Update content

This commit is contained in:
OpenTelekomCloud Proposal Bot 2024-01-05 03:44:12 +00:00
parent 4fdb1b87ad
commit db544abd79
17 changed files with 350 additions and 304 deletions

View File

@ -5,9 +5,9 @@
Differences Between Security Groups and Firewalls Differences Between Security Groups and Firewalls
================================================= =================================================
You can configure security groups and firewalls to increase the security of ECSs in your VPC. You can configure firewall and security group rules to protect the instances in your VPC, such as ECSs, databases, and CCI.
- Security groups operate at the ECS level. - A security group protects the instances in it.
- Firewalls protect associated subnets and all the resources in the subnets. - Firewalls protect associated subnets and all the resources in the subnets.
For details, see :ref:`Figure 1 <en-us_topic_0052003963__fig9582182315479>`. For details, see :ref:`Figure 1 <en-us_topic_0052003963__fig9582182315479>`.
@ -23,18 +23,22 @@ For details, see :ref:`Figure 1 <en-us_topic_0052003963__fig9582182315479>`.
.. _en-us_topic_0052003963__table53053071174845: .. _en-us_topic_0052003963__table53053071174845:
.. table:: **Table 1** Differences between security groups and firewalls .. table:: **Table 1** Differences between security groups firewalls
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Category | Security Group | Firewall | | Category | Security Group | Firewall |
+==========+================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================================+ +=======================+=================================================================================================================================================================================+===========================================================================================================================================================================================================================================================+
| Scope | Operates at the ECS level. | Operates at the subnet level. | | Protection Scope | Protects instances in a security group, such as ECSs, databases, and CCI. | Protects subnets and all the instances in the subnets. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. | | Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. | | Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable firewall. The firewall then takes effect for the associated subnets and ECSs in the subnets. | | Usage | - When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, the system automatically creates a default security group. | Selecting a firewall is not allowed when you create a subnet. You must create a firewall, add inbound and outbound rules, associate subnets with it, and enable firewall. The firewall then protects the associated subnets and instances in the subnets. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | | - After creating an instance, you can: | |
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. | | | | |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | | - Add or remove instances on the security group console. | |
| | - Add or remove a security group for an instance on the instance console. | |
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. |
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
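Review bot: the new caption on the right-hand side has lost its conjunction: "**Table 1** Differences between security groups firewalls" should read "Differences between security groups and firewalls", matching the section heading and the old caption. In the new Usage cell for security groups, the sentence "If you do not have a security group, the system automatically creates a default security group." names the default group but says nothing about what its rules permit; since the row's point is that an instance is always in some group, add a reference to the default security group's rules so a reader does not assume the default is restrictive. In the Firewall column, "enable firewall" should be "enable the firewall" (the old cell has the same slip), and the step order was changed to "add inbound and outbound rules, associate subnets with it" while the Firewall Basics page still says a firewall denies all traffic until rules are added; that ordering is the safer one (rules first, then association), so it is worth keeping consistent across pages.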

View File

@ -43,49 +43,49 @@ Procedure
.. table:: **Table 1** Parameter descriptions .. table:: **Table 1** Parameter descriptions
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+========================+=================================================================================================================================================================================================================================================================================================================================+=======================+ +========================+=======================================================================================================================================================================================================================================================================+=======================+
| Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow | | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP |
| | | | | | | |
| | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 |
| | | | | | | |
| | - IP address: | | | | - IP address: | |
| | | | | | | |
| | - Single IP address: 192.168.10.10/32 | | | | - Single IP address: 192.168.10.10/32 | |
| | - All IP addresses: 0.0.0.0/0 | | | | - All IP addresses: 0.0.0.0/0 | |
| | - IP address range: 192.168.1.0/24 | | | | - IP address range: 192.168.1.0/24 | |
| | | | | | | |
| | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 |
| | | | | | | |
| | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 |
| | | | | | | |
| | - IP address: | | | | - IP address: | |
| | | | | | | |
| | - Single IP address: 192.168.10.10/32 | | | | - Single IP address: 192.168.10.10/32 | |
| | - All IP addresses: 0.0.0.0/0 | | | | - All IP addresses: 0.0.0.0/0 | |
| | - IP address range: 192.168.1.0/24 | | | | - IP address range: 192.168.1.0/24 | |
| | | | | | | |
| | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 |
| | | | | | | |
| | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A |
| | | | | | | |
| | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
7. Click **OK**. 7. Click **OK**.
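Review bot: the Source and Destination descriptions still read "The source from which the traffic is allowed" / "The destination to which the traffic is allowed", but the Action row two rows above allows **Deny**; for a Deny rule the source is where matched traffic is blocked from, so "The source of the traffic that the rule matches" (and likewise for Destination) describes both actions correctly. The reworded IP address group bullet should also read "IP address ranges and IP addresses with the same security requirements more simply" rather than "with same security requirements in a more simple way" (this text appears in both the Source and Destination rows). Since 0.0.0.0/0 is the example value for both Source and Destination, consider an example that pairs an Allow action with a narrower range such as the 192.168.1.0/24 already listed, so the sample rule does not read as "allow everything".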

View File

@ -24,9 +24,22 @@ Firewall Basics
--------------- ---------------
- Your VPC does not come with a firewall, but you can create a firewall and associate it with a VPC subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules. - Your VPC does not come with a firewall, but you can create a firewall and associate it with a VPC subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.
- You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time. - You can associate a firewall with multiple subnets. However, a subnet can only be associated with one firewall at a time.
- Each newly created firewall is in the **Inactive** state until you associate subnets with it. - Each newly created firewall is in the **Inactive** state until you associate subnets with it.
- Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic.
If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections.
.. important::
After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s).
- The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.
- The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.
.. _acl_0001__section99541345213: .. _acl_0001__section99541345213:
Default Firewall Rules Default Firewall Rules
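Review bot: the added connection tracking paragraph has a run-on: "all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections" needs a full stop after "disconnected", and "expires(30s)" needs a space before the parenthesis; in the **important** block, "new connection will not be established immediately" should be "a new connection will not be established immediately". The last two bullets overlap: both state that a TCP connection in the established state times out after 600s, so fold the FIN-WAIT value (30s) into the first timeout bullet and drop the duplicate. The security-relevant consequence of this section deserves one explicit sentence: because existing connections keep matching until they end and their tracking entry expires, adding a Deny rule does not cut off a session that is already open, so an operator who needs an immediate effect must also terminate the connection on the instance itself. Finally, the new bullet and its continuation paragraph should be indented consistently so the paragraph, the admonition, and the timeout bullets render as part of the same list item.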
@ -58,8 +71,8 @@ By default, each firewall has preset rules that allow the following packets:
| Outbound | \* | Deny | All | 0.0.0.0/0 | 0.0.0.0/0 | Denies all outbound traffic. | | Outbound | \* | Deny | All | 0.0.0.0/0 | 0.0.0.0/0 | Denies all outbound traffic. |
+-----------+----------+--------+----------+-----------+-------------+------------------------------+ +-----------+----------+--------+----------+-----------+-------------+------------------------------+
Rule Priorities How Traffic Matches Firewall Rules
--------------- ----------------------------------
- Each firewall rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority. - Each firewall rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority.
- If multiple firewall rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule. - If multiple firewall rules conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.

View File

@ -37,49 +37,49 @@ Procedure
.. table:: **Table 1** Parameter descriptions .. table:: **Table 1** Parameter descriptions
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+========================+=================================================================================================================================================================================================================================================================================================================================+=======================+ +========================+=======================================================================================================================================================================================================================================================================+=======================+
| Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 | | Type | The firewall type. This parameter is mandatory. You can select a value from the drop-down list. Currently, only **IPv4** and **IPv6** are supported. | IPv4 |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow | | Action | The action in the firewall. This parameter is mandatory. You can select a value from the drop-down list. Currently, the value can be **Allow** or **Deny**. | Allow |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP | | Protocol | The protocol supported by the firewall. This parameter is mandatory. You can select a protocol from the drop-down list. | TCP |
| | | | | | | |
| | You can select **TCP**, **UDP**, **ICMP**, or **All**. | | | | You can select **TCP**, **UDP**, **ICMP**, or **All**. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 | | Source | The source from which the traffic is allowed. The source can be an IP address or IP address range. | 0.0.0.0/0 |
| | | | | | | |
| | - IP address: | | | | - IP address: | |
| | | | | | | |
| | - Single IP address: 192.168.10.10/32 | | | | - Single IP address: 192.168.10.10/32 | |
| | - All IP addresses: 0.0.0.0/0 | | | | - All IP addresses: 0.0.0.0/0 | |
| | - IP address range: 192.168.1.0/24 | | | | - IP address range: 192.168.1.0/24 | |
| | | | | | | |
| | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | | Source Port Range | The source port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 |
| | | | | | | |
| | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 | | Destination | The destination to which the traffic is allowed. The destination can be an IP address or IP address range. | 0.0.0.0/0 |
| | | | | | | |
| | - IP address: | | | | - IP address: | |
| | | | | | | |
| | - Single IP address: 192.168.10.10/32 | | | | - Single IP address: 192.168.10.10/32 | |
| | - All IP addresses: 0.0.0.0/0 | | | | - All IP addresses: 0.0.0.0/0 | |
| | - IP address range: 192.168.1.0/24 | | | | - IP address range: 192.168.1.0/24 | |
| | | | | | | |
| | - IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 | | Destination Port Range | The destination port number or port number range. The value ranges from 1 to 65535. For a port number range, enter two port numbers connected by a hyphen (-). For example, **1-100**. | 22, or 22-30 |
| | | | | | | |
| | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | | | | You must specify this parameter if **TCP** or **UDP** is selected for **Protocol**. | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Description | Supplementary information about the firewall rule. This parameter is optional. | N/A | | Description | Supplementary information about the firewall rule. This parameter is optional. | N/A |
| | | | | | | |
| | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | | | The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
7. Click **Confirm**. 7. Click **Confirm**.
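Review bot: the lead sentence of the Source and Destination rows still says the value "can be an IP address or IP address range" while the bullets underneath add a third option, IP address group; update both lead sentences to "an IP address, an IP address range, or an IP address group". Dropping "The source is an IP address group" from the Destination row fixes a copy-paste error, but the sentence that remains in both rows, "with same security requirements in a more simple way", should read "with the same security requirements more simply". The Protocol row's "The protocol supported by the firewall" describes the firewall rather than the field; "The protocol that the rule matches" is what the reader is choosing.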

View File

@ -123,35 +123,35 @@ Procedure
.. table:: **Table 2** Outbound rule parameter description .. table:: **Table 2** Outbound rule parameter description
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+=======================+====================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ +=======================+============================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+
| Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP |
| | | | | | | |
| | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Type | Source IP address version. You can select: | IPv4 | | Type | Source IP address version. You can select: | IPv4 |
| | | | | | | |
| | - IPv4 | | | | - IPv4 | |
| | - IPv6 | | | | - IPv6 | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 |
| | | | | | | |
| | - IP address: | | | | - IP address: | |
| | | | | | | |
| | - Single IP address: 192.168.10.10/32 | | | | - Single IP address: 192.168.10.10/32 | |
| | - All IP addresses: 0.0.0.0/0 | | | | - All IP addresses: 0.0.0.0/0 | |
| | - IP address range: 192.168.1.0/24 | | | | - IP address range: 192.168.1.0/24 | |
| | | | | | | |
| | - **Security group**: The source is from another security group. You can select a security group in the same region under the current account from the drop-down list. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with **Action** set to **Allow** and **Source** set to security group B, access from instance B is allowed to instance A. | | | | - **Security group**: The destination is from another security group. You can select a security group in the same region under the current account from the drop-down list. For example, instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with **Action** set to **Allow** and **Destination** set to security group B, access from instance A is allowed to instance B. | |
| | - **IP address group**: An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Description | Supplementary information about the security group rule. This parameter is optional. | N/A | | Description | Supplementary information about the security group rule. This parameter is optional. | N/A |
| | | | | | | |
| | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
#. Click **OK**. #. Click **OK**.
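Review bot: in an outbound rule table the Type row should read "Destination IP address version", not "Source IP address version"; the rest of the table, including the rewritten Security group bullet, now consistently talks about Destination. That bullet correctly switches to outbound/Destination wording, but "IP address group" lost its bold while "Security group" kept it, so two sibling items in the same list are now styled differently, and the Destination lead sentence "The value can be an IP address or a security group" should also list IP address group. "Currently, the value can be All, TCP, UDP, GRE, ICMP, or more" should end with "and other protocols" rather than "or more", and the grammar fix from the firewall table applies here too: "with the same security requirements more simply".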

View File

@ -12,13 +12,24 @@ A security group is a collection of access control rules for cloud resources, su
If you have not created any security groups yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. For details about the default security group, see :ref:`Default Security Group and Its Rules <securitygroup_0003>`. If you have not created any security groups yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it. For details about the default security group, see :ref:`Default Security Group and Its Rules <securitygroup_0003>`.
Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. Security Group Basics
---------------------
Security groups use connection tracking to track traffic to and from instances that they contain and security group rules are applied based on the connection status of the traffic to determine whether to allow or deny traffic. - Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
- If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection tracking of all instances in the security group will be automatically cleared. The inbound or outbound traffic of the instance will be considered as new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and the security of incoming traffic. - Security groups use connection tracking to track traffic to and from instances. If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections.
- If there is no inbound or outbound traffic of an instance for a long time, the traffic will be considered as new connections after the connection tracking times out, and the connections need to match the outbound and inbound rules. The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked. If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared.
- The existing inbound persistent connections are disconnected. All the new connections matches against the new rules.
- The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules.
.. important::
After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s).
- The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.
- The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.
Security Group Rules Security Group Rules
-------------------- --------------------
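Review bot: the new bullet says an inbound rule change "immediately takes effect for the existing traffic" and the following lines explain why (inbound connection tracking is cleared), but the important note then says a new connection "will not be established immediately until the timeout period of connection tracking expires", which reads as a contradiction of "cleared"; state explicitly what still has to time out before the new rule is applied to a re-established connection. "The inbound connection of all instances ... will be automatically cleared" should say "inbound connection tracking entries", which is what the paragraph describes. Grammar in the two persistent-connection bullets: "All the new connections match against the new rules" (not "matches"), "a new connection will not be established", and a space before "(30s)". The TCP established timeout of 600s is now stated twice, once in the per-protocol bullet and again in the per-state bullet; keep it in one place. The old sentence "For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked" was dropped; if it is still true it is worth keeping, because it tells the reader how traffic for those protocols is matched in the tracking table.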

View File

@ -8,11 +8,14 @@ Change History
+-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Released On | Description | | Released On | Description |
+===================================+====================================================================================================================================================================================================================================================================================================================================+ +===================================+====================================================================================================================================================================================================================================================================================================================================+
| 2024-01-02 | This release incorporates the following changes: |
| | |
| | Modified the parameter descriptions in sections :ref:`Adding a Security Group Rule <en-us_topic_0030969470>` and :ref:`Adding a Firewall Rule <en-us_topic_0051746702>`. |
+-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 2023-12-19 | This release incorporates the following changes: | | 2023-12-19 | This release incorporates the following changes: |
| | | | | |
| | Added screenshots in :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? <vpc_faq_0059>`. | | | - Added screenshots in :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? <vpc_faq_0059>`. |
| | | | | - Modified the table in :ref:`Why Can't I Delete My VPCs and Subnets? <vpc_faq_0075>`. |
| | Modified the table in :ref:`Why Can't I Delete My VPCs and Subnets? <vpc_faq_0075>`. |
+-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 2023-12-18 | This release incorporates the following changes: | | 2023-12-18 | This release incorporates the following changes: |
| | | | | |
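Review bot: the new 2024-01-02 entry lists only the two parameter-description changes, but this same commit also rewrites the connection-tracking behaviour in the Security Group Basics section and in the FAQ "Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified?" (vpc_faq_0074), and renames the FAQ "Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict?" (vpc_faq_0077). Readers use the change history to spot documented behaviour changes, so list those as well, at least the connection-tracking semantics (inbound rule changes clear existing connections, outbound changes do not), which is a behavioural statement rather than a wording fix.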

View File

@ -5,5 +5,20 @@
Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified?
==================================================================================================================== ====================================================================================================================
- Security groups are stateful. Responses to outbound traffic are allowed to go in to the instance regardless of inbound security group rules, and vice versa. Security groups use connection tracking to track traffic to and from instances. If a security group rule is added, deleted, or modified, or an instance in the security group is created or deleted, the connection tracking for all instances in the security group will be automatically cleared. In this case, the inbound or outbound traffic of the instance will be considered to be new connections, which need to match the inbound or outbound security group rules to ensure that the rules take effect immediately and ensure the security of incoming traffic. - Security groups use connection tracking to track traffic to and from instances. If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections.
- A modified firewall rule will not immediately take effect for its existing connections. It takes about 120 seconds for the new rule to take effect, and traffic will be interrupted during this period. To ensure that the traffic is immediately interrupted after the rule is changed, it is recommended that you configure security group rules.
If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared.
- The existing inbound persistent connections are disconnected. All the new connections matches against the new rules.
- The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules.
- Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic.
If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections.
.. important::
After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s).
- The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.
- The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.
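Review bot: the firewall answer drops two things the old text stated: the roughly 120 seconds before a modified firewall rule applies, and the recommendation to use security group rules when traffic must be cut off immediately. The new wording "all the inbound and outbound persistent connections will not be disconnected" makes that guidance more important, not less: a firewall rule change does not terminate an established flow, so anyone relying on it to stop ongoing traffic needs to be told to use a security group rule instead. Also a missing period, "will not be disconnected. New rules only apply to the new connections.", plus "matches" to "match", "a new connection", and a space before "(30s)". The important note and the two timeout bullets now duplicate the Security Group Basics section word for word; keep one copy and :ref: it from the other so the two do not drift.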

View File

@ -9,7 +9,7 @@ Security
- :ref:`Can I Change the Security Group of an ECS? <vpc_faq_0039>` - :ref:`Can I Change the Security Group of an ECS? <vpc_faq_0039>`
- :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? <vpc_faq_0059>` - :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? <vpc_faq_0059>`
- :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? <vpc_faq_0074>` - :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? <vpc_faq_0074>`
- :ref:`Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? <vpc_faq_0077>` - :ref:`Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict? <vpc_faq_0077>`
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
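Review bot: "Has a High Priority" is awkward English; "Has a Higher Priority" or "Takes Precedence" reads naturally. Since the FAQ page itself answers that conflicting rules are aggregated rather than one rule winning, the original "Has Priority" phrasing was arguably closer to the content. Whichever title is chosen, the :ref: text here, the toctree entry, the file name and the page heading must all change together.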
@ -19,4 +19,4 @@ Security
can_i_change_the_security_group_of_an_ecs can_i_change_the_security_group_of_an_ecs
how_do_i_configure_a_security_group_for_multi-channel_protocols how_do_i_configure_a_security_group_for_multi-channel_protocols
does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified
which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict which_security_group_rule_has_a_high_priority_when_multiple_security_group_rules_conflict
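Review bot: renaming the toctree entry implies the source file is renamed, which in a Sphinx build normally changes the published page URL; unless a redirect from the old which_security_group_rule_has_priority_when_multiple_security_group_rules_conflict path is added, existing links and bookmarks to this FAQ will break. Consider keeping the file name and changing only the title, or add the redirect.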

View File

@ -2,7 +2,7 @@
.. _vpc_faq_0077: .. _vpc_faq_0077:
Which Security Group Rule Has Priority When Multiple Security Group Rules Conflict? Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict?
=================================================================================== ==========================================================================================
Security group rules use the whitelist mechanism. If multiple security group rules conflict, the rules are aggregated to take effect. Security group rules use the whitelist mechanism. If multiple security group rules conflict, the rules are aggregated to take effect.
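Review bot: the answer does not match the new title. The body says conflicting rules are aggregated, meaning no rule has a higher priority than another, so a title asking which rule "Has a High Priority" poses a question the body answers with "none". Either keep the neutral "Has Priority" wording or extend the answer with one sentence that makes the consequence explicit: because security group rules are a whitelist and are unioned, traffic is allowed if any rule allows it, so the most permissive matching rule effectively determines the result.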

View File

@ -117,35 +117,35 @@ Procedure
.. table:: **Table 2** Outbound rule parameter description .. table:: **Table 2** Outbound rule parameter description
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+=======================+====================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ +=======================+============================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+
| Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP |
| | | | | | | |
| | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Type | Source IP address version. You can select: | IPv4 | | Type | Source IP address version. You can select: | IPv4 |
| | | | | | | |
| | - IPv4 | | | | - IPv4 | |
| | - IPv6 | | | | - IPv6 | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 |
| | | | | | | |
| | - IP address: | | | | - IP address: | |
| | | | | | | |
| | - Single IP address: 192.168.10.10/32 | | | | - Single IP address: 192.168.10.10/32 | |
| | - All IP addresses: 0.0.0.0/0 | | | | - All IP addresses: 0.0.0.0/0 | |
| | - IP address range: 192.168.1.0/24 | | | | - IP address range: 192.168.1.0/24 | |
| | | | | | | |
| | - **Security group**: The source is from another security group. You can select a security group in the same region under the current account from the drop-down list. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with **Action** set to **Allow** and **Source** set to security group B, access from instance B is allowed to instance A. | | | | - **Security group**: The destination is from another security group. You can select a security group in the same region under the current account from the drop-down list. For example, instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with **Action** set to **Allow** and **Destination** set to security group B, access from instance A is allowed to instance B. | |
| | - **IP address group**: An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Description | Supplementary information about the security group rule. This parameter is optional. | N/A | | Description | Supplementary information about the security group rule. This parameter is optional. | N/A |
| | | | | | | |
| | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
#. Click **OK**. #. Click **OK**.
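Review bot: the Security group bullet is now correct for an outbound table (Destination, outbound rule, instance A to instance B), but the same hunk drops the bold from "IP address group" while the sibling bullet keeps "**Security group**"; keep the two consistent. While this table is being touched, the "Type" row still reads "Source IP address version" in an outbound rule, where it is the destination address version. Minor wording in the last bullet: "IP address ranges and IP addresses with same security requirements in a more simple way" should read "with the same security requirements more simply".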


@ -117,35 +117,35 @@ Procedure
.. table:: **Table 2** Outbound rule parameter description .. table:: **Table 2** Outbound rule parameter description
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Parameter | Description | Example Value | | Parameter | Description | Example Value |
+=======================+====================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ +=======================+============================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+
| Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP | | Protocol & Port | The network protocol used to match traffic in a security group rule. | TCP |
| | | | | | | |
| | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | | | | Currently, the value can be **All**, **TCP**, **UDP**, **GRE**, **ICMP**, or more. | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 | | | **Port**: The port or port range over which traffic can leave your ECS. The value can be from 1 to 65535. | 22, or 22-30 |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Type | Source IP address version. You can select: | IPv4 | | Type | Source IP address version. You can select: | IPv4 |
| | | | | | | |
| | - IPv4 | | | | - IPv4 | |
| | - IPv6 | | | | - IPv6 | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 | | Destination | Destination of the security group rule. The value can be an IP address or a security group to allow access to IP addresses or instances in the security group. For example: | 0.0.0.0/0 |
| | | | | | | |
| | - IP address: | | | | - IP address: | |
| | | | | | | |
| | - Single IP address: 192.168.10.10/32 | | | | - Single IP address: 192.168.10.10/32 | |
| | - All IP addresses: 0.0.0.0/0 | | | | - All IP addresses: 0.0.0.0/0 | |
| | - IP address range: 192.168.1.0/24 | | | | - IP address range: 192.168.1.0/24 | |
| | | | | | | |
| | - **Security group**: The source is from another security group. You can select a security group in the same region under the current account from the drop-down list. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with **Action** set to **Allow** and **Source** set to security group B, access from instance B is allowed to instance A. | | | | - **Security group**: The destination is from another security group. You can select a security group in the same region under the current account from the drop-down list. For example, instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with **Action** set to **Allow** and **Destination** set to security group B, access from instance A is allowed to instance B. | |
| | - **IP address group**: An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | | | | - IP address group: A collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way. | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
| Description | Supplementary information about the security group rule. This parameter is optional. | N/A | | Description | Supplementary information about the security group rule. This parameter is optional. | N/A |
| | | | | | | |
| | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | | | | The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+
#. Click **OK**. #. Click **OK**.
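Review bot: this outbound rule table hunk has the same issues as the identical one earlier in the commit: bold is dropped from "IP address group" but kept on "**Security group**"; the "Type" row still says "Source IP address version" in an outbound rule, where it is the destination address version; and "with same security requirements in a more simple way" should read "with the same security requirements more simply".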


@ -66,8 +66,7 @@ You can add routes to default and custom route tables and configure the destinat
| Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table | | Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table |
| | | - Custom route table | | | | - Custom route table |
+--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+
| BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Default route table | | BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Custom route table |
| | | - Custom route table |
+--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+
| VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table | | VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table |
+--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+
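Review bot: after this change the BMS user-defined network row has a single value but keeps bullet syntax ("- Custom route table"), whereas the VPN connection row with a single value uses plain "Custom route table"; match the existing style. The change also silently removes BMS user-defined network as a valid next hop for the default route table; a sentence in the surrounding text (or a release note) should say so, since existing default route table entries of this type would otherwise be undocumented.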


@ -66,8 +66,7 @@ You can add routes to default and custom route tables and configure the destinat
| Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table | | Extension NIC | Traffic intended for the destination is forwarded to the extension NIC of an ECS in the VPC. | - Default route table |
| | | - Custom route table | | | | - Custom route table |
+--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+
| BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Default route table | | BMS user-defined network | Traffic intended for the destination is forwarded to a BMS user-defined network. Currently, this parameter is available only in eu-de. | - Custom route table |
| | | - Custom route table |
+--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+
| VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table | | VPN connection | Traffic intended for the destination is forwarded to a VPN gateway. | Custom route table |
+--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+ +--------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+
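Review bot: same remarks as for the identical route table hunk earlier in the commit: the BMS user-defined network row now holds a single value but keeps the "- Custom route table" bullet while the VPN connection row uses plain "Custom route table", so match that style; and the removal of the default route table as a valid table for this next hop type deserves a sentence in the surrounding text or a release note.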


@ -7,7 +7,7 @@ Subnet
A subnet is a unique CIDR block with a range of IP addresses in a VPC. All resources in a VPC must be deployed on subnets. A subnet is a unique CIDR block with a range of IP addresses in a VPC. All resources in a VPC must be deployed on subnets.
- By default, all instances in different subnets of the same VPC can communicate with each other and the subnets can be located in different AZs. For example, VPC-A has subnet A01 in AZ A and subnet A02 in AZ B. Subnet A01 and subnet B01 can communicate with each other by default. - By default, all instances in different subnets of the same VPC can communicate with each other and the subnets can be located in different AZs. If you have a VPC with two subnets in it and they are located in different AZs, they can communicate with each other by default.
- After a subnet is created, its CIDR block cannot be modified. Subnets in the same VPC cannot overlap. - After a subnet is created, its CIDR block cannot be modified. Subnets in the same VPC cannot overlap.
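Review bot: the removed example was internally inconsistent (it introduced A01 and A02 but then said A01 and B01 communicate), so replacing it is right, but the new sentence is generic; a concrete example with consistent names (VPC-A with subnet A01 in AZ A and subnet A02 in AZ B; A01 and A02 communicate by default) reads better. It would also help to note that this default cross-subnet reachability is exactly what firewalls and security groups restrict, so readers do not assume the VPC isolates its subnets from each other.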

File diff suppressed because it is too large


@ -58,7 +58,9 @@ Basic Operations
**Creating an IPv6 Subnet** **Creating an IPv6 Subnet**
Create an IPv6 subnet by following the instructions in :ref:`Creating a Subnet for the VPC <en-us_topic_0013748726>`. Select **Enable** for **IPv6 CIDR Block**. An IPv6 CIDR block will be automatically assigned to the subnet. IPv6 cannot be disabled after the subnet is created. Currently, customizing IPv6 CIDR block is not supported. Create an IPv6 subnet by following the instructions in :ref:`Creating a Subnet for the VPC <en-us_topic_0013748726>`. Select **Enable** for **IPv6 CIDR Block**. An IPv6 CIDR block will be automatically assigned to the subnet. IPv6 cannot be disabled after the subnet is created.
To disable this function, call the API by referring to `Updating Subnet Information <https://docs.otc.t-systems.com/virtual-private-cloud/api-ref/apis/subnet/updating_subnet_information.html#vpc-subnet01-0004>`__.
**Viewing In-Use IPv6 Addresses** **Viewing In-Use IPv6 Addresses**
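Review bot: the added line contradicts the sentence kept just above it: "IPv6 cannot be disabled after the subnet is created" is retained, then "To disable this function, call the API by referring to Updating Subnet Information" is added. Reconcile them, e.g. "IPv6 cannot be disabled on the console after the subnet is created; to disable it, call the API ..." if that is the actual behaviour. The hunk also drops "Currently, customizing IPv6 CIDR block is not supported." without replacement; if custom IPv6 CIDR blocks are now supported, say so, otherwise keep the limitation.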