b42e5 100644 --- a/umn/source/access_control/differences_between_security_groups_and_firewalls.rst +++ b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst @@ -14,7 +14,7 @@ For details, see :ref:`Figure 1 `. .. _en-us_topic_0052003963__fig9582182315479: -.. figure:: /_static/images/en-us_image_0148244691.png +.. figure:: /_static/images/en-us_image_0000001699135873.png :alt: **Figure 1** Security groups and firewalls **Figure 1** Security groups and firewalls diff --git a/umn/source/access_control/firewall/adding_a_firewall_rule.rst b/umn/source/access_control/firewall/adding_a_firewall_rule.rst index d309d5a..c4dd1aa 100644 --- a/umn/source/access_control/firewall/adding_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/adding_a_firewall_rule.rst 
@@ -43,51 +43,49 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+===================================================================================================================================================================================================================+=======================+ - | Priority | Priority of a firewall rule. A smaller priority value represents a higher priority. Each network ACL includes a default rule whose priority value is an asterisk (``*``). Default rules have the lowest priority. | 3 | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Status | Status of a firewall. When you add a rule to it, its default status is **Enabled**. | Enabled | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | - | | | | - | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+========================================================================================================================================================================================+=======================+ + | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | + | | | | + | | You can select **TCP**, **UDP**, **ICMP**, or **All**. 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. 
| 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ 7. Click **OK**. diff --git a/umn/source/access_control/firewall/creating_a_firewall.rst b/umn/source/access_control/firewall/creating_a_firewall.rst index f622d20..32fdb05 100644 --- a/umn/source/access_control/firewall/creating_a_firewall.rst +++ b/umn/source/access_control/firewall/creating_a_firewall.rst 
@@ -10,6 +10,8 @@ Scenarios You can create a custom firewall. By default, a newly created firewall is disabled and has no inbound or outbound rules, or any subnets associated. +By default, you can create a maximum of 200 firewalls in a region. + Procedure --------- diff --git a/umn/source/access_control/firewall/enabling_or_disabling_a_firewall.rst b/umn/source/access_control/firewall/enabling_or_disabling_a_firewall.rst index 37c5b56..60c71ff 100644 --- a/umn/source/access_control/firewall/enabling_or_disabling_a_firewall.rst +++ b/umn/source/access_control/firewall/enabling_or_disabling_a_firewall.rst @@ -8,7 +8,7 @@ Enabling or Disabling a Firewall Scenarios --------- -After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if need. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall. +After a firewall is created, you may need to enable it based on network security requirements. You can also disable an enabled firewall if needed. Before enabling a firewall, ensure that subnets have been associated with the firewall and that inbound and outbound rules have been added to the firewall. When a firewall is disabled, custom rules will become invalid while default rules still take effect. Disabling a firewall may interrupt network traffic. For information about the default firewall rules, see :ref:`Default Firewall Rules `. diff --git a/umn/source/access_control/firewall/firewall_configuration_examples.rst b/umn/source/access_control/firewall/firewall_configuration_examples.rst index 5a45976..4f6d744 100644 --- a/umn/source/access_control/firewall/firewall_configuration_examples.rst +++ b/umn/source/access_control/firewall/firewall_configuration_examples.rst 
@@ -19,7 +19,7 @@ You might want to block TCP port 445 to protect against the WannaCry ransomware Firewall Configuration -:ref:`Table 1 ` lists the required rules. +:ref:`Table 1 ` lists the inbound rules required. .. _acl_0002__table553618145582: @@ -35,7 +35,7 @@ Firewall Configuration .. note:: - - By default, a firewall denies all inbound traffic. You need to allow all inbound traffic if necessary. + - By default, a firewall denies all inbound traffic. You can add a rule to allow all inbound traffic if necessary. - If you want a deny rule to be matched first, insert the deny rule above the allow rule. For details, see :ref:`Changing the Sequence of a Firewall Rule `. .. _acl_0002__section61291659102216: @@ -47,7 +47,7 @@ In this example, an ECS in a subnet is used as the web server, and you need to a Firewall Configuration -:ref:`Table 2 ` lists the inbound rule required. +:ref:`Table 2 ` lists the inbound and outbound rules required. .. _acl_0002__table195634095313: diff --git a/umn/source/access_control/firewall/firewall_overview.rst b/umn/source/access_control/firewall/firewall_overview.rst index cc21f49..d585350 100644 --- a/umn/source/access_control/firewall/firewall_overview.rst +++ b/umn/source/access_control/firewall/firewall_overview.rst @@ -11,7 +11,7 @@ A firewall is an optional layer of security for your subnets. After you associat .. _acl_0001__fig9582182315479: -.. figure:: /_static/images/en-us_image_0148244691.png +.. figure:: /_static/images/en-us_image_0000001699135873.png :alt: **Figure 1** Security groups and firewalls **Figure 1** Security groups and firewalls diff --git a/umn/source/access_control/firewall/modifying_a_firewall_rule.rst b/umn/source/access_control/firewall/modifying_a_firewall_rule.rst index a82e257..df4f444 100644 --- a/umn/source/access_control/firewall/modifying_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/modifying_a_firewall_rule.rst 
@@ -37,51 +37,49 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+===================================================================================================================================================================================================================+=======================+ - | Priority | Priority of a firewall rule. A smaller priority value represents a higher priority. Each network ACL includes a default rule whose priority value is an asterisk (``*``). Default rules have the lowest priority. | 3 | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Status | Status of a firewall. When you add a rule to it, its default status is **Enabled**. | Enabled | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | - | | | | - | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - Security group: sg-A | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+========================================================================================================================================================================================+=======================+ + | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | + | | | | + | | You can select **TCP**, **UDP**, **ICMP**, or **All**. 
| | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. 
| 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - Security group: sg-A | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ 7. Click **Confirm**. diff --git a/umn/source/access_control/security_group/adding_a_security_group_rule.rst b/umn/source/access_control/security_group/adding_a_security_group_rule.rst index f147107..adc8d75 100644 --- a/umn/source/access_control/security_group/adding_a_security_group_rule.rst +++ b/umn/source/access_control/security_group/adding_a_security_group_rule.rst 
@@ -10,13 +10,19 @@ Scenarios A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. + Like whitelists, security group rules work as follows: -- Inbound rules control incoming traffic to instances in the security group. If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. -- Outbound rules control outgoing traffic from instances in the security group. If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. 0.0.0.0/0 represents all IPv4 addresses. 
@@ -27,7 +33,7 @@ If the rules of the security group associated with your instance cannot meet you Security Group Rule Configuration Examples ------------------------------------------ -- The system provides a default security group. For details about the default security group rules, see :ref:`Default Security Group `. If the default security group rules cannot meet your requirements, you can modify them. +- The system provides a default security group. For details about the default security group rules, see :ref:`Default Security Group and Its Rules `. If the default security group rules cannot meet your requirements, you can modify them. - Before configuring security group rules, you need to plan access policies for instances in the security group. For details about common security group rule configuration examples, see :ref:`Security Group Configuration Examples `. Procedure 
@@ -68,15 +74,16 @@ Procedure +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+==========================================================================================================================================================================+=======================+ - | Type | IPv4 | IPv4 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | | | | | - | | Inbound rules control incoming traffic over specific ports to instances in the security group. 
| | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | 
@@ -118,15 +125,16 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+=============================================================================================================================================================================+=======================+ - | Type | IPv4 | IPv4 | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | | | | | - | | Outbound rules control outgoing traffic over specific ports from instances in the security group. 
| | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | diff --git a/umn/source/access_control/security_group/adding_an_instance_to_or_removing_an_instance_from_a_security_group.rst b/umn/source/access_control/security_group/adding_an_instance_to_or_removing_an_instance_from_a_security_group.rst index b8e1231..e24950e 100644 --- a/umn/source/access_control/security_group/adding_an_instance_to_or_removing_an_instance_from_a_security_group.rst +++ b/umn/source/access_control/security_group/adding_an_instance_to_or_removing_an_instance_from_a_security_group.rst @@ -8,12 +8,13 @@ Adding an Instance to or Removing an Instance from a Security Group Scenarios --------- -After a security group is created, you can add instances to the security group to protect the instances. You can also remove them from the security group as required. +When you create an instance, the system automatically adds the instance to a security group for protection. -You can add multiple instances to or remove them from a security group. +- If one security group cannot meet your requirements, you can add an instance to multiple security groups. +- An instance must be added to at least one security group. If you want to change the security group for an instance, you can add the instance to a new security group and then remove the instance from the original security group. -Adding Instances to a Security Group ------------------------------------- +Adding an Instance to a Security Group +-------------------------------------- #. Log in to the management console. 
@@ -25,16 +26,26 @@ Adding Instances to a Security Group #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. + The security group list is displayed. -#. On the **Servers** tab, click **Add** and add one or more servers to the current security group. +#. In the security group list, locate the row that contains the security group and click **Manage Instances** in the **Operation** column. -#. On the **Extension NICs** tab, click **Add** and add one or more extension NICs to the current security group. + The **Associated Instances** tab is displayed. -#. Click **OK**. +#. Click an instance type. -Removing Instances from a Security Group ----------------------------------------- + The following operations use **Servers** as an example. + +#. Click the **Servers** tab and click **Add**. + + The **Add Server** dialog box is displayed. + +#. In the server list, select one or more servers and click OK to add them to the current security group. + +Removing an Instance from a Security Group +------------------------------------------ + +An instance must be added to at least one security group. If you want to remove an instance from a security group, the instance must be associated with at least two security groups now. #. Log in to the management console. 
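Review bot: In the new step `In the server list, select one or more servers and click OK to add them to the current security group.`, OK is the only UI control in this procedure that is not bolded (**Add**, **Servers** and **Manage Instances** all are); bold it for consistency. In the precondition added under `Removing an Instance from a Security Group`, `the instance must be associated with at least two security groups now` reads awkwardly and repeats the sentence before it; suggest `Because an instance must belong to at least one security group, you can only remove it from a security group if it is currently associated with at least two.`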
@@ -46,18 +57,21 @@ Removing Instances from a Security Group #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click **Manage Instance** in the **Operation** column. + The security group list is displayed. -#. On the **Servers** tab, locate the target server and click **Remove** in the **Operation** column to remove the server from current security group. +#. In the security group list, locate the row that contains the security group and click **Manage Instances** in the **Operation** column. -#. On the **Extension NICs** tab, locate the target extension NIC and click **Remove** in the **Operation** column to remove the NIC from the current security group. + The **Associated Instances** tab is displayed. -#. Click **Yes**. +#. Click an instance type. -**Removing multiple instances from a security group** + The following operations use **Servers** as an example. -- Select multiple servers and click **Remove** above the server list to remove the selected servers from the current security group all at once. -- Select multiple extension NICs and click **Remove** above the extension NIC list to remove the selected extension NICs from the current security group all at once. +#. Click the **Servers** tab, select one or more servers, and click **Remove** in the upper left corner of the server list. + + A confirmation dialog box is displayed. + +#. Confirm the information and click **Yes**. Follow-Up Operations -------------------- diff --git a/umn/source/access_control/security_group/changing_the_security_group_of_an_ecs.rst b/umn/source/access_control/security_group/changing_the_security_group_of_an_ecs.rst index c4312b2..4467f82 100644 --- a/umn/source/access_control/security_group/changing_the_security_group_of_an_ecs.rst +++ b/umn/source/access_control/security_group/changing_the_security_group_of_an_ecs.rst 
@@ -24,7 +24,7 @@ Procedure The **Change Security Group** dialog box is displayed. - .. figure:: /_static/images/en-us_image_0122999741.png + .. figure:: /_static/images/en-us_image_0162733894.png :alt: **Figure 1** Change Security Group **Figure 1** Change Security Group diff --git a/umn/source/access_control/security_group/cloning_a_security_group.rst b/umn/source/access_control/security_group/cloning_a_security_group.rst index 8ee8853..5248029 100644 --- a/umn/source/access_control/security_group/cloning_a_security_group.rst +++ b/umn/source/access_control/security_group/cloning_a_security_group.rst @@ -43,9 +43,11 @@ Procedure #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, locate the row that contains the target security group and choose **More** > **Clone** in the **Operation** column. + The security group list is displayed. -#. Set required parameters as prompted. +#. Locate the row that contains the security group, click **More** in the **Operation** column, and click **Clone**. + +#. Select the region and name of the new security group as prompted. .. figure:: /_static/images/en-us_image_0000001602035305.png @@ -53,7 +55,9 @@ Procedure **Figure 1** Clone Security Group -#. Click **OK**. You can then switch to the required region to view the cloned security group in the security group list. +#. Click **OK**. + + You can then switch to the required region to view the cloned security group in the security group list. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001675373901.png diff --git a/umn/source/access_control/security_group/creating_a_security_group.rst b/umn/source/access_control/security_group/creating_a_security_group.rst index 9cf64c3..e6844a6 100644 --- a/umn/source/access_control/security_group/creating_a_security_group.rst +++ b/umn/source/access_control/security_group/creating_a_security_group.rst 
@@ -10,14 +10,16 @@ Scenarios A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -When creating instances that require security groups, you are advised to allocate instances with different Internet access requirements to different security groups. +If your instances have different Internet access requirements, you can allocate them to different security groups when creating them. + +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. Notes and Constraints --------------------- -If you have not created any security group, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. +If you have not created any security groups yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. -The default security group name is **default**. For details, see :ref:`Default Security Group `. +The default security group name is **default**. For details, see :ref:`Default Security Group and Its Rules `. Procedure --------- diff --git a/umn/source/access_control/security_group/default_security_group.rst b/umn/source/access_control/security_group/default_security_group_and_its_rules.rst similarity index 67% rename from umn/source/access_control/security_group/default_security_group.rst rename to umn/source/access_control/security_group/default_security_group_and_its_rules.rst index 2c21b13..dc6f8da 100644 
--- a/umn/source/access_control/security_group/default_security_group.rst +++ b/umn/source/access_control/security_group/default_security_group_and_its_rules.rst @@ -2,13 +2,13 @@ .. _SecurityGroup_0003: -Default Security Group -====================== +Default Security Group and Its Rules +==================================== -The system creates a default security group for each account. By default, the default security group rules: +If you have not created any security group, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. A default security group has the following rules: -- Allow all outbound packets: Instances in the default security group can send requests to and receive responses from instances in other security groups. -- Deny all inbound packets: Requests from instances in other security groups will be denied by the default security group. +- Inbound rules control incoming traffic to instances in a security group. Only instances in the same security group can communicate with each other, and all inbound requests are denied. +- Outbound rules allow all outbound traffic and response traffic to the outbound requests. .. figure:: /_static/images/en-us_image_0000001230120807.png 
@@ -18,8 +18,8 @@ The system creates a default security group for each account. By default, the de .. note:: - - You cannot delete the default security group, but you can modify the rules for the default security group. - - If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs. + - You cannot delete the default security group, but you can modify existing rules or add rules to the group. + - The default security group is automatically created to simplify the process of creating an instance for the first time. The default security group denies all external requests. To log in to an instance, add a security group rule by referring to :ref:`Remotely Logging In to an ECS from a Local Server `. :ref:`Table 1 ` describes the default rules for the default security group. diff --git a/umn/source/access_control/security_group/deleting_a_security_group_rule.rst b/umn/source/access_control/security_group/deleting_a_security_group_rule.rst index c2bf3f7..251fdfd 100644 --- a/umn/source/access_control/security_group/deleting_a_security_group_rule.rst +++ b/umn/source/access_control/security_group/deleting_a_security_group_rule.rst 
@@ -8,15 +8,15 @@ Deleting a Security Group Rule Scenarios --------- -If the source of an inbound security group rule or destination of an outbound security group rule needs to be changed, you need to first delete the security group rule and add a new one. +If your security group rule is no longer required, you can delete it. Notes and Constraints --------------------- Security group rules use whitelists. Deleting a security group rule may result in ECS access failures. Security group rules work as follows: -- If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. -- If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. +- Inbound rule: If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Outbound rule: If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. Procedure --------- 
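Review bot: The outbound bullet under Notes and Constraints (`If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed.`) covers only IPv4. This same patch adds the IPv6 **Type** to every rule table and, in security_group_configuration_examples.rst, lists both `0.0.0.0/0` and `::/0` as the default outbound rules; mention `::/0` here too, so a reader deleting an IPv6 outbound rule understands what that rule was allowing.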
@@ -31,15 +31,22 @@ Procedure 4. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -5. On the **Security Groups** page, click the security group name. + The security group list is displayed. -6. If you do not need a security group rule, locate the row that contains the target rule, and click **Delete**. +5. In the security group list, click the name of the security group. -7. Click **Yes** in the displayed dialog box. + The security group details page is displayed. -**Deleting multiple security group rules at once** +6. Click the **Inbound Rules** or **Outbound Rules** tab as required. -You can also select multiple security group rules and click **Delete** above the security group rule list to delete multiple rules at a time. + The security group rule list is displayed. + +7. In the security group rule list: + + - To delete a single security group rule, locate the row that contains the rule and click **Delete** in the **Operation** column. + - To delete multiple security group rules, select multiple security group rules and click **Delete** in the upper left corner of the rule list. + +8. Click **Yes**. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001675413825.png diff --git a/umn/source/access_control/security_group/fast-adding_security_group_rules.rst b/umn/source/access_control/security_group/fast-adding_security_group_rules.rst index c6aba0f..7928959 100644 --- a/umn/source/access_control/security_group/fast-adding_security_group_rules.rst +++ b/umn/source/access_control/security_group/fast-adding_security_group_rules.rst 
@@ -52,6 +52,11 @@ Procedure | | - Web services | | | | - Databases | | +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. You can specify: | 0.0.0.0/0 | | | | | | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | @@ -93,6 +98,11 @@ Procedure | | - Web services | | | | - Databases | | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. You can specify: | 0.0.0.0/0 | | | | | | | - xxx.xxx.xxx.xxx/32 (IPv4 address) | | 
diff --git a/umn/source/access_control/security_group/importing_and_exporting_security_group_rules.rst b/umn/source/access_control/security_group/importing_and_exporting_security_group_rules.rst index 7ed7858..3a8afd2 100644 --- a/umn/source/access_control/security_group/importing_and_exporting_security_group_rules.rst +++ b/umn/source/access_control/security_group/importing_and_exporting_security_group_rules.rst @@ -18,7 +18,7 @@ Notes and Constraints --------------------- - The security group rules to be imported must be configured based on the template. Do not add parameters or change existing parameters. Otherwise, the import will fail. -- If a security group rule to be imported is the same as an existing one, the security group rule cannot be imported. You can delete the rule and try again. +- Duplicate rules are not allowed, you can delete the rule and try again. Procedure --------- 
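Review bot: `Duplicate rules are not allowed, you can delete the rule and try again.` is a comma splice and loses the precision of the line it replaces: it no longer says what counts as a duplicate (an imported rule identical to an existing one) or which rule `the rule` refers to. Suggest `A rule to be imported must not be identical to an existing rule in the security group; otherwise the import fails. Remove the duplicate and try again.`, naming whether the duplicate is removed from the file or from the security group.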
@@ -61,13 +61,9 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ - | | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | 22, or 22-30 | - | | | | - | | Inbound rules control incoming traffic over specific ports to instances in the security group. | | - | | | | - | | Outbound rules control outgoing traffic over specific ports from instances in the security group. | | + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+ | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | sg-test[96a8a93f-XXX-d7872990c314] | | | | | diff --git a/umn/source/access_control/security_group/index.rst b/umn/source/access_control/security_group/index.rst index 3e3e3df..d3a2872 100644 --- a/umn/source/access_control/security_group/index.rst +++ b/umn/source/access_control/security_group/index.rst 
@@ -6,7 +6,7 @@ Security Group ============== - :ref:`Security Groups and Security Group Rules ` -- :ref:`Default Security Group ` +- :ref:`Default Security Group and Its Rules ` - :ref:`Security Group Configuration Examples ` - :ref:`Creating a Security Group ` - :ref:`Cloning a Security Group ` @@ -27,7 +27,7 @@ Security Group :hidden: security_groups_and_security_group_rules - default_security_group + default_security_group_and_its_rules security_group_configuration_examples creating_a_security_group cloning_a_security_group diff --git a/umn/source/access_control/security_group/modifying_a_security_group.rst b/umn/source/access_control/security_group/modifying_a_security_group.rst index 10d4e44..5a6798e 100644 --- a/umn/source/access_control/security_group/modifying_a_security_group.rst +++ b/umn/source/access_control/security_group/modifying_a_security_group.rst @@ -8,13 +8,11 @@ Modifying a Security Group **Scenarios** ------------- -Modify the name and description of a created security group. +After a security group is created, you can change its name and description. Procedure --------- -**Method 1** - #. Log in to the management console. #. Click |image1| in the upper left corner and select the desired region and project. 
@@ -25,37 +23,15 @@ Procedure #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, locate the target security group and choose **More** > **Modify** in the **Operation** column. + The security group list is displayed. + +#. Locate the row that contains the security group, click **More** in the **Operation** column, and click **Modify**. + + The **Modify Security Group** dialog box is displayed. #. Modify the name and description of the security group as required. -#. Click **OK**. - -**Method 2** - -#. Log in to the management console. - -#. Click |image3| in the upper left corner and select the desired region and project. - -#. Click |image4| in the upper left corner and choose **Network** > **Virtual Private Cloud**. - - The **Virtual Private Cloud** page is displayed. - -#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. - -#. On the **Security Groups** page, click the security group name. - -#. On the displayed page, click |image5| on the right of **Name** and edit the security group name. - -#. Click **Y** to save the security group name. - -#. Click |image6| on the right of **Description** and edit the security group description. - -#. Click **Y** to save the security group description. +#. Click **OK** to save the modification. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001626894086.png -.. |image3| image:: /_static/images/en-us_image_0141273034.png -.. |image4| image:: /_static/images/en-us_image_0000001675613933.png -.. |image5| image:: /_static/images/en-us_image_0239476777.png -.. |image6| image:: /_static/images/en-us_image_0239476777.png diff --git a/umn/source/access_control/security_group/modifying_a_security_group_rule.rst b/umn/source/access_control/security_group/modifying_a_security_group_rule.rst index 78a8156..ffc6be5 100644 
--- a/umn/source/access_control/security_group/modifying_a_security_group_rule.rst +++ b/umn/source/access_control/security_group/modifying_a_security_group_rule.rst @@ -23,11 +23,19 @@ Procedure #. In the navigation pane on the left, choose **Access Control** > **Security Groups**. -#. On the **Security Groups** page, click the security group name. + The security group list is displayed. -#. On the displayed page, locate the row that contains the security group rule to be modified, and click **Modify** in the **Operation** column. +#. In the security group list, click the name of the security group. -#. Modify the rule and click **Confirm**. + The security group details page is displayed. + +#. Click the **Inbound Rules** or **Outbound Rules** tab as required. + + The security group rule list is displayed. + +#. Locate the row that contains the rule and click **Modify** in the **Operation** column. + +#. Modify the security group rule information as prompted and click **Confirm**. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001675613937.png diff --git a/umn/source/access_control/security_group/replicating_a_security_group_rule.rst b/umn/source/access_control/security_group/replicating_a_security_group_rule.rst index baa8998..4559c3a 100644 --- a/umn/source/access_control/security_group/replicating_a_security_group_rule.rst +++ b/umn/source/access_control/security_group/replicating_a_security_group_rule.rst @@ -8,7 +8,7 @@ Replicating a Security Group Rule **Scenarios** ------------- -Replicate an existing security group rule to generate a new rule. When replicating a security group rule, you can make changes so that it is not a perfect copy. +You can replicate an existing security group rule and modify it to quickly generate a new rule. Procedure --------- 
@@ -21,15 +21,19 @@ Procedure The **Virtual Private Cloud** page is displayed. -#. In the navigation pane on the left, choose **Access Control** > **Security Groups**. +#. In the security group list, click the name of the security group. -#. On the **Security Groups** page, click the security group name. + The security group details page is displayed. -#. On the displayed page, locate the row that contains the security group rule to be replicated, and click **Replicate** in the **Operation** column. +#. Click the **Inbound Rules** or **Outbound Rules** tab as required. - You can also modify the security group rule as required to quickly generate a new rule. + The security group rule list is displayed. -#. Click **OK**. +#. Locate the row that contains the rule and click **Replicate** in the **Operation** column. + + The **Replicate Inbound Rule** dialog box is displayed. + +#. Modify the security group rule information as prompted and click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001626894090.png diff --git a/umn/source/access_control/security_group/security_group_configuration_examples.rst b/umn/source/access_control/security_group/security_group_configuration_examples.rst index 628c72b..916f963 100644 --- a/umn/source/access_control/security_group/security_group_configuration_examples.rst +++ b/umn/source/access_control/security_group/security_group_configuration_examples.rst 
@@ -5,195 +5,197 @@ Security Group Configuration Examples ===================================== -Common security group configurations are presented here. The examples in this section allow all outgoing data packets by default. This section will only describe how to configure inbound rules. +Here are some common security group configuration examples for different scenarios, including remote login to ECSs, website access, and internal communication between instances in different security groups. -- .. _en-us_topic_0081124350__li2921164192410: +Generally, a security group denies all external requests by default. You need to add inbound rules to a security group based on the whitelist principle to allow specific external requests to access instances in the security group. - :ref:`Allowing External Access to a Specified Port ` +- :ref:`Remotely Logging In to an ECS from a Local Server ` +- :ref:`Remotely Connecting to an ECS from a Local Server to Upload or Download Files ` +- :ref:`Setting Up a Website on an ECS to Provide Services Externally ` +- :ref:`Using ping Command to Verify Network Connectivity ` +- :ref:`Enabling ECSs In Different Security Groups to Communicate Through an Internal Network ` +- :ref:`ECS Providing Database Access Service ` +- :ref:`Allowing ECSs to Access Only Specific External Websites ` -- :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network ` +By default, all outbound rules of a security group allow all requests from instances in the security group to access external networks. :ref:`Table 1 ` lists the rules. -- :ref:`Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group ` +.. _en-us_topic_0081124350__table102261597217: -- :ref:`Remotely Connecting to Linux ECSs Using SSH ` +.. 
table:: **Table 1** Default outbound rules in a security group -- :ref:`Remotely Connecting to Windows ECSs Using RDP ` + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Destination | Description | + +===========+======+=================+=============+=================================================================================================+ + | Outbound | IPv4 | All | 0.0.0.0/0 | This rule allows access from instances in the security group to any IPv4 address over any port. | + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | ::/0 | This rule allows access from instances in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ -- :ref:`Enabling Communication Between ECSs ` +.. _en-us_topic_0081124350__section14933617154810: -- :ref:`Hosting a Website on ECSs ` +Remotely Logging In to an ECS from a Local Server +------------------------------------------------- -- :ref:`Enabling an ECS to Function as a DNS Server ` +A security group denies all external requests by default. To remotely log in to an ECS from a local server, add an inbound security group rule based on the OS running on the ECS. -- :ref:`Uploading or Downloading Files Using FTP ` +- To remotely log in to a Linux ECS using SSH, enable the SSH (22) port. For details, see :ref:`Table 2 `. -You can use the default security group or create a security group in advance. For details, see sections :ref:`Creating a Security Group ` and :ref:`Adding a Security Group Rule `. +- To remotely log in to a Windows ECS using RDP, enable the RDP (3389) port. For details, see :ref:`Table 3 `. 
-Allowing External Access to a Specified Port --------------------------------------------- + .. _en-us_topic_0081124350__table20321112045011: -- Example scenario: + .. table:: **Table 2** Remotely logging in to a Linux ECS using SSH - After services are deployed, you can add security group rules to allow external access to a specified port (for example, 1100). + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 22 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== -- Security group rule: + .. _en-us_topic_0081124350__table1579314381815: - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound TCP 1100 0.0.0.0/0 - ========= ======== ==== ========= + .. table:: **Table 3** Remotely logging in to a Windows ECS using RDP -.. _en-us_topic_0081124350__section14197522283: + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 3389 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== -Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network ------------------------------------------------------------------------------------------------------ + .. important:: -- Example scenario: + If the source is set to 0.0.0.0/0, remotely logging in to the ECS through any IP address is allowed. To ensure security, set the source to a specific IP address based on service requirements. For details about the configuration example, see :ref:`Table 4 `. - Resources on an ECS in a security group need to be copied to an ECS associated with another security group. The two ECSs are in the same VPC. We recommend that you enable private network communication between the ECSs and then copy the resources. + .. 
_en-us_topic_0081124350__table1919016251434: -- Security group configuration: + .. table:: **Table 4** Remotely logging in to an ECS using a specified IP address - Within a given VPC, ECSs in the same security group can communicate with one another by default. However, ECSs in different security groups cannot communicate with each other by default. To enable these ECSs to communicate with each other, you need to add certain security group rules. + =========== ========= ==== =============== ========================== + ECS Type Direction Type Protocol & Port Source + =========== ========= ==== =============== ========================== + Linux ECS Inbound IPv4 TCP: 22 IP address: 192.168.0.0/24 + Windows ECS Inbound IPv4 TCP: 3389 IP address: 10.10.0.0/24 + =========== ========= ==== =============== ========================== - You can add an inbound rule to the security groups containing the ECSs to allow access from ECSs in the other security group. The required rule is as follows. +.. _en-us_topic_0081124350__section8685162114185: - +-----------------+--------------------------------------------------------------------------+-----------------+------------------------------------+ - | Direction | Protocol | Port | Source | - +=================+==========================================================================+=================+====================================+ - | Inbound | TCP | All | ID of another security group | - | | | | | - | | .. note:: | | Example: 014d7278-XXX-530c95350d43 | - | | | | | - | | Select a protocol used for communication through an internal network. | | | - +-----------------+--------------------------------------------------------------------------+-----------------+------------------------------------+ +Remotely Connecting to an ECS from a Local Server to Upload or Download Files +----------------------------------------------------------------------------- -.. 
_en-us_topic_0081124350__section17693183118306: +By default, a security group denies all external requests. If you need to remotely connect to an ECS from a local server to upload or download files, you need to enable FTP ports 20 and 21. -Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group ---------------------------------------------------------------------------- +.. table:: **Table 5** Remotely connecting to an ECS from a local server to upload or download files -- Example scenario: + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 20-21 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== - To prevent ECSs from being attacked, you can change the port for remote login and configure security group rules that allow only specified IP addresses to remotely access the ECSs. +.. important:: -- Security group configuration: + You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly. - To allow IP address **192.168.20.2** to remotely access Linux ECSs in a security group over the SSH protocol (port 22), you can configure the following security group rule. +.. _en-us_topic_0081124350__section316061115481: - +-----------------+-----------------+-----------------+-------------------------------------------------+ - | Direction | Protocol | Port | Source | - +=================+=================+=================+=================================================+ - | Inbound | SSH | 22 | IPv4 CIDR block or ID of another security group | - | | | | | - | | | | For example, 192.168.20.2/32 | - +-----------------+-----------------+-----------------+-------------------------------------------------+ +Setting Up a Website on an ECS to Provide Services Externally +------------------------------------------------------------- -.. 
_en-us_topic_0081124350__section115069253338: +A security group denies all external requests by default. If you have set up a website on an ECS that can be accessed externally, you need to add an inbound rule to the ECS security group to allow access over specific ports, such as HTTP (80) and HTTPS (443). -Remotely Connecting to Linux ECSs Using SSH -------------------------------------------- +.. table:: **Table 6** Setting up a website on an ECS to provide services externally -- Example scenario: + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 TCP: 80 IP address: 0.0.0.0/0 + Inbound IPv4 TCP: 443 IP address: 0.0.0.0/0 + ========= ==== =============== ===================== - After creating Linux ECSs, you can add a security group rule to enable remote SSH access to the ECSs. +.. _en-us_topic_0081124350__section29561427142511: -- Security group rule: +Using **ping** Command to Verify Network Connectivity +----------------------------------------------------- - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound SSH 22 0.0.0.0/0 - ========= ======== ==== ========= +By default, a security group denies all external requests. If you need to run the **ping** command on an ECS to verify network connectivity, add an inbound rule to the ECS security group to allow access over the ICMP port. -.. _en-us_topic_0081124350__section168046312349: +.. 
table:: **Table 7** Using **ping** command to verify network connectivity -Remotely Connecting to Windows ECSs Using RDP ---------------------------------------------- + ========= ==== =============== ===================== + Direction Type Protocol & Port Source + ========= ==== =============== ===================== + Inbound IPv4 ICMP: All IP address: 0.0.0.0/0 + Inbound IPv6 ICMP: All IP address: ::/0 + ========= ==== =============== ===================== -- Example scenario: +.. _en-us_topic_0081124350__section094514632817: - After creating Windows ECSs, you can add a security group rule to enable remote RDP access to the ECSs. +Enabling ECSs In Different Security Groups to Communicate Through an Internal Network +------------------------------------------------------------------------------------- -- Security group rule: +ECSs in the same VPC but associated with different security groups cannot communicate with each other. If you want to share data between ECSs in a VPC, for example, ECSs in security group sg-A need to access MySQL databases in security group sg-B, you need to add an inbound rule to security group sg-B to allow access from ECSs in security group sg-A over MySQL port 3306. - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound RDP 3389 0.0.0.0/0 - ========= ======== ==== ========= +.. table:: **Table 8** Enabling instances in different security groups to communicate through an internal network -.. _en-us_topic_0081124350__section34721049193411: + ========= ==== =============== ==================== + Direction Type Protocol & Port Source + ========= ==== =============== ==================== + Inbound IPv4 TCP: 3306 Security group: sg-A + ========= ==== =============== ==================== -Enabling Communication Between ECSs ------------------------------------ +.. 
_en-us_topic_0081124350__section7465183583515: -- Example scenario: +ECS Providing Database Access Service +------------------------------------- - After creating ECSs, you need to add a security group rule so that you can run the **ping** command to test communication between the ECSs. +A security group denies all external requests by default. If you have deployed the database service on an ECS and need to allow other ECSs to access the database service through an internal network, you need to add an inbound rule to the security group of the ECS with the database service deployed to allow access over ports, for example, MySQL (3306), Oracle (1521), MS SQL (1433), PostgreSQL (5432) and Redis (6379). -- Security group rule: +.. table:: **Table 9** ECS providing database access service - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound ICMP All 0.0.0.0/0 - ========= ======== ==== ========= + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Source | Description | + +===========+======+=================+============================+===============================================================================================================================+ + | Inbound | IPv4 | TCP: 3306 | Security group: sg-A | This rule allows ECSs in security group sg-A to access the MySQL database service. | + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 1521 | Security group: sg-B | This rule allows ECSs in security group sg-B to access the Oracle database service. 
| + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 1433 | IP address: 172.16.3.21/32 | This rule allows the ECS whose private IP address is 172.16.3.21 to access the MS SQL database service. | + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 5432 | IP address: 192.168.0.0/24 | This rule allows ECSs whose private IP addresses are in the 192.168.0.0/24 network to access the PostgreSQL database service. | + +-----------+------+-----------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------+ -.. _en-us_topic_0081124350__section1517991516357: +.. important:: -Hosting a Website on ECSs -------------------------- + In this example, the source is for reference only. Set the source address based on actual requirements. -- Example scenario: +.. _en-us_topic_0081124350__section949023514612: - If you deploy a website on your ECSs and require that your website be accessed over HTTP or HTTPS, you can add rules to the security group used by the ECSs that function as the web servers. +Allowing ECSs to Access Only Specific External Websites +------------------------------------------------------- -- Security group rule: +By default, a security group allows all outbound traffic. :ref:`Table 11 ` lists the default rules. If you want to allow ECSs to access only specific websites, configure the security groups of the ECSs as follows: - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound HTTP 80 0.0.0.0/0 - Inbound HTTPS 443 0.0.0.0/0 - ========= ======== ==== ========= +#. 
First, add outbound rules to allow traffic over specific ports and to specific IP addresses. -.. _en-us_topic_0081124350__section2910346123520: + .. table:: **Table 10** Enabling instances in different security groups to communicate through an internal network -Enabling an ECS to Function as a DNS Server -------------------------------------------- + ========= ==== =============== ========================= + Direction Type Protocol & Port Source + ========= ==== =============== ========================= + Outbound IPv4 TCP: 80 IP address: 132.15.XX.XX + Outbound IPv4 TCP: 443 IP address: 145.117.XX.XX + ========= ==== =============== ========================= -- Example scenario: +#. Then, delete the original outbound rules that allow all traffic shown in :ref:`Table 11 `. - If you need to use an ECS as a DNS server, you must allow TCP and UDP access from port 53 to the DNS server. You can add the following rules to the security group associated with the ECS. + .. _en-us_topic_0081124350__table5759161135518: -- Security group rules: + .. table:: **Table 11** Default outbound rules in a security group - ========= ======== ==== ========= - Direction Protocol Port Source - ========= ======== ==== ========= - Inbound TCP 53 0.0.0.0/0 - Inbound UDP 53 0.0.0.0/0 - ========= ======== ==== ========= - -.. _en-us_topic_0081124350__section5964121693610: - -Uploading or Downloading Files Using FTP ----------------------------------------- - -- Example scenario: - - If you want to use File Transfer Protocol (FTP) to upload files to or download files from ECSs, you need to add a security group rule. - - .. note:: - - You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly. 
- -- Security group rule: - - ========= ======== ===== ========= - Direction Protocol Port Source - ========= ======== ===== ========= - Inbound TCP 20-21 0.0.0.0/0 - ========= ======== ===== ========= + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Destination | Description | + +===========+======+=================+=============+=================================================================================================+ + | Outbound | IPv4 | All | 0.0.0.0/0 | This rule allows access from instances in the security group to any IPv4 address over any port. | + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | ::/0 | This rule allows access from instances in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+-------------+-------------------------------------------------------------------------------------------------+ diff --git a/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst index a0ea7af..1879e47 100644 --- a/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst +++ b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst 
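Review bot: in the new "Allowing ECSs to Access Only Specific External Websites" section, the caption of Table 10 repeats Table 8's caption ("Enabling instances in different security groups to communicate through an internal network") although the table lists outbound rules to specific websites, and its two Outbound rows are headed "Source" where Table 1 and Table 11 use "Destination" for outbound rules; rename both, e.g. `.. table:: **Table 10** Allowing access to specific external websites` with a `Destination` column. Smaller points in the same hunk: the `.. important::` about replacing `0.0.0.0/0` with a specific source is given only for Table 2 and Table 3, while Table 5 (TCP: 20-21), Table 6 and Table 7 also use `IP address: 0.0.0.0/0`, so either state the caution once at the top of the topic or point those sections to Table 4; "allow access over the ICMP port" should read "allow ICMP traffic", since ICMP has no ports (the table correctly says `ICMP: All`); and the heading "Enabling ECSs In Different Security Groups ..." capitalizes "In" unlike the other headings and the Table 8 caption. The rewrite also drops the DNS server example (TCP and UDP port 53); if that removal is intentional it should be reflected in the change history, otherwise add the section back.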
@@ -10,7 +10,7 @@ Security Groups A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all cloud resources added to this security group. -If you have not created any security group, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. For details about the default security group, see :ref:`Default Security Group `. +If you have not created any security group yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. For details about the default security group, see :ref:`Default Security Group and Its Rules `. Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. 
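Review bot: the ref text changes to `Default Security Group and Its Rules`, so confirm the heading of the target topic was renamed in the same change; otherwise Sphinx will render the stale title for this cross-reference. While this paragraph is being touched, the unchanged sentence before it has a comma splice ("you can create various access rules for the security group, these rules will apply to all cloud resources") that reads better as two sentences: "... for the security group. These rules apply to all cloud resources added to it."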
@@ -29,66 +29,80 @@ A security group has inbound and outbound rules to control traffic that's allowe .. table:: **Table 1** Security group rule information - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+=========================================================================================================================================================================================================================================================================================================================================================================================+ - | Protocol | The network protocol used to match traffic in a security group rule. Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Port | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | - | | | - | | - Inbound rules control incoming traffic over specific ports to instances in the security group. | - | | - Outbound rules control outgoing traffic over specific ports from instances in the security group. 
| - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Source (Inbound) | The source in an inbound rule is used to match the IP address or address range of an external request. The source can be: | - | | | - | | - IP address: | - | | | - | | - Example IPv4 address: 192.168.10.10/32 | - | | - Example IPv4 address range: 192.168.52.0/24 All IPv4 addresses: 0.0.0.0/0 | - | | | - | | - Security group: You can select another security group in the same region under the current account as the source. For example, instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with **Action** set to **Allow** and **Source** set to security group B, access from instance B is allowed to instance A. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Destination (Outbound) | The destination in an outbound rule is used to match the IP address or address range of an internal request. 
The destination can be: | - | | | - | | - IP address: | - | | | - | | - Example IPv4 address: 192.168.10.10/32 | - | | - Example IPv4 address range: 192.168.52.0/24 All IPv4 addresses: 0.0.0.0/0 | - | | | - | | - Security group: You can select another security group in the same region under the current account as the destination. For example, instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with **Action** set to **Allow** and **Destination** set to security group B, access from instance A is allowed to instance B. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+========================================================================================================================================================================================================================+ + | Protocol | The network protocol used to match traffic in a security group rule. Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. 
| + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Port | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | + | | | + | | - Inbound rules control incoming traffic over specific ports to instances in the security group. | + | | - Outbound rules control outgoing traffic over specific ports from instances in the security group. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source (Inbound) | The source in an inbound rule is used to match the IP address or address range of an external request. The source can be: | + | | | + | | - IP address: | + | | | + | | - Example IPv4 address: 192.168.10.10/32 | + | | - Example IPv6 address: 2002:50::44/128 | + | | - Example IPv4 address range: 192.168.52.0/24 All IPv4 addresses: 0.0.0.0/0 | + | | - Example IPv6 address range: 2407:c080:802:469::/64 All IPv6 addresses: ::/0 | + | | | + | | - Security group: You can select another security group in the same region under the current account as the source. | + | | | + | | For example, instance A is in security group A and instance B is in security group B. If security group A has a rule with **Source** set to security group B, access from instance B is allowed to instance A. 
| + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination (Outbound) | The destination in an outbound rule is used to match the IP address or address range of an internal request. The destination can be: | + | | | + | | - IP address: | + | | | + | | - Example IPv4 address: 192.168.10.10/32 | + | | - Example IPv6 address: 2002:50::44/128 | + | | - Example IPv4 address range: 192.168.52.0/24 All IPv4 addresses: 0.0.0.0/0 | + | | - Example IPv6 address range: 2407:c080:802:469::/64 All IPv6 addresses: ::/0 | + | | | + | | - Security group: You can select another security group in the same region under the current account as the destination. | + | | | + | | For example, instance A is in security group A and instance B is in security group B. If security group A has a rule with **Destination** set to security group B, access from instance A is allowed to instance B. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ Like whitelists, security group rules work as follows: -- Inbound rules control incoming traffic to instances in the security group. If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. 
-- Outbound rules control outgoing traffic from instances in the security group. If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. 0.0.0.0/0 represents all IPv4 addresses. ::/0 represents all IPv6 addresses. -:ref:`Table 2 ` shows the inbound and outbound rules in security group sg-AB. +:ref:`Table 2 ` uses custom security group sg-AB as an example to describe its inbound and outbound rules in detail. .. _en-us_topic_0073379079__table102261597217: .. table:: **Table 2** Rules in security group sg-AB - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Direction | Type | Protocol & Port | Source/Destination | Description | - +===========+======+=================+========================+======================================================================================================================================+ - | Inbound | IPv4 | All | Source: sg-AB | This rule allows ECSs in the security group to communicate with each other. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Inbound | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | This rule allows all IPv4 addresses to access ECSs in the security group over SSH port 22 for remotely logging in to Linux ECSs. 
| - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Inbound | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | This rule allows all IPv4 addresses to access ECSs in the security group over RDP port 3389 for remotely logging in to Windows ECSs. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Inbound | IPv4 | TCP: 80 | Source: 10.5.6.30/32 | This rule allows IP address 10.5.6.30 to access ECSs in the security group over port 80. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Outbound | IPv4 | All | Destination: 0.0.0.0/0 | This rule allows access from ECSs in the security group to any IPv4 address over any port. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Source/Destination | Description | + +===========+======+=================+========================+==============================================================================================================================+ + | Inbound | IPv4 | All | Source: sg-AB | Allows ECSs in the security group to communicate with each other. 
| + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 22 (SSH) for remotely logging in to Linux ECSs. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 3389 (RDP) for remotely logging in to Windows ECSs. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 80 | Source: 10.5.6.30/32 | Allows IP address 10.5.6.30 to access ECSs in the security group over port 80. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from ECSs in the security group to any IPv4 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | Destination: ::/0 | Allows access from ECSs in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ .. important:: 
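Review bot: in the Protocol row, "**GRE**, **ICMP**, or more" reads awkwardly; "**GRE**, **ICMP**, and others" keeps the meaning of the removed "or others". The Source and Destination rows still put two examples on one bullet ("Example IPv4 address range: 192.168.52.0/24 All IPv4 addresses: 0.0.0.0/0" and the new IPv6 equivalent "2407:c080:802:469::/64 All IPv6 addresses: ::/0"), which renders as a run-on item; split each into two bullets. "The destination in an outbound rule is used to match the IP address or address range of an internal request" is unclear; "of a request sent from an instance in the security group" says what is meant. Finally, the sg-AB example in Table 2 still opens TCP 22 and TCP 3389 to `0.0.0.0/0` with no mention of restricting the source, while the configuration examples topic in this same change adds an important note recommending a specific source address for exactly these rules; a one-line pointer to that note would keep the two topics consistent.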
@@ -104,4 +118,5 @@ Like whitelists, security group rules work as follows: Security Group Constraints -------------------------- +- By default, you can create a maximum of 100 security groups in your cloud account. - By default, you can add up to 50 security group rules to a security group. diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst index 2ca19d8..de4e8b9 100644 --- a/umn/source/change_history.rst +++ b/umn/source/change_history.rst 
@@ -8,12 +8,54 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Released On | Description | +===================================+====================================================================================================================================================================================================================================================================================================================================+ +| 2023-10-10 | This release incorporates the following changes: | +| | | +| | - Added the figure for configuring route tables in :ref:`Route Table `. | +| | - Modified :ref:`Step 4: Add a Security Group Rule `. | +| | | +| | - Changed the location of parameter **Type**. | +| | - Added protocol **GRE**. | +| | | +| | - Modified :ref:`Step 5: Add a Security Group Rule ` and :ref:`Adding a Security Group Rule `. | +| | | +| | - Added description that each ECS must be associated with at least one security group. | +| | - Modified description about port. | +| | - Changed the location of parameter **Type**. | +| | - Added protocol **GRE**. | +| | | +| | - Added the function of adding multiple tags for search in :ref:`Managing VPC Tags `. | +| | - Added figures and modified steps in :ref:`Viewing and Deleting Resources in a Subnet `. | +| | - Modified :ref:`Security Groups and Security Group Rules `. | +| | | +| | - Added protocol **GRE** and deleted content about **Action**. | +| | - Modified description about security group sg-AB. | +| | - Added description about security group configuration. | +| | - Added support for IPv6. 
| +| | | +| | - Changed the section name in :ref:`Default Security Group and Its Rules `. | +| | - Optimized description in :ref:`Creating a Security Group `. | +| | - Modified the figure and added parameter **Type** in :ref:`Fast-Adding Security Group Rules `. | +| | - Modified notes and constraints in :ref:`Importing and Exporting Security Group Rules `. | +| | - Added description about the maximum number of security groups that can be created in :ref:`Creating a Firewall `. | +| | - Modified figures and parameter settings in :ref:`Adding a Firewall Rule `. | +| | - Added the route table quota in notes and constraints in :ref:`Creating a Custom Route Table `. | +| | - Added constraints on the maximum number of routes that can be added to a route table in :ref:`Adding a Custom Route `. | +| | - Modified :ref:`Creating a VPC Peering Connection with Another VPC in Your Account `. | +| | | +| | - Added description that you need to add routes to the route tables of the local and peer VPCs after creating a VPC peering connection. | +| | - Added parameter **Description** for creating a VPC peering connection. | +| | | +| | - Added parameter **Description** for creating a VPC peering connection in :ref:`Creating a VPC Peering Connection with a VPC in Another Account `. | +| | | +| | - Added description about the maximum number of flow log records that can be recorded in :ref:`VPC Flow Log Overview `. | +| | - Modified the section name and scenarios in :ref:`Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) `. | +| | - Modified the verification procedure in :ref:`Creating a User and Granting VPC Permissions `. 
| ++-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2023-09-08 | This release incorporates the following changes: | | | | | | Updated the following content: | | | | | | - Optimized description in :ref:`Step 4: Add a Security Group Rule `. | -| | - Optimized description in :ref:`Creating a Security Group `. | | | - Optimized the procedure for verifying IAM permissions in :ref:`Creating a User and Granting VPC Permissions `. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2023-07-18 | This release incorporates the following changes: | 
@@ -34,7 +76,7 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2023-05-26 | This release incorporates the following changes: | | | | -| | Added the following section: | +| | Added the following content: | | | | | | Added information about cloning a security group in :ref:`Cloning a Security Group `. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -55,7 +97,7 @@ Change History | | Updated the following content: | | | | | | - Added description that BMS user-defined network is available only in eu-de. | -| | - Added the step for viewing NIC details to :ref:`Disabling Source/Destination Check for an ECS NIC `. | +| | - Added the step for viewing NIC details to :ref:`Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) `. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2023-02-15 | This release incorporates the following changes: | | | | 
@@ -248,14 +290,14 @@ Change History | | Modified the following content: | | | | | | - Modified description about **NTP Server Address** in :ref:`Modifying a Subnet `. | -| | - Modified description about replication in the "Default Route Table and Custom Route Table" part in :ref:`Route Table Overview `. | -| | - Modified descriptions about system routes and custom routes in :ref:`Route Table Overview `. | -| | - Modified description about usage restrictions in :ref:`Route Table Overview `. | +| | - Modified description about replication in the "Default Route Table and Custom Route Table" part in :ref:`Route Tables and Routes `. | +| | - Modified descriptions about system routes and custom routes in :ref:`Route Tables and Routes `. | +| | - Modified description about usage restrictions in :ref:`Route Tables and Routes `. | | | | | | Deleted the following content: | | | | | | - Deleted parameter **Enterprise Project** from the document. | -| | - Deleted the Cloud Connect service from the "Default Route Table and Custom Route Table" part in :ref:`Route Table Overview `. | +| | - Deleted the Cloud Connect service from the "Default Route Table and Custom Route Table" part in :ref:`Route Tables and Routes `. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2019-08-02 | Added the following content based on the RM-584 requirements: | | | | diff --git a/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst b/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst index 6f403cf..2db8bb8 100644 --- a/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst 
+++ b/umn/source/elastic_ip/unbinding_an_eip_from_an_ecs_and_releasing_the_eip.rst @@ -32,7 +32,7 @@ Procedure #. Log in to the management console. #. Click |image1| in the upper left corner and select the desired region and project. #. Click |image2| in the upper left corner and choose **Network** > **Elastic IP**. -#. On the displayed page, locate the row that contains the target EIP, and click **Unbind**. +#. On the displayed page, locate the row that contains the EIP, and click **Unbind**. #. Click **Yes** in the displayed dialog box. **Releasing a single EIP** diff --git a/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst b/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst index 7df0e75..96fc9bf 100644 --- a/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst +++ b/umn/source/faq/bandwidth/what_bandwidth_types_are_available.rst @@ -5,4 +5,4 @@ What Bandwidth Types Are Available? =================================== -There are dedicated bandwidth and shared bandwidth. A dedicated bandwidth can only be used by one EIP, but a shared bandwidth can be used by multiple EIPs. +There are dedicated bandwidths and shared bandwidths. A dedicated bandwidth can only be used by one EIP, but a shared bandwidth can be used by multiple EIPs. diff --git a/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst b/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst index 4db7cfd..3f105ce 100644 --- a/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst +++ b/umn/source/faq/vpc_peering_connections/why_did_communication_fail_between_vpcs_that_were_connected_by_a_vpc_peering_connection.rst 
@@ -137,7 +137,7 @@ Incorrect Network Configuration #. Check whether security group rules of the ECSs that need to communicate allow inbound traffic from each other by referring to :ref:`Viewing the Security Group of an ECS `. - If the ECSs are associated with the same security group, you do not need to check their rules. - - If the ECSs are associated with different security groups, add an inbound rule to allow access from each other by referring to :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network `. + - If the ECSs are associated with different security groups, add an inbound rule to allow access from each other by referring to :ref:`Security Group Configuration Examples `. #. Check whether the firewall of the ECS NIC blocks traffic. diff --git a/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst b/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst index 32287a9..6f067aa 100644 --- a/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst +++ b/umn/source/faq/vpcs_and_subnets/which_cidr_blocks_are_available_for_the_vpc_service.rst 
@@ -10,14 +10,18 @@ The following table lists the private CIDR blocks that you can specify when crea - Number of IP addresses: Reserve sufficient IP addresses in case of business growth. - IP address range: Avoid IP address conflicts if you need to connect a VPC to an on-premises data center or connect two VPCs. -The VPC service supports the following CIDR blocks: +:ref:`Table 1 ` lists the supported VPC CIDR blocks. -+-------------------+-----------------------------+--------------------------------+ -| VPC CIDR Block | IP Address Range | Maximum Number of IP Addresses | -+===================+=============================+================================+ -| 10.0.0.0/8-24 | 10.0.0.0-10.255.255.255 | 2^24-2=16777214 | -+-------------------+-----------------------------+--------------------------------+ -| 172.16.0.0/12-24 | 172.16.0.0-172.31.255.255 | 2^20-2=1048574 | -+-------------------+-----------------------------+--------------------------------+ -| 192.168.0.0/16-24 | 192.168.0.0-192.168.255.255 | 2^16-2=65534 | -+-------------------+-----------------------------+--------------------------------+ +.. _vpc_faq_0004__table3240172772213: + +.. table:: **Table 1** VPC CIDR blocks + + +-------------------+-----------------------------+--------------------------------+ + | VPC CIDR Block | IP Address Range | Maximum Number of IP Addresses | + +===================+=============================+================================+ + | 10.0.0.0/8-24 | 10.0.0.0-10.255.255.255 | 2^24-2=16777214 | + +-------------------+-----------------------------+--------------------------------+ + | 172.16.0.0/12-24 | 172.16.0.0-172.31.255.255 | 2^20-2=1048574 | + +-------------------+-----------------------------+--------------------------------+ + | 192.168.0.0/16-24 | 192.168.0.0-192.168.255.255 | 2^16-2=65534 | + +-------------------+-----------------------------+--------------------------------+ 
diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst index d69e08c..f7cd93e 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_4_create_a_security_group.rst @@ -10,7 +10,9 @@ Scenarios A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -When creating instances that require security groups, you are advised to allocate instances with different Internet access requirements to different security groups. +If your instances have different Internet access requirements, you can allocate them to different security groups when creating them. + +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. Procedure --------- diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst index 56e7a12..b984ecf 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst 
+++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst @@ -10,13 +10,19 @@ Scenarios A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. + Like whitelists, security group rules work as follows: -- Inbound rules control incoming traffic to instances in the security group. If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. -- Outbound rules control outgoing traffic from instances in the security group. If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. 0.0.0.0/0 represents all IPv4 addresses. 
@@ -62,15 +68,16 @@ Procedure +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+==========================================================================================================================================================================+=======================+ - | Type | IPv4 | IPv4 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | | | | | - | | Inbound rules control incoming traffic over specific ports to instances in the security group. 
| | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | 
@@ -112,15 +119,16 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+=============================================================================================================================================================================+=======================+ - | Type | IPv4 | IPv4 | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | | | | | - | | Outbound rules control outgoing traffic over specific ports from instances in the security group. 
| | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst index 1a336aa..8bd2e53 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/overview.rst 
@@ -20,26 +20,26 @@ If your ECSs do not require Internet access or need to access the Internet using .. table:: **Table 1** Configuration process description - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Task | Description | - +====================================+=================================================================================================================================================================================+ - | Create a VPC. | This task is mandatory. | - | | | - | | After the VPC is created, you can create other required network resources in the VPC based on your service requirements. | - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Create another subnet for the VPC. | This task is optional. | - | | | - | | If the default subnet cannot meet your requirements, you can create one. | - | | | - | | The new subnet is used to assign IP addresses to NICs added to the ECS. | - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Create a security group. | This task is mandatory. | - | | | - | | You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. | - | | | - | | After a security group is created, it has a default rule, which allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. 
| - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Add a security group rule. | This task is optional. | - | | | - | | If the default rule meets your service requirements, you do not need to add rules to the security group. | - +------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Task | Description | + +====================================+==========================================================================================================================+ + | Create a VPC. | This task is mandatory. | + | | | + | | After the VPC is created, you can create other required network resources in the VPC based on your service requirements. | + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Create another subnet for the VPC. | This task is optional. | + | | | + | | If the default subnet cannot meet your requirements, you can create one. | + | | | + | | The new subnet is used to assign IP addresses to NICs added to the ECS. | + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Create a security group. | This task is mandatory. | + | | | + | | You can create a security group and add ECSs in the VPC to the security group to improve ECS access security. | + | | | + | | After a security group is created, it has default rules. 
| + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ + | Add a security group rule. | This task is optional. | + | | | + | | If the default rule meets your service requirements, you do not need to add rules to the security group. | + +------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst index 8f4b0f2..325e7c6 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_3_create_a_security_group.rst 
@@ -10,7 +10,9 @@ Scenarios A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. -When creating instances that require security groups, you are advised to allocate instances with different Internet access requirements to different security groups. +If your instances have different Internet access requirements, you can allocate them to different security groups when creating them. + +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. Procedure --------- diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst index b2951b9..2b023a7 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst 
@@ -10,13 +10,19 @@ Scenarios A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules. +Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group. + Like whitelists, security group rules work as follows: -- Inbound rules control incoming traffic to instances in the security group. If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. -- Outbound rules control outgoing traffic from instances in the security group. If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. 0.0.0.0/0 represents all IPv4 addresses. 
@@ -62,15 +68,16 @@ Procedure +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+==========================================================================================================================================================================+=======================+ - | Type | IPv4 | IPv4 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can reach your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | | | | | - | | Inbound rules control incoming traffic over specific ports to instances in the security group. 
| | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source | Source of the security group rule. The value can be an IP address or a security group to allow access from IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | 
@@ -112,15 +119,16 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+=============================================================================================================================================================================+=======================+ - | Type | IPv4 | IPv4 | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, or **ICMP**, or others. | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | Destination port used to match traffic in a security group rule. The value can be from 1 to 65535. | 22, or 22-30 | + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. You can select: | IPv4 | | | | | - | | Outbound rules control outgoing traffic over specific ports from instances in the security group. 
| | + | | - IPv4 | | + | | - IPv6 | | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | | | | diff --git a/umn/source/getting_started/typical_application_scenarios.rst b/umn/source/getting_started/typical_application_scenarios.rst index c56e2e0..ffa4f8a 100644 --- a/umn/source/getting_started/typical_application_scenarios.rst +++ b/umn/source/getting_started/typical_application_scenarios.rst 
@@ -9,5 +9,4 @@ A VPC provides an isolated virtual network for ECSs. You can configure and manag - If any of your ECSs, for example, ECSs that function as the database of server nodes for website deployment, do not need to access the Internet or need to access the Internet specific IP addresses on the default network with limited bandwidth, you can configure a VPC for the ECSs by following the instructions described in :ref:`Configuring a VPC for ECSs That Do Not Require Internet Access `. - If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. Then, you can configure a VPC for these ECSs by following the instructions provided in :ref:`Configuring a VPC for ECSs That Access the Internet Using EIPs `. -- If your ECSs need to access the Internet, you can configure EIPs for them. For example, the ECSs functioning as the service nodes for deploying a website need to be accessed by users over the Internet. For details, see :ref:`Configuring a VPC for ECSs That Access the Internet Using EIPs `. - When you need to access the IPv6 services on the Internet or provide services accessible from users using an IPv6 client, you need to enable the IPv6 function. After the IPv6 function is enabled, you can provide services for users using an IPv4 or IPv6 client. diff --git a/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst b/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst index 1c79c8c..25e9972 100644 --- a/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst +++ b/umn/source/permissions_management/creating_a_user_and_granting_vpc_permissions.rst 
@@ -41,3 +41,4 @@ Process Flow In the authorized region, perform the following operations: - Choose **Service List** > **Virtual Private Cloud**. Then click **Create VPC** on the VPC console. If a message appears indicating that you have insufficient permissions to perform the operation, the **VPCReadOnlyAccess** policy is in effect. + - Choose another service from **Service List**. If a message appears indicating that you have insufficient permissions to access the service, the **VPCReadOnlyAccess** policy is in effect. diff --git a/umn/source/route_tables/adding_a_custom_route.rst b/umn/source/route_tables/adding_a_custom_route.rst index 138681d..394b31a 100644 --- a/umn/source/route_tables/adding_a_custom_route.rst +++ b/umn/source/route_tables/adding_a_custom_route.rst @@ -10,6 +10,11 @@ Scenarios Each route table contains a default system route, which indicates that ECSs in a VPC can communicate with each other. You can also add custom routes as required to forward the traffic destined for the destination to the specified next hop. +Notes and Constraints +--------------------- + +A maximum of 200 routes can be added to each route table. + Procedure --------- @@ -48,7 +53,7 @@ Procedure +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ | Next Hop Type | Mandatory | VPC peering connection | | | | | - | | Set the type of the next hop. For details about the supported resource types, see :ref:`Table 1 `. | | + | | Set the type of the next hop. | | | | | | | | .. note:: | | | | | | diff --git a/umn/source/route_tables/configuring_an_snat_server.rst b/umn/source/route_tables/configuring_an_snat_server.rst index 0426160..2b7c6f5 100644 --- a/umn/source/route_tables/configuring_an_snat_server.rst +++ b/umn/source/route_tables/configuring_an_snat_server.rst 
@@ -69,7 +69,7 @@ Procedure **cat /proc/sys/net/ipv4/ip_forward** - In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. + In the command output, **1** indicates that IP forwarding is enabled, and **0** indicates that IP forwarding is disabled. The default value is **0**. - If IP forwarding in Linux is enabled, go to step :ref:`14 `. - If IP forwarding in Linux is disabled, go to :ref:`12 ` to enable IP forwarding in Linux. diff --git a/umn/source/route_tables/creating_a_custom_route_table.rst b/umn/source/route_tables/creating_a_custom_route_table.rst index bb19964..ff8a46f 100644 --- a/umn/source/route_tables/creating_a_custom_route_table.rst +++ b/umn/source/route_tables/creating_a_custom_route_table.rst @@ -10,6 +10,11 @@ Scenarios A VPC automatically comes with a default route table. If your default route table cannot meet your service requirements, you can create a custom route table. +Notes and Constraints +--------------------- + +By default, each VPC can have up to 10 route tables, including the default route table. + Procedure --------- diff --git a/umn/source/route_tables/deleting_a_route_table.rst b/umn/source/route_tables/deleting_a_route_table.rst index b3ad566..fde7885 100644 --- a/umn/source/route_tables/deleting_a_route_table.rst +++ b/umn/source/route_tables/deleting_a_route_table.rst @@ -26,9 +26,7 @@ Procedure 2. Click |image1| in the upper left corner and select the desired region and project. -3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. - - The **Virtual Private Cloud** page is displayed. +3. Click |image2| in the upper left corner and choose **Network** > **Virtual Private Cloud**. The **Virtual Private Cloud** page is displayed. 4. In the navigation pane on the left, choose **Virtual Private Cloud** > **Route Tables**. 
diff --git a/umn/source/route_tables/index.rst b/umn/source/route_tables/index.rst index 9fdae4f..68c4a94 100644 --- a/umn/source/route_tables/index.rst +++ b/umn/source/route_tables/index.rst @@ -5,7 +5,7 @@ Route Tables ============ -- :ref:`Route Table Overview ` +- :ref:`Route Tables and Routes ` - :ref:`Creating a Custom Route Table ` - :ref:`Associating a Route Table with a Subnet ` - :ref:`Changing the Route Table Associated with a Subnet ` @@ -23,7 +23,7 @@ Route Tables :maxdepth: 1 :hidden: - route_table_overview + route_tables_and_routes creating_a_custom_route_table associating_a_route_table_with_a_subnet changing_the_route_table_associated_with_a_subnet diff --git a/umn/source/route_tables/modifying_a_route.rst b/umn/source/route_tables/modifying_a_route.rst index d4b26d1..6d3aa4a 100644 --- a/umn/source/route_tables/modifying_a_route.rst +++ b/umn/source/route_tables/modifying_a_route.rst @@ -48,7 +48,7 @@ Procedure +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ | Next Hop Type | Mandatory | VPC peering connection | | | | | - | | Set the type of the next hop. For details about the supported resource types, see :ref:`Table 1 `. | | + | | Set the type of the next hop. | | | | | | | | .. note:: | | | | | | diff --git a/umn/source/route_tables/route_table_overview.rst b/umn/source/route_tables/route_tables_and_routes.rst similarity index 78% rename from umn/source/route_tables/route_table_overview.rst rename to umn/source/route_tables/route_tables_and_routes.rst index 59b5bbb..66519e9 100644 --- a/umn/source/route_tables/route_table_overview.rst +++ b/umn/source/route_tables/route_tables_and_routes.rst 
@@ -2,48 +2,52 @@ .. _vpc_route01_0001: -Route Table Overview -==================== +Route Tables and Routes +======================= -Route Table ------------ +Route Tables +------------ A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. A subnet can only be associated with one route table, but you can associate multiple subnets with the same route table. -Default Route Table and Custom Route Table ------------------------------------------- -When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. +.. figure:: /_static/images/en-us_image_0000001650535960.png + :alt: **Figure 1** Route tables -- You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. -- When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. + **Figure 1** Route tables -If you do not want to use the default route table, you can now create a custom route table and associate it with the subnet. You can delete the custom route table if it is no longer required. +- Default route table: When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. The default route table ensures that subnets in a VPC can communicate with each other. -.. note:: + - You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. + - When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. 
- The custom route table associated with a subnet affects only the outbound traffic. The default route table determines the inbound traffic. +- Custom route table: If you do not want to use the default route table, you can create a custom route table and associate it with the subnet. Custom route tables can be deleted if they are no longer required. + + The custom route table associated with a subnet affects only the outbound traffic. The default route table controls the inbound traffic. Route ----- -A route is configured with the destination, next hop type, and next hop to determine where network traffic is directed. Routes are classified into system routes and custom routes. +You can add routes to default and custom route tables and configure the destination, next hop type, and next hop in the routes to determine where network traffic is directed. Routes are classified into system routes and custom routes. - System routes: These routes are automatically added by the system and cannot be modified or deleted. After a route table is created, the system automatically adds the following system routes to the route table, so that instances in a VPC can communicate with each other. - - The route destination of 100.64.0.0/10 or 198.19.128.0/20 is used by network services, such as DNS and VPCEP on the cloud. - - The route destination of 127.0.0.0/8 is the local loopback address. - - The route with destination of a subnet CIDR block is used for communication between subnets in a VPC. + - Routes whose destination is 100.64.0.0/10 or 198.19.128.0/20. + - Routes whose destination is a subnet CIDR block. + + .. note:: + + In addition to the preceding system routes, the system automatically adds a route whose destination is 127.0.0.0/8. This is the local loopback address. - Custom routes: These are routes that you can add, modify, and delete. The destination of a custom route cannot overlap with that of a system route. 
- You can add a custom route and configure the destination, next hop type, and next hop in the route to determine where network traffic is directed. :ref:`Table 1 ` lists the supported types of next hops. + You can add a custom route and configure the destination, next hop type, and next hop in the route to determine where network traffic is directed. :ref:`Table 1 ` lists the supported types of next hops. - You cannot add two routes with the same destination to a VPC route table even if their next hop types are different, because the destination determines the route priority. According to the longest match routing rule, the destination with a higher matching degree is preferentially selected for packet forwarding. + You cannot add two routes with the same destination to a VPC route table even if their next hop types are different. The route priority depends on the destination. According to the longest match routing rule, the destination with a higher matching degree is preferentially selected for packet forwarding. - .. _vpc_route01_0001__table1727714140542: + .. _vpc_route01_0001__en-us_topic_0038263963_route_0001_table1727714140542: .. table:: **Table 1** Next hop type 
@@ -82,14 +86,14 @@ A route is configured with the destination, next hop type, and next hop to deter Custom Route Table Configuration Process ---------------------------------------- -:ref:`Figure 1 ` shows the process of creating and configuring a custom route table. +:ref:`Figure 2 ` shows the process of creating and configuring a custom route table. .. _vpc_route01_0001__en-us_topic_0212076956_fig16862186152219: .. figure:: /_static/images/en-us_image_0214585341.png - :alt: **Figure 1** Route table configuration process + :alt: **Figure 2** Route table configuration process - **Figure 1** Route table configuration process + **Figure 2** Route table configuration process #. For details about how to create a custom route table, see :ref:`Creating a Custom Route Table `. #. For details about how to add a custom route, see :ref:`Adding a Custom Route `. diff --git a/umn/source/service_overview/basic_concepts/route_table.rst b/umn/source/service_overview/basic_concepts/route_table.rst index a2d3459..02588c9 100644 --- a/umn/source/service_overview/basic_concepts/route_table.rst +++ b/umn/source/service_overview/basic_concepts/route_table.rst 
@@ -5,19 +5,25 @@ Route Table =========== -Default Route Table and Custom Route Table ------------------------------------------- +Route Tables +------------ -When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. +A route table contains a set of routes that are used to determine where network traffic from your subnets in a VPC is directed. Each subnet must be associated with a route table. A subnet can only be associated with one route table, but you can associate multiple subnets with the same route table. -- You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. -- When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. -If you do not want to use the default route table, you can now create a custom route table and associate it with the subnet. You can delete the custom route table if it is no longer required. +.. figure:: /_static/images/en-us_image_0000001650535960.png + :alt: **Figure 1** Route tables -.. note:: + **Figure 1** Route tables - The custom route table associated with a subnet affects only the outbound traffic. The default route table determines the inbound traffic. +- Default route table: When you create a VPC, the system automatically generates a default route table for the VPC. If you create a subnet in the VPC, the subnet automatically associates with the default route table. The default route table ensures that subnets in a VPC can communicate with each other. + + - You can add routes to, delete routes from, and modify routes in the default route table, but cannot delete the table. + - When you create a VPC endpoint, VPN or Direct Connect connection, the default route table automatically delivers a route that cannot be deleted or modified. 
+ +- Custom route table: If you do not want to use the default route table, you can create a custom route table and associate it with the subnet. Custom route tables can be deleted if they are no longer required. + + The custom route table associated with a subnet affects only the outbound traffic. The default route table controls the inbound traffic. Route ----- diff --git a/umn/source/service_overview/basic_concepts/security_group.rst b/umn/source/service_overview/basic_concepts/security_group.rst index 7923e13..aa59a7c 100644 --- a/umn/source/service_overview/basic_concepts/security_group.rst +++ b/umn/source/service_overview/basic_concepts/security_group.rst 
@@ -9,32 +9,38 @@ A security group is a collection of access control rules for cloud resources, su Like whitelists, security group rules work as follows: -- Inbound rules control incoming traffic to instances in the security group. If an inbound request matches the source in an inbound security group rule with **Action** set to **Allow**, the request is allowed. +- Inbound rules control incoming traffic to instances in the security group. + + If an inbound request matches the source in an inbound security group rule, the request is allowed and other requests are denied. By default, you do not need to configure deny rules in the inbound direction because requests that do not match allow rules will be denied. -- Outbound rules control outgoing traffic from instances in the security group. If the destination of an outbound security group rule with **Action** set to **Allow** is 0.0.0.0/0, all outbound requests are allowed. +- Outbound rules control outgoing traffic from instances in the security group. + + If the destination of an outbound security group rule is 0.0.0.0/0, all outbound requests are allowed. 0.0.0.0/0 represents all IPv4 addresses. ::/0 represents all IPv6 addresses. -:ref:`Table 1 ` shows the inbound and outbound rules in security group sg-AB. +:ref:`Table 1 ` uses custom security group sg-AB as an example to describe its inbound and outbound rules in detail. .. _vpc_concepts_0005__en-us_topic_0073379079_table102261597217: .. 
table:: **Table 1** Rules in security group sg-AB - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Direction | Type | Protocol & Port | Source/Destination | Description | - +===========+======+=================+========================+======================================================================================================================================+ - | Inbound | IPv4 | All | Source: sg-AB | This rule allows ECSs in the security group to communicate with each other. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Inbound | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | This rule allows all IPv4 addresses to access ECSs in the security group over SSH port 22 for remotely logging in to Linux ECSs. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Inbound | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | This rule allows all IPv4 addresses to access ECSs in the security group over RDP port 3389 for remotely logging in to Windows ECSs. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Inbound | IPv4 | TCP: 80 | Source: 10.5.6.30/32 | This rule allows IP address 10.5.6.30 to access ECSs in the security group over port 80. 
| - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ - | Outbound | IPv4 | All | Destination: 0.0.0.0/0 | This rule allows access from ECSs in the security group to any IPv4 address over any port. | - +-----------+------+-----------------+------------------------+--------------------------------------------------------------------------------------------------------------------------------------+ + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Type | Protocol & Port | Source/Destination | Description | + +===========+======+=================+========================+==============================================================================================================================+ + | Inbound | IPv4 | All | Source: sg-AB | Allows ECSs in the security group to communicate with each other. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 22 (SSH) for remotely logging in to Linux ECSs. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access ECSs in the security group over port 3389 (RDP) for remotely logging in to Windows ECSs. 
| + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Inbound | IPv4 | TCP: 80 | Source: 10.5.6.30/32 | Allows IP address 10.5.6.30 to access ECSs in the security group over port 80. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from ECSs in the security group to any IPv4 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Outbound | IPv6 | All | Destination: ::/0 | Allows access from ECSs in the security group to any IPv6 address over any port. | + +-----------+------+-----------------+------------------------+------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/service_overview/basic_concepts/subnet.rst b/umn/source/service_overview/basic_concepts/subnet.rst index 60cb03f..d34d26a 100644 --- a/umn/source/service_overview/basic_concepts/subnet.rst +++ b/umn/source/service_overview/basic_concepts/subnet.rst 
@@ -7,14 +7,14 @@ Subnet A subnet is a unique CIDR block with a range of IP addresses in a VPC. All resources in a VPC must be deployed on subnets. -- By default, ECSs in all subnets of the same VPC can communicate with one another, but ECSs in different VPCs cannot. +- By default, all instances in different subnets of the same VPC can communicate with each other and the subnets can be located in different AZs. For example, VPC-A has subnet A01 in AZ A and subnet A02 in AZ B. Subnet A01 and subnet B01 can communicate with each other by default. - You can create VPC peering connections to enable ECSs in different VPCs but in the same region to communicate with one another. For details, see :ref:`VPC Peering Connection Overview `. +- After a subnet is created, its CIDR block cannot be modified. Subnets in the same VPC cannot overlap. -- After a subnet is created, its CIDR block cannot be modified. + A subnet mask can be between the netmask of its VPC CIDR block and /29 netmask. If a VPC CIDR block is 10.0.0.0/16, its subnet mask can between 16 to 29. - The subnets used to deploy your resources must reside within your VPC, and the subnet masks used to define them can be between the netmask of its VPC CIDR block and /29 netmask. + For example, if the CIDR block of VPC-A is 10.0.0.0/16, you can specify 10.0.0.0/24 for subnet A01, 10.0.1.0/24 for subnet A02, and 10.0.3.0/24 for subnet A03. - - 10.0.0.0 - 10.255.255.255 - - 172.16.0.0 - 172.31.255.255 - - 192.168.0.0 - 192.168.255.255 + .. note:: + + By default, you can create a maximum of 100 subnets in each region. If this cannot meet your service requirements, request a quota increase by referring to :ref:`What Is a Quota? ` diff --git a/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst b/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst index 7093b52..0ddff4a 100644 --- a/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst +++ b/umn/source/shared_bandwidth/deleting_a_shared_bandwidth.rst 
@@ -26,7 +26,7 @@ Procedure 4. In the navigation pane on the left, choose **Elastic IP and Bandwidth** > **Shared Bandwidths**. 5. In the shared bandwidth list, locate the row that contains the shared bandwidth you want to delete, click **More** in the **Operation** column, and then click **Delete**. -6. In the displayed dialog box, click **Yes**. +6. In the displayed dialog box, click **OK**. .. |image1| image:: /_static/images/en-us_image_0141273034.png .. |image2| image:: /_static/images/en-us_image_0000001454059512.png diff --git a/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst b/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst index 7d14be5..e67f597 100644 --- a/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst +++ b/umn/source/virtual_ip_address/binding_a_virtual_ip_address_to_an_eip_or_ecs.rst @@ -35,7 +35,7 @@ Procedure - To bind a virtual IP address to an EIP, locate the row that contains the virtual IP address and click **Bind to EIP** in the **Operation** column. - To bind a virtual IP address to an ECS, locate the row that contains the virtual IP address and click **Bind to Server** in the **Operation** column. -#. Select the desired EIP, or ECS and its NIC. +#. Select the EIP or ECS to be bound. .. note:: diff --git a/umn/source/virtual_ip_address/disabling_ip_forwarding_on_the_standby_ecs.rst b/umn/source/virtual_ip_address/disabling_ip_forwarding_on_the_standby_ecs.rst index bbe194d..02c7785 100644 --- a/umn/source/virtual_ip_address/disabling_ip_forwarding_on_the_standby_ecs.rst +++ b/umn/source/virtual_ip_address/disabling_ip_forwarding_on_the_standby_ecs.rst 
@@ -15,13 +15,17 @@ Linux #. Log in to the ECS. +#. Run the following command to switch to user **root**: + + **su root** + #. Check whether IP forwarding is enabled: **cat /proc/sys/net/ipv4/ip_forward** In the command output, **1** indicates it is enabled, and **0** indicates it is disabled. The default value is **0**. - - If **1** is displayed, go to :ref:`3 `. + - If **1** is displayed, go to :ref:`4 `. - If **0** is displayed, no further action is required. #. .. _vpc_vip_0007__en-us_topic_0206027322_li97125518364: diff --git a/umn/source/virtual_ip_address/disabling_source_destination_check_for_an_ecs_nic.rst b/umn/source/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst similarity index 84% rename from umn/source/virtual_ip_address/disabling_source_destination_check_for_an_ecs_nic.rst rename to umn/source/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst index c910801..6b1756c 100644 --- a/umn/source/virtual_ip_address/disabling_source_destination_check_for_an_ecs_nic.rst +++ b/umn/source/virtual_ip_address/disabling_source_and_destination_check_ha_load_balancing_cluster_scenario.rst @@ -2,8 +2,8 @@ .. _vpc_vip_0008: -Disabling Source/Destination Check for an ECS NIC -================================================= +Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) +=========================================================================== Scenarios --------- diff --git a/umn/source/virtual_ip_address/index.rst b/umn/source/virtual_ip_address/index.rst index 3622855..92b626f 100644 --- a/umn/source/virtual_ip_address/index.rst +++ b/umn/source/virtual_ip_address/index.rst 
@@ -13,7 +13,7 @@ Virtual IP Address - :ref:`Using a Direct Connect Connection to Access the Virtual IP Address ` - :ref:`Using a VPC Peering Connection to Access the Virtual IP Address ` - :ref:`Disabling IP Forwarding on the Standby ECS ` -- :ref:`Disabling Source/Destination Check for an ECS NIC ` +- :ref:`Disabling Source and Destination Check (HA Load Balancing Cluster Scenario) ` - :ref:`Unbinding a Virtual IP Address from an Instance ` - :ref:`Unbinding a Virtual IP Address from an EIP ` - :ref:`Releasing a Virtual IP Address ` @@ -30,7 +30,7 @@ Virtual IP Address using_a_direct_connect_connection_to_access_the_virtual_ip_address using_a_vpc_peering_connection_to_access_the_virtual_ip_address disabling_ip_forwarding_on_the_standby_ecs - disabling_source_destination_check_for_an_ecs_nic + disabling_source_and_destination_check_ha_load_balancing_cluster_scenario unbinding_a_virtual_ip_address_from_an_instance unbinding_a_virtual_ip_address_from_an_eip releasing_a_virtual_ip_address diff --git a/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst b/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst index 8144d2a..56af1cd 100644 --- a/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst +++ b/umn/source/vpc_and_subnet/subnet/deleting_a_subnet.rst @@ -8,7 +8,7 @@ Deleting a Subnet Scenarios --------- -If your subnet is no longer required, you can delete it: +This section describes how to delete a subnet. Notes and Constraints --------------------- diff --git a/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst b/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst index 499790b..81a6a3e 100644 --- a/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst +++ b/umn/source/vpc_and_subnet/subnet/managing_subnet_tags.rst 
@@ -63,11 +63,7 @@ Procedure #. In the search box above the subnet list, click the search box. - a. Click **Tag**. - - b. Select the target tags and click **OK**. - - The system filters resources based on the tags you select. + Click the tag key and then the value as required. The system filters resources based on the tag you select. **Add, delete, edit, and view tags on the Tags tab of a subnet.** diff --git a/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst b/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst index d9ba90d..059ca5a 100644 --- a/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst +++ b/umn/source/vpc_and_subnet/subnet/viewing_and_deleting_resources_in_a_subnet.rst @@ -37,8 +37,14 @@ Procedure #. On the **Summary** page, view the resources in the subnet. - a. In the **VPC Resources** area, view the ECSs, BMSs, network interfaces, and load balancers in the subnet. - b. In the **Networking Components** area, view the NAT gateways in the subnet. + a. In the **VPC Resources** area, view the quantities of resources, such as ECSs, BMSs, network interfaces, and load balancers, in the subnet. Click the resource quantity with a hyperlink to view the resources in the subnet. + b. In the **Networking Components** area on the right of the page, view the NAT gateway, route table, and subnet. + + + .. figure:: /_static/images/en-us_image_0000001678437642.png + :alt: **Figure 1** Viewing resources in a subnet + + **Figure 1** Viewing resources in a subnet #. Delete resources from the subnet. 
@@ -65,7 +71,7 @@ Procedure +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+ | Load balancer | You can directly switch to load balancers from the subnet details page. | | | | - | | a. Click the load balancer quantity in the **VPC Resources** area. | + | | a. Click the load balancer quantity. | | | | | | The load balancer list is displayed. | | | | diff --git a/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst b/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst index a11a1a0..2707ded 100644 --- a/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst +++ b/umn/source/vpc_and_subnet/subnet/viewing_ip_addresses_in_a_subnet.rst @@ -44,7 +44,7 @@ Procedure #. Click the **IP Addresses** tab to view the IP addresses in the subnet. a. In the virtual IP address list, you can view the virtual IP addresses assigned from the subnet. - b. In the private IP address list in the lower part of the page, you can view the private IP addresses and the resources that use the IP addresses of the subnet. + b. In the private IP address list in the lower part of the page, you can view the private IP addresses used by the subnet (gateway, system interface, and DHCP). Follow-up Operations -------------------- diff --git a/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst b/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst index 1e8b543..5371b5a 100644 --- a/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst +++ b/umn/source/vpc_and_subnet/vpc/exporting_vpc_list.rst 
@@ -10,7 +10,7 @@ Scenarios Information about all VPCs under your account can be exported as an Excel file to a local directory. -Such a file records the names, ID, status, CIDR blocks, and the number of subnets of your VPCs. +This file records the names, ID, status, CIDR blocks, and the number of subnets of your VPCs. Procedure --------- diff --git a/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst b/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst index 6b373c6..de98619 100644 --- a/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst +++ b/umn/source/vpc_and_subnet/vpc/managing_vpc_tags.rst @@ -53,13 +53,13 @@ Procedure The **Virtual Private Cloud** page is displayed. -#. In the search box above the VPC list, click the search box. +#. In the search box above the subnet list, click the search box. - a. Click **Tag**. + Click the tag key and then the value as required. The system filters resources based on the tag you select. - b. Select the target tags and click **OK**. + Click anywhere in the search box to add the next tag key and value. - The system filters resources based on the tags you select. + You can add multiple tag keys and values to refine your search results. If you add more than one tag to search for VPCs, the VPCs containing all specified tags will be displayed. **Add, delete, edit, and view tags on the Tags tab of a VPC.** diff --git a/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst b/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst index 7ca5448..7e22276 100644 --- a/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst +++ b/umn/source/vpc_and_subnet/vpc/obtaining_a_vpc_id.rst 
@@ -10,7 +10,7 @@ Scenarios This section describes how to view and obtain a VPC ID. -If you want to obtain the ID of the peer VPC when you create a VPC peering connection between two VPCs from different accounts, you can refer to the following procedure. +If you create a VPC peering connection between two VPCs in different accounts, you need to obtain the project ID of the region that the peer VPC resides. You can recommend this section to the user of the peer VPC to obtain the project ID. Procedure --------- diff --git a/umn/source/vpc_flow_log/vpc_flow_log_overview.rst b/umn/source/vpc_flow_log/vpc_flow_log_overview.rst index edb51ce..2a58ce2 100644 --- a/umn/source/vpc_flow_log/vpc_flow_log_overview.rst +++ b/umn/source/vpc_flow_log/vpc_flow_log_overview.rst @@ -21,3 +21,4 @@ Notes and Constraints - Currently, C3, M3, and S2 ECSs support VPC flow logs. - Each account can have up to 10 VPC flow logs in a region. +- By default, a maximum of 400,000 flow log records are supported. diff --git a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst index 852d867..4e3428b 100644 --- a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst +++ b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst 
@@ -78,34 +78,38 @@ Step 1: Create a VPC Peering Connection .. table:: **Table 1** Parameters for creating a VPC peering connection - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Parameter | Description | Example Value | - +=======================+==================================================================================================================================================================================================+==================================+ - | Name | Mandatory | peering-AB | - | | | | - | | Enter a name for the VPC peering connection. | | - | | | | - | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Local VPC | Mandatory | VPC-A | - | | | | - | | VPC at one end of the VPC peering connection. You can select one from the drop-down list. 
| | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Account | Mandatory | Another account | - | | | | - | | - Options: **My account** and **Another account** | | - | | - Select **Another account**. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Peer Project ID | This parameter is mandatory because **Account** is set to **Another account**. | Project ID of VPC-B in region A: | - | | | | - | | The project ID of the region that the peer VPC resides. For details about how to obtain the project ID, see :ref:`Obtaining the Peer Project ID of a VPC Peering Connection `. | 067cf8aecf3XXX08322f13b | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ - | Peer VPC ID | This parameter is mandatory because **Account** is set to **Another account**. | VPC-B ID: | - | | | | - | | ID of the VPC at the other end of the VPC peering connection. For details about how to obtain the ID, see :ref:`Obtaining a VPC ID `. 
| 17cd7278-XXX-530c952dcf35 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+ + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=============================+==================================================================================================================================================================================================+======================================+ + | VPC Peering Connection Name | Mandatory | peering-AB | + | | | | + | | Enter a name for the VPC peering connection. | | + | | | | + | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC | Mandatory | VPC-A | + | | | | + | | VPC at one end of the VPC peering connection. You can select one from the drop-down list. 
| | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Account | Mandatory | Another account | + | | | | + | | - Options: **My account** and **Another account** | | + | | - Select **Another account**. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer Project ID | This parameter is mandatory because **Account** is set to **Another account**. | Project ID of VPC-B in region A: | + | | | | + | | The project ID of the region that the peer VPC resides. For details about how to obtain the project ID, see :ref:`Obtaining the Peer Project ID of a VPC Peering Connection `. | 067cf8aecf3XXX08322f13b | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC ID | This parameter is mandatory because **Account** is set to **Another account**. | VPC-B ID: | + | | | | + | | ID of the VPC at the other end of the VPC peering connection. For details about how to obtain the ID, see :ref:`Obtaining a VPC ID `. 
| 17cd7278-XXX-530c952dcf35 | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Description | Optional | peering-AB connects VPC-A and VPC-B. | + | | | | + | | Enter the description of the VPC peering connection in the text box as required. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ 7. Click **OK**. @@ -147,15 +151,13 @@ After you create a VPC peering connection with a VPC in another account, you nee #. Go to :ref:`Step 3: Add Routes for the VPC Peering Connection `. - .. important:: - - After a VPC peering connection is created, you must add routes to the route tables of the local and peer VPCs. Otherwise, the VPC peering connection does not take effect. - .. _en-us_topic_0046655038__section519111175712: Step 3: Add Routes for the VPC Peering Connection ------------------------------------------------- +To enable communications between VPCs connected by a VPC peering connection, you need to add forward and return routes to the route tables of the VPCs. For details, see :ref:`VPC Peering Connection Usage Examples `. + Both accounts need to add a route to the route table of their VPC. In this example, account A adds a route to the route table of VPC-A, and account B adds a route to the route table of VPC-B. #. Add routes to the route table of the local VPC: 
@@ -262,7 +264,7 @@ After you add routes for the VPC peering connection, verify the communication be .. important:: - - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network `. + - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs In Different Security Groups to Communicate Through an Internal Network `. - If VPCs connected by a VPC peering connection cannot communicate with each other, refer to :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? `. .. |image1| image:: /_static/images/en-us_image_0141273034.png diff --git a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst index 9ae17a2..ce77edf 100644 --- a/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst +++ b/umn/source/vpc_peering_connection/creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst @@ -30,6 +30,7 @@ Notes and Constraints - Only one VPC peering connection can be created between two VPCs at the same time. - A VPC peering connection can only connect VPCs in the same region. - If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect. +- After a VPC peering connection is created, you must add routes to the route tables of the local and peer VPCs. Otherwise, the VPC peering connection does not take effect. Prerequisites ------------- 
@@ -71,38 +72,42 @@ Step 1: Create a VPC Peering Connection .. table:: **Table 1** Parameters for creating a VPC peering connection - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+==================================================================================================================================================================================================+=======================+ - | Name | Mandatory | peering-AB | - | | | | - | | Enter a name for the VPC peering connection. | | - | | | | - | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Local VPC | Mandatory | VPC-A | - | | | | - | | VPC at one end of the VPC peering connection. You can select one from the drop-down list. 
| | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Account | Mandatory | My account | - | | | | - | | - Options: **My account** and **Another account** | | - | | - Select **My account**. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Peer Project | The system fills in the corresponding project by default because **My account** is set to **Account**. | ab-cdef-1 | - | | | | - | | For example, if VPC-A and VPC-B are in account A and region A, the system fills in the correspond project of account A in region A by default. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Peer VPC | This parameter is mandatory if **Account** is set to **My account**. | VPC-B | - | | | | - | | VPC at the other end of the VPC peering connection. You can select one from the drop-down list. 
| | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Peer VPC CIDR Block | CIDR block of the selected peer VPC | 172.17.0.0/16 | - | | | | - | | If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect. For details, see :ref:`VPC Peering Connection Usage Examples `. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Parameter | Description | Example Value | + +=============================+==================================================================================================================================================================================================+======================================+ + | VPC Peering Connection Name | Mandatory | peering-AB | + | | | | + | | Enter a name for the VPC peering connection. | | + | | | | + | | The name can contain a maximum of 64 characters, including letters, digits, hyphens (-), and underscores (_). | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC | Mandatory | VPC-A | + | | | | + | | VPC at one end of the VPC peering connection. 
You can select one from the drop-down list. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Local VPC CIDR Block | CIDR block of the selected local VPC | 172.16.0.0/16 | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Account | Mandatory | My account | + | | | | + | | - Options: **My account** and **Another account** | | + | | - Select **My account**. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer Project | The system fills in the corresponding project by default because **My account** is set to **Account**. | ab-cdef-1 | + | | | | + | | For example, if VPC-A and VPC-B are in account A and region A, the system fills in the correspond project of account A in region A by default. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC | This parameter is mandatory if **Account** is set to **My account**. | VPC-B | + | | | | + | | VPC at the other end of the VPC peering connection. You can select one from the drop-down list. 
| | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Peer VPC CIDR Block | CIDR block of the selected peer VPC | 172.17.0.0/16 | + | | | | + | | If the local and peer VPCs have overlapping CIDR blocks, the VPC peering connection may not take effect. For details, see :ref:`VPC Peering Connection Usage Examples `. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ + | Description | Optional | peering-AB connects VPC-A and VPC-B. | + | | | | + | | Enter the description of the VPC peering connection in the text box as required. | | + +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+ 7. Click **OK**. @@ -118,6 +123,8 @@ Step 1: Create a VPC Peering Connection Step 2: Add Routes for the VPC Peering Connection ------------------------------------------------- +To enable communications between VPCs connected by a VPC peering connection, you need to add forward and return routes to the route tables of the VPCs. For details, see :ref:`VPC Peering Connection Usage Examples `. + #. Add routes to the route table of the local VPC: a. On the **Local Routes** tab of the VPC peering connection, click the **Route Tables** hyperlink. 
@@ -214,7 +221,7 @@ After you add routes for the VPC peering connection, verify the communication be .. important:: - - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs in Different Security Groups to Communicate with Each Other Through an Internal Network `. + - In this example, ECS-A01 and RDS-B01 are in the same security group. If the instances in different security groups, you need to add inbound rules to allow access from the peer security group. For details, see :ref:`Enabling ECSs In Different Security Groups to Communicate Through an Internal Network `. - If VPCs connected by a VPC peering connection cannot communicate with each other, refer to :ref:`Why Did Communication Fail Between VPCs That Were Connected by a VPC Peering Connection? `. .. |image1| image:: /_static/images/en-us_image_0141273034.png
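Review bot: in the first hunk of this patch (the IP-forwarding procedure) the new `su root` step is placed before a read-only check that needs no privilege: `cat /proc/sys/net/ipv4/ip_forward` works for an unprivileged user, and only writing the sysctl in the later step does not. Consider moving the switch-to-root step directly before the step that disables forwarding, or prefixing that single command with `sudo`, so the operator does not run the whole session as root; also note that `su root` prompts for the root password, which is often unset on cloud images, where `sudo -i` is the usual alternative. The renumbered `go to :ref:`4 `` is consistent with the inserted step.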
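Review bot: renaming disabling_source_destination_check_for_an_ecs_nic.rst changes the built page's URL while the `.. _vpc_vip_0008:` label is kept, so `:ref:` cross-references keep resolving but any external bookmarks or links to the old path will break; add a redirect from the old path if the published site supports one. The index.rst toctree entry and link text in the following hunks are updated consistently with the new file name and title.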
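Review bot: in the managing_vpc_tags.rst hunk the changed step now reads `In the search box above the subnet list, click the search box.`, but this page is about VPC tags and the list on the Virtual Private Cloud page is the VPC list; keep `VPC list` from the removed line. The step is also circular (`In the search box ... click the search box`); `Click the search box above the VPC list.` says the same thing. Separately, managing_subnet_tags.rst receives only the first sentence of this new text while this page gains the multi-tag instructions (`Click anywhere in the search box to add the next tag key and value.` and the sentence after it); if subnet filtering supports multiple tags as well, the two pages should match.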
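Review bot: in the viewing_and_deleting_resources_in_a_subnet.rst hunk the new `.. figure::` block's `:alt:` value contains `**Figure 1**`, but the alt option is taken as literal text, so the asterisks will end up in the image's alt attribute; use `:alt: Figure 1 Viewing resources in a subnet`. The two blank lines before `.. figure::` and its indentation should be checked so the figure stays inside the enumerated step rather than closing the list. In item b., `view the NAT gateway, route table, and subnet` on the subnet's own summary page is confusing; if this means the route table associated with the subnet, say so.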
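Review bot: the new paragraph in obtaining_a_vpc_id.rst is about obtaining the project ID of the peer region, but the unchanged line above it says the section describes how to obtain a VPC ID, and the peering parameter tables in this same patch send readers to `Obtaining the Peer Project ID of a VPC Peering Connection` for the project ID and to `Obtaining a VPC ID` for the VPC ID. Either this text belongs in the project-ID section, or it should say that the user of the peer VPC provides its VPC ID. Grammar in the same line: `the region that the peer VPC resides` should be `the region in which the peer VPC resides`; the same phrase recurs in the Peer Project ID row of both rewritten tables.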
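Review bot: `By default, a maximum of 400,000 flow log records are supported.` in the vpc_flow_log_overview.rst hunk does not say what the limit applies to: per flow log, per account, per region, or per query. The bullet above it is explicitly scoped (`Each account can have up to 10 VPC flow logs in a region`), so state the scope and period of this limit the same way, and say whether and how the default can be raised, since `By default` implies it can.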
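Review bot: the `.. important::` note about adding routes to both route tables is removed from creating_a_vpc_peering_connection_with_a_vpc_in_another_account.rst, while the equivalent bullet is added only to Notes and Constraints of creating_a_vpc_peering_connection_with_another_vpc_in_your_account.rst (the `@@ -30,6 +30,7 @@` hunk). There is no matching hunk for the another-account file, so check that its Notes and Constraints list gets the same bullet; otherwise that warning is lost there and only survives as the softer sentence added under Step 3. In the new Description row, the constraint `cannot contain angle brackets (< or >)` appears in this table but not in the Description row of the your-account table; if it is the same field, both tables should state it.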
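Review bot: in the rewritten Peer Project row of the your-account table, `because **My account** is set to **Account**` has the field and value swapped; it should read `because **Account** is set to **My account**`, matching the Peer VPC row below it, and `the correspond project` should be `the corresponding project`. Both errors are carried over from the removed lines into the new table, so this rewrite is the place to fix them.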
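Review bot: the retitled cross-reference `Enabling ECSs In Different Security Groups to Communicate Through an Internal Network`, changed identically in both creating_a_vpc_peering_connection_*.rst files, capitalizes `In` mid-title, unlike the title case used by the other reference on the same line (`Connected by a VPC Peering Connection`); confirm the link text matches the target section's actual heading. The surrounding sentence, `If the instances in different security groups, you need to add inbound rules`, is missing `are` and is being touched anyway, so fix it in the same change.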