diff --git a/umn/source/access_control/differences_between_security_groups_and_firewalls.rst b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst index c4b42e5..c3b3790 100644 --- a/umn/source/access_control/differences_between_security_groups_and_firewalls.rst +++ b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst @@ -5,9 +5,9 @@ Differences Between Security Groups and Firewalls ================================================= -You can configure security groups and firewalls to increase the security of ECSs in your VPC. +You can configure firewall and security group rules to protect the instances in your VPC, such as ECSs, databases, and CCI. -- Security groups operate at the ECS level. +- A security group protects the instances in it. - Firewalls protect associated subnets and all the resources in the subnets. For details, see :ref:`Figure 1 `. 
@@ -23,18 +23,22 @@ For details, see :ref:`Figure 1 `. .. _en-us_topic_0052003963__table53053071174845: -.. table:: **Table 1** Differences between security groups and firewalls +.. table:: **Table 1** Differences between security groups firewalls - +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Category | Security Group | Firewall | - +==========+================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================================+ - | Scope | Operates at the ECS level. | Operates at the subnet level. | - +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. 
| - +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. | - +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable firewall. The firewall then takes effect for the associated subnets and ECSs in the subnets. 
| - +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. | - +----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Category | Security Group | Firewall | + 
+=======================+=================================================================================================================================================================================+===========================================================================================================================================================================================================================================================+ + | Protection Scope | Protects instances in a security group, such as ECSs, databases, and CCI. | Protects subnets and all the instances in the subnets. | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. 
| + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Usage | - When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, the system automatically creates a default security group. | Selecting a firewall is not allowed when you create a subnet. You must create a firewall, add inbound and outbound rules, associate subnets with it, and enable firewall. The firewall then protects the associated subnets and instances in the subnets. | + | | - After creating an instance, you can: | | + | | | | + | | - Add or remove instances on the security group console. | | + | | - Add or remove a security group for an instance on the instance console. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. 
| + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/access_control/firewall/adding_a_firewall_rule.rst b/umn/source/access_control/firewall/adding_a_firewall_rule.rst index 6510a64..a6f6e1a 100644 --- a/umn/source/access_control/firewall/adding_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/adding_a_firewall_rule.rst 
@@ -43,49 +43,49 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+=================================================================================================================================================================================================================================================================================================================================+=======================+ - | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | - | | | | - | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. 
| | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. 
| | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+=======================================================================================================================================================================================================================================================================+=======================+ + | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | + | | | | + | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. 
| 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ 7. Click **OK**. diff --git a/umn/source/access_control/firewall/firewall_overview.rst b/umn/source/access_control/firewall/firewall_overview.rst index d585350..6bd67c6 100644 --- a/umn/source/access_control/firewall/firewall_overview.rst +++ b/umn/source/access_control/firewall/firewall_overview.rst 
@@ -24,9 +24,22 @@ Firewall Basics --------------- - Your VPC does not come with a firewall, but you can create a firewall and associate it with a VPC subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules. + - You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time. + - Each newly created firewall is in the **Inactive** state until you associate subnets with it. +- Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic. + + If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections. + +.. important:: + + After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s). + + - The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. + - The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s. + .. _acl_0001__section99541345213: Default Firewall Rules 
@@ -58,8 +71,8 @@ By default, each firewall has preset rules that allow the following packets: | Outbound | \* | Deny | All | 0.0.0.0/0 | 0.0.0.0/0 | Denies all outbound traffic. | +-----------+----------+--------+----------+-----------+-------------+------------------------------+ -Rule Priorities ---------------- +How Traffic Matches Firewall Rules +---------------------------------- - Each firewall rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority. - If multiple firewall rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule. diff --git a/umn/source/access_control/firewall/modifying_a_firewall_rule.rst b/umn/source/access_control/firewall/modifying_a_firewall_rule.rst index 6bfc3ea..4dbbbd7 100644 --- a/umn/source/access_control/firewall/modifying_a_firewall_rule.rst +++ b/umn/source/access_control/firewall/modifying_a_firewall_rule.rst 
@@ -37,49 +37,49 @@ Procedure .. table:: **Table 1** Parameter descriptions - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +========================+=================================================================================================================================================================================================================================================================================================================================+=======================+ - | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | - | | | | - | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. 
| | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. 
| | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | - | | | | - | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | - | | | | - | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). 
| | - +------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+=======================================================================================================================================================================================================================================================================+=======================+ + | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. 
| Allow | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | + | | | | + | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. 
| 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | + | | | | + | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. 
| | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | + | | | | + | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ 7. Click **Confirm**. diff --git a/umn/source/access_control/security_group/adding_a_security_group_rule.rst b/umn/source/access_control/security_group/adding_a_security_group_rule.rst index 8c251fc..aa03d49 100644 --- a/umn/source/access_control/security_group/adding_a_security_group_rule.rst +++ b/umn/source/access_control/security_group/adding_a_security_group_rule.rst 
@@ -123,35 +123,35 @@ Procedure .. table:: **Table 2** Outbound rule parameter description - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+====================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ - | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | - | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. 
| 22, or 22-30 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | Source IP address version. You can select: | IPv4 | - | | | | - | | - IPv4 | | - | | - IPv6 | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - **Security group**: The source is from another security group. You can select a security group in the same region under the current account from the drop-down list. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with **Action** set to **Allow** and **Source** set to security group B, access from instance B is allowed to instance A. | | - | | - **IP address group**: An IP address group is a collection of one or more IP addresses. 
You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | - | | | | - | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + 
+=======================+============================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. 
You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - **Security group**: The destination is from another security group. You can select a security group in the same region under the current account from the drop-down list. For example, instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with **Action** set to **Allow** and **Destination** set to security group B, access from instance A is allowed to instance B. | | + | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ #. Click **OK**. diff --git a/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst index b22032a..3998611 100644 --- a/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst +++ b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst 
@@ -12,13 +12,24 @@ A security group is a collection of access control rules for cloud resources, su If you have not created any security groups yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. For details about the default security group, see :ref:`Default Security Group and Its Rules `. -Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. +Security Group Basics +--------------------- -Security groups use connection tracking to track traffic to and from instances that they contain and security group rules are applied based on the connection status of the traffic to determine whether to allow or deny traffic. +- Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. -- If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection tracking of all instances in the security group will be automatically cleared. The inbound or outbound traffic of the instance will be considered as new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and the security of incoming traffic. +- Security groups use connection tracking to track traffic to and from instances. 
If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections. -- If there is no inbound or outbound traffic of an instance for a long time, the traffic will be considered as new connections after the connection tracking times out, and the connections need to match the outbound and inbound rules. The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked. + If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared. + + - The existing inbound persistent connections are disconnected. All the new connections matches against the new rules. + - The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules. + +.. important:: + + After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s). + + - The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. 
For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. + - The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s. Security Group Rules -------------------- diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst index 1c35211..b48bd6b 100644 --- a/umn/source/change_history.rst +++ b/umn/source/change_history.rst 
@@ -8,11 +8,14 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Released On | Description | +===================================+====================================================================================================================================================================================================================================================================================================================================+ +| 2024-01-02 | This release incorporates the following changes: | +| | | +| | Modified the parameter descriptions in sections :ref:`Adding a Security Group Rule ` and :ref:`Adding a Firewall Rule `. | ++-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2023-12-19 | This release incorporates the following changes: | | | | -| | Added screenshots in :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? `. | -| | | -| | Modified the table in :ref:`Why Can't I Delete My VPCs and Subnets? `. | +| | - Added screenshots in :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? `. | +| | - Modified the table in :ref:`Why Can't I Delete My VPCs and Subnets? `. 
| +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2023-12-18 | This release incorporates the following changes: | | | | diff --git a/umn/source/faq/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst b/umn/source/faq/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst index 347adf9..f712623 100644 --- a/umn/source/faq/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst +++ b/umn/source/faq/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst 
@@ -5,5 +5,20 @@ Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? ==================================================================================================================== -- Security groups are stateful. Responses to outbound traffic are allowed to go in to the instance regardless of inbound security group rules, and vice versa. Security groups use connection tracking to track traffic to and from instances. If a security group rule is added, deleted, or modified, or an instance in the security group is created or deleted, the connection tracking for all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered to be new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and ensure the security of incoming traffic. -- A modified firewall rule will not immediately take effect for its existing connections. It takes about 120 seconds for the new rule to take effect, and traffic will be interrupted during this period. To ensure that the traffic is immediately interrupted after the rule is changed, it is recommended that you configure security group rules. +- Security groups use connection tracking to track traffic to and from instances. If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections. + + If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared. + + - The existing inbound persistent connections are disconnected. All the new connections matches against the new rules. 
+ - The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules. + +- Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic. + + If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections. + +.. important:: + + After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s). + + - The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. + - The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s. diff --git a/umn/source/faq/security/index.rst b/umn/source/faq/security/index.rst index 7aaef8a..8db4944 100644 --- a/umn/source/faq/security/index.rst +++ b/umn/source/faq/security/index.rst 
@@ -9,7 +9,7 @@ Security - :ref:`Can I Change the Security Group of an ECS? ` - :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? ` - :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? ` -- :ref:`Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? ` +- :ref:`Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict? ` .. toctree:: :maxdepth: 1 @@ -19,4 +19,4 @@ Security can_i_change_the_security_group_of_an_ecs how_do_i_configure_a_security_group_for_multi-channel_protocols does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified - which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict + which_security_group_rule_has_a_high_priority_when_multiple_security_group_rules_conflict diff --git a/umn/source/faq/security/which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict.rst b/umn/source/faq/security/which_security_group_rule_has_a_high_priority_when_multiple_security_group_rules_conflict.rst similarity index 68% rename from umn/source/faq/security/which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict.rst rename to umn/source/faq/security/which_security_group_rule_has_a_high_priority_when_multiple_security_group_rules_conflict.rst index 0a37bad..e5dad49 100644 --- a/umn/source/faq/security/which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict.rst +++ b/umn/source/faq/security/which_security_group_rule_has_a_high_priority_when_multiple_security_group_rules_conflict.rst 
@@ -2,7 +2,7 @@ .. _vpc_faq_0077: -Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? -=================================================================================== +Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict? +========================================================================================== Security group rules use the whitelist mechanism. If multiple security group rules conflict, the rules are aggregated to take effect. diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst index 35995f1..94054e3 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_access_the_internet_using_eips/step_5_add_a_security_group_rule.rst 
@@ -117,35 +117,35 @@ Procedure .. table:: **Table 2** Outbound rule parameter description - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+====================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ - | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | - | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. 
| 22, or 22-30 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | Source IP address version. You can select: | IPv4 | - | | | | - | | - IPv4 | | - | | - IPv6 | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - **Security group**: The source is from another security group. You can select a security group in the same region under the current account from the drop-down list. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with **Action** set to **Allow** and **Source** set to security group B, access from instance B is allowed to instance A. | | - | | - **IP address group**: An IP address group is a collection of one or more IP addresses. 
You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | - | | | | - | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + 
+=======================+============================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. 
You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - **Security group**: The destination is from another security group. You can select a security group in the same region under the current account from the drop-down list. For example, instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with **Action** set to **Allow** and **Destination** set to security group B, access from instance A is allowed to instance B. | | + | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ #. Click **OK**. diff --git a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst index 7061242..8ced623 100644 --- a/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst +++ b/umn/source/getting_started/configuring_a_vpc_for_ecss_that_do_not_require_internet_access/step_4_add_a_security_group_rule.rst 
@@ -117,35 +117,35 @@ Procedure .. table:: **Table 2** Outbound rule parameter description - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+====================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ - | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | - | | | | - | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. 
| 22, or 22-30 | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Type | Source IP address version. You can select: | IPv4 | - | | | | - | | - IPv4 | | - | | - IPv6 | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | - | | | | - | | - IP address: | | - | | | | - | | - Single IP address: 192.168.10.10/32 | | - | | - All IP addresses: 0.0.0.0/0 | | - | | - IP address range: 192.168.1.0/24 | | - | | | | - | | - **Security group**: The source is from another security group. You can select a security group in the same region under the current account from the drop-down list. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with **Action** set to **Allow** and **Source** set to security group B, access from instance B is allowed to instance A. | | - | | - **IP address group**: An IP address group is a collection of one or more IP addresses. 
You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | - | | | | - | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | - +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + 
+=======================+============================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ + | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | + | | | | + | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | Source IP address version. 
You can select: | IPv4 | + | | | | + | | - IPv4 | | + | | - IPv6 | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | + | | | | + | | - IP address: | | + | | | | + | | - Single IP address: 192.168.10.10/32 | | + | | - All IP addresses: 0.0.0.0/0 | | + | | - IP address range: 192.168.1.0/24 | | + | | | | + | | - **Security group**: The destination is from another security group. You can select a security group in the same region under the current account from the drop-down list. For example, instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with **Action** set to **Allow** and **Destination** set to security group B, access from instance A is allowed to instance B. | | + | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. 
| | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Description | Supplementary information about the security group rule. This parameter is optional. | N/A | + | | | | + | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ #. Click **OK**. diff --git a/umn/source/route_tables/route_tables_and_routes.rst b/umn/source/route_tables/route_tables_and_routes.rst index c7255a9..e5e826f 100644 --- a/umn/source/route_tables/route_tables_and_routes.rst +++ b/umn/source/route_tables/route_tables_and_routes.rst 
@@ -66,8 +66,7 @@ You can add routes to default and custom route tables and configure the destinat | Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table | | | | - Custom route table | +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ - | BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Default route table | - | | | - Custom route table | + | BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Custom route table | +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ | VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table | +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ diff --git a/umn/source/service_overview/basic_concepts/route_table.rst b/umn/source/service_overview/basic_concepts/route_table.rst index 99cd92a..244736b 100644 --- a/umn/source/service_overview/basic_concepts/route_table.rst +++ b/umn/source/service_overview/basic_concepts/route_table.rst 
@@ -66,8 +66,7 @@ You can add routes to default and custom route tables and configure the destinat | Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table | | | | - Custom route table | +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ - | BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Default route table | - | | | - Custom route table | + | BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Custom route table | +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ | VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table | +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ diff --git a/umn/source/service_overview/basic_concepts/subnet.rst b/umn/source/service_overview/basic_concepts/subnet.rst index d34d26a..6da329a 100644 --- a/umn/source/service_overview/basic_concepts/subnet.rst +++ b/umn/source/service_overview/basic_concepts/subnet.rst 
@@ -7,7 +7,7 @@ Subnet A subnet is a unique CIDR block with a range of IP addresses in a VPC. All resources in a VPC must be deployed on subnets. -- By default, all instances in different subnets of the same VPC can communicate with each other and the subnets can be located in different AZs. For example, VPC-A has subnet A01 in AZ A and subnet A02 in AZ B. Subnet A01 and subnet B01 can communicate with each other by default. +- By default, all instances in different subnets of the same VPC can communicate with each other and the subnets can be located in different AZs. If you have a VPC with two subnets in it and they are located in different AZs, they can communicate with each other by default. - After a subnet is created, its CIDR block cannot be modified. Subnets in the same VPC cannot overlap. diff --git a/umn/source/service_overview/permissions.rst b/umn/source/service_overview/permissions.rst index 905be36..c9322b0 100644 --- a/umn/source/service_overview/permissions.rst +++ b/umn/source/service_overview/permissions.rst 
@@ -31,17 +31,17 @@ You can grant permissions by using roles and policies. .. table:: **Table 1** System-defined permissions for VPC - +--------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ - | Policy Name | Description | Policy Type | Dependencies | - +====================+=========================================================================================================================+=======================+==============================================================================================================================+ - | VPC FullAccess | Full permissions for VPC | System-defined policy | To use the VPC flow log function, users must also have the **LTS ReadOnlyAccess** permission. | - +--------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ - | VPC ReadOnlyAccess | Read-only permissions on VPC. | System-defined policy | None | - +--------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ - | VPC Administrator | Most permissions on VPC, excluding creating, modifying, deleting, and viewing security groups and security group rules. | System-defined role | **Tenant Guest** and **Server Administrator** policies, which must be attached in the same project as **VPC Administrator**. 
| - | | | | | - | | To be granted this permission, users must also have the **Tenant Guest** and **Server Administrator** permission. | | | - +--------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ + +-------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Policy Name | Description | Policy Type | Dependencies | + +===================+=========================================================================================================================+=======================+==============================================================================================================================+ + | VPCFullAccess | Full permissions for VPC | System-defined policy | To use the VPC flow log function, users must also have the **LTS ReadOnlyAccess** permission. | + +-------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ + | VPCReadOnlyAccess | Read-only permissions on VPC. 
| System-defined policy | None | + +-------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ + | VPC Administrator | Most permissions on VPC, excluding creating, modifying, deleting, and viewing security groups and security group rules. | System-defined role | **Tenant Guest** and **Server Administrator** policies, which must be attached in the same project as **VPC Administrator**. | + | | | | | + | | To be granted this permission, users must also have the **Tenant Guest** and **Server Administrator** permission. | | | + +-------------------+-------------------------------------------------------------------------------------------------------------------------+-----------------------+------------------------------------------------------------------------------------------------------------------------------+ :ref:`Table 2 ` lists the common operations supported by system-defined permissions for VPC. 
@@ -49,89 +49,89 @@ You can grant permissions by using roles and policies. .. table:: **Table 2** Common operations supported by system-defined permissions - +--------------------------------------------+--------------------+-------------------+----------------+ - | Operation | VPC ReadOnlyAccess | VPC Administrator | VPC FullAccess | - +============================================+====================+===================+================+ - | Creating a VPC | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a VPC | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a VPC | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Viewing VPC information | Y | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Creating a subnet | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Viewing subnet information | Y | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a subnet | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a subnet | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Creating a security group | x | x | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Viewing security group information | Y | x | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a security group | x | x | Y | - 
+--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a security group | x | x | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Adding a security group rule | x | x | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Viewing a security group rule | Y | x | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a security group rule | x | x | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a security group rule | x | x | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Creating a firewall | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Viewing a firewall | Y | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a firewall | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a firewall | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Adding a firewall rule | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a firewall rule | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a firewall rule | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Creating a VPC peering connection | x | Y | Y | - 
+--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a VPC peering connection | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a VPC peering connection | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Querying a VPC peering connection | Y | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Accepting a VPC peering connection request | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Rejecting a VPC peering connection request | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Creating a route table | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a route table | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a route table | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Associating a route table with a subnet | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Adding a route | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Modifying a route | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a route | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Creating a VPC flow log | x | Y | Y | - 
+--------------------------------------------+--------------------+-------------------+----------------+ - | Viewing a VPC flow log | Y | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Enabling or disabling a VPC flow log | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ - | Deleting a VPC flow log | x | Y | Y | - +--------------------------------------------+--------------------+-------------------+----------------+ + +--------------------------------------------+-------------------+-------------------+---------------+ + | Operation | VPCReadOnlyAccess | VPC Administrator | VPCFullAccess | + +============================================+===================+===================+===============+ + | Creating a VPC | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a VPC | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a VPC | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Viewing VPC information | Y | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Creating a subnet | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Viewing subnet information | Y | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a subnet | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a subnet | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Creating a 
security group | x | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Viewing security group information | Y | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a security group | x | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a security group | x | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Adding a security group rule | x | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Viewing a security group rule | Y | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a security group rule | x | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a security group rule | x | x | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Creating a firewall | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Viewing a firewall | Y | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a firewall | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a firewall | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Adding a firewall rule | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a firewall rule | x | Y | Y | + 
+--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a firewall rule | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Creating a VPC peering connection | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a VPC peering connection | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a VPC peering connection | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Querying a VPC peering connection | Y | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Accepting a VPC peering connection request | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Rejecting a VPC peering connection request | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Creating a route table | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a route table | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a route table | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Associating a route table with a subnet | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Adding a route | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Modifying a route | x | Y | Y | + 
+--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a route | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Creating a VPC flow log | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Viewing a VPC flow log | Y | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Enabling or disabling a VPC flow log | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ + | Deleting a VPC flow log | x | Y | Y | + +--------------------------------------------+-------------------+-------------------+---------------+ Helpful Links ------------- diff --git a/umn/source/vpc_and_subnet/ipv4_and_ipv6_dual-stack_network.rst b/umn/source/vpc_and_subnet/ipv4_and_ipv6_dual-stack_network.rst index fcd107e..b0db93e 100644 --- a/umn/source/vpc_and_subnet/ipv4_and_ipv6_dual-stack_network.rst +++ b/umn/source/vpc_and_subnet/ipv4_and_ipv6_dual-stack_network.rst @@ -58,7 +58,9 @@ Basic Operations **Creating an IPv6 Subnet** -Create an IPv6 subnet by following the instructions in :ref:`Creating a Subnet for the VPC `. Select **Enable** for **IPv6 CIDR Block**. An IPv6 CIDR block will be automatically assigned to the subnet. IPv6 cannot be disabled after the subnet is created. Currently, customizing IPv6 CIDR block is not supported. +Create an IPv6 subnet by following the instructions in :ref:`Creating a Subnet for the VPC `. Select **Enable** for **IPv6 CIDR Block**. An IPv6 CIDR block will be automatically assigned to the subnet. IPv6 cannot be disabled after the subnet is created. + +To disable this function, call the API by referring to `Updating Subnet Information `__. **Viewing In-Use IPv6 Addresses**
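Review bot: the policy names in the Table 2 header are renamed inconsistently: `VPC ReadOnlyAccess` becomes `VPCReadOnlyAccess` and `VPC FullAccess` becomes `VPCFullAccess`, while `VPC Administrator` keeps its space. If the first two are being aligned with the exact spelling of the IAM system-defined policies, confirm that `VPC Administrator` really is spelled with a space and that the same spellings are used wherever these policies are named elsewhere in the file (the prose above the table and the hunk at line 49 are outside this hunk); a reader who copies a name from this table into a policy search will otherwise not find it. Two smaller points: no row content changes, so a header-only edit that keeps the existing column widths would produce a few-line diff instead of replacing all 89 lines and would make the change reviewable; and since every row is being touched anyway, it is worth double-checking `Viewing security group information | Y | x | Y` and `Viewing a security group rule | Y | x | Y`, which as written give the read-only policy a view permission that the Administrator policy lacks, and which are carried over unchanged.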
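Review bot: the added sentence contradicts the one it follows. `IPv6 cannot be disabled after the subnet is created.` is kept, and the hunk adds directly below it `To disable this function, call the API by referring to ...`. Either state the scope of the limitation explicitly (for example: "IPv6 cannot be disabled on the console after the subnet is created. To disable it, call the Updating Subnet Information API.") or say what "this function" refers to, because as written a reader cannot tell whether IPv6 on a subnet is permanent. Separately, the removed sentence `Currently, customizing IPv6 CIDR block is not supported.` is dropped without a replacement; if custom IPv6 CIDR blocks are still unsupported that statement should stay, and if they are now supported the text should say so rather than go silent. Finally, in the lines shown the anonymous hyperlink `Updating Subnet Information `__ carries no URL between the title and the closing backtick, so it will not resolve; confirm that the target survives in the actual file and add it if not.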