diff --git a/umn/source/_static/images/en-us_image_0000001197228903.png b/umn/source/_static/images/en-us_image_0000001197228903.png index 6ef66ec..a587644 100644 Binary files a/umn/source/_static/images/en-us_image_0000001197228903.png and b/umn/source/_static/images/en-us_image_0000001197228903.png differ diff --git a/umn/source/access_control/differences_between_security_groups_and_firewalls.rst b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst index c3b3790..0c81d64 100644 --- a/umn/source/access_control/differences_between_security_groups_and_firewalls.rst +++ b/umn/source/access_control/differences_between_security_groups_and_firewalls.rst @@ -5,10 +5,10 @@ Differences Between Security Groups and Firewalls ================================================= -You can configure firewall and security group rules to protect the instances in your VPC, such as ECSs, databases, and CCI. +You can configure firewall and security group rules to protect the instances in your VPC, such as ECSs, databases, and CCI pods. - A security group protects the instances in it. -- Firewalls protect associated subnets and all the resources in the subnets. +- A Firewall protects associated subnets and all the resources in the subnets. For details, see :ref:`Figure 1 `. 
@@ -25,20 +25,20 @@ For details, see :ref:`Figure 1 `. .. table:: **Table 1** Differences between security groups firewalls - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Category | Security Group | Firewall | - +=======================+=================================================================================================================================================================================+===========================================================================================================================================================================================================================================================+ - | Protection Scope | Protects instances in a security group, such as ECSs, databases, and CCI. | Protects subnets and all the instances in the subnets. | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. 
| - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Usage | - When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, the system automatically creates a default security group. | Selecting a firewall is not allowed when you create a subnet. You must create a firewall, add inbound and outbound rules, associate subnets with it, and enable firewall. The firewall then protects the associated subnets and instances in the subnets. | - | | - After creating an instance, you can: | | - | | | | - | | - Add or remove instances on the security group console. | | - | | - Add or remove a security group for an instance on the instance console. 
| | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Category | Security Group | Firewall | + 
+=======================+========================================================================================================================================================================+===========================================================================================================================================================================================================================================================+ + | Protection Scope | Protects instances in a security group, such as ECSs, databases, and CCI. | Protects subnets and all the instances in the subnets. | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Matching Order | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. 
| + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Usage | - When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, a default security group will be created for you. | Selecting a firewall is not allowed when you create a subnet. You must create a firewall, add inbound and outbound rules, associate subnets with it, and enable firewall. The firewall then protects the associated subnets and instances in the subnets. | + | | - After creating an instance, you can: | | + | | | | + | | - Add or remove the instance to or from the security group on the security group console. | | + | | - Associate or disassociate a security group with or from the instance on the instance console. | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Packets | Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported. | Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported. 
| + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/access_control/firewall/firewall_configuration_examples.rst b/umn/source/access_control/firewall/firewall_configuration_example.rst similarity index 99% rename from umn/source/access_control/firewall/firewall_configuration_examples.rst rename to umn/source/access_control/firewall/firewall_configuration_example.rst index 4f6d744..beb86b7 100644 --- a/umn/source/access_control/firewall/firewall_configuration_examples.rst +++ b/umn/source/access_control/firewall/firewall_configuration_example.rst @@ -2,8 +2,8 @@ .. _acl_0002: -Firewall Configuration Examples -=============================== +Firewall Configuration Example +============================== This section provides examples for configuring firewalls. diff --git a/umn/source/access_control/firewall/firewall_overview.rst b/umn/source/access_control/firewall/firewall_overview.rst index 6bd67c6..53fb1b1 100644 --- a/umn/source/access_control/firewall/firewall_overview.rst +++ b/umn/source/access_control/firewall/firewall_overview.rst 
@@ -31,11 +31,11 @@ Firewall Basics - Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic. - If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections. + If you add, modify, or delete a firewall rule, or associate or diassociate a subnet with or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules will only be applied for the new connections. .. important:: - After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s). + After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period (30s) expires. - The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. - The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s. 
diff --git a/umn/source/access_control/firewall/index.rst b/umn/source/access_control/firewall/index.rst index 2f4cc01..b8a8143 100644 --- a/umn/source/access_control/firewall/index.rst +++ b/umn/source/access_control/firewall/index.rst @@ -6,7 +6,7 @@ Firewall ======== - :ref:`Firewall Overview ` -- :ref:`Firewall Configuration Examples ` +- :ref:`Firewall Configuration Example ` - :ref:`Creating a Firewall ` - :ref:`Adding a Firewall Rule ` - :ref:`Associating Subnets with a Firewall ` @@ -25,7 +25,7 @@ Firewall :hidden: firewall_overview - firewall_configuration_examples + firewall_configuration_example creating_a_firewall adding_a_firewall_rule associating_subnets_with_a_firewall diff --git a/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst index 3998611..9d23011 100644 --- a/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst +++ b/umn/source/access_control/security_group/security_groups_and_security_group_rules.rst 
@@ -17,16 +17,16 @@ Security Group Basics - Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. -- Security groups use connection tracking to track traffic to and from instances. If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections. +- Security groups use connection tracking to track traffic to and from instances. If an inbound rule is modified, the modified rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections. - If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared. + If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connections of all instances in the security group will be automatically cleared. - - The existing inbound persistent connections are disconnected. All the new connections matches against the new rules. - - The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules. + - The existing inbound persistent connections will be disconnected. All the new connections will match the new rules. + - The existing outbound persistent connections will not be disconnected, and the original rule will still be applied. All the new connections will match the new rules. .. 
important:: - After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s). + After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period (30s) expires. - The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. - The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s. diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst index b48bd6b..35c0cd7 100644 --- a/umn/source/change_history.rst +++ b/umn/source/change_history.rst 
@@ -8,6 +8,10 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Released On | Description | +===================================+====================================================================================================================================================================================================================================================================================================================================+ +| 2024-01-16 | This release incorporates the following changes: | +| | | +| | Modified the figure for creating a subnet in :ref:`Creating a Subnet for the VPC `, :ref:`Step 2: Create a Subnet for the VPC `, and :ref:`Step 2: Create a Subnet for the VPC `. | ++-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2024-01-02 | This release incorporates the following changes: | | | | | | Modified the parameter descriptions in sections :ref:`Adding a Security Group Rule ` and :ref:`Adding a Firewall Rule `. | 
@@ -207,8 +211,8 @@ Change History | | | | | Modified the following content: | | | | -| | - Added rules in :ref:`Firewall Configuration Examples `. | -| | - Modified :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? ` | +| | - Added rules in :ref:`Firewall Configuration Example `. | +| | - Modified :ref:`Does a Modified Security Group Rule or a Firewall Rule Take Effect Immediately for Existing Connections? ` | | | - Modified :ref:`Why Can't I Delete My VPCs and Subnets? ` | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | 2020-02-25 | Added the following content: | @@ -235,7 +239,7 @@ Change History | | | | | - Updated screenshots in :ref:`Adding a Security Group Rule ` and :ref:`Fast-Adding Security Group Rules `. | | | - Optimized figure examples in this document. | -| | - Optimized descriptions in :ref:`Firewall Configuration Examples `. | +| | - Optimized descriptions in :ref:`Firewall Configuration Example `. | | | - Optimized descriptions in :ref:`Firewall Overview `. | | | - Changed the position of :ref:`Access Control `. | | | - Optimized :ref:`What Is a Quota? ` | 
@@ -268,7 +272,7 @@ Change History | | - Optimized description about the scenario in :ref:`Creating an Alarm Rule `. | | | - Updated screenshots in :ref:`Adding a Security Group Rule ` and :ref:`Fast-Adding Security Group Rules `. | | | - Optimized figure examples in this document. | -| | - Optimized descriptions in :ref:`Firewall Configuration Examples `. | +| | - Optimized descriptions in :ref:`Firewall Configuration Example `. | | | - Optimized descriptions in :ref:`Firewall Overview `. | | | - Changed the position of :ref:`Access Control `. | | | | diff --git a/umn/source/faq/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst b/umn/source/faq/security/does_a_modified_security_group_rule_or_a_firewall_rule_take_effect_immediately_for_existing_connections.rst similarity index 50% rename from umn/source/faq/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst rename to umn/source/faq/security/does_a_modified_security_group_rule_or_a_firewall_rule_take_effect_immediately_for_existing_connections.rst index f712623..bbc1a33 100644 --- a/umn/source/faq/security/does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified.rst +++ b/umn/source/faq/security/does_a_modified_security_group_rule_or_a_firewall_rule_take_effect_immediately_for_existing_connections.rst 
@@ -2,23 +2,23 @@ .. _vpc_faq_0074: -Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? -==================================================================================================================== +Does a Modified Security Group Rule or a Firewall Rule Take Effect Immediately for Existing Connections? +======================================================================================================== -- Security groups use connection tracking to track traffic to and from instances. If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections. +- Security groups use connection tracking to track traffic to and from instances. If an inbound rule is modified, the modified rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections. - If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared. + If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connections of all instances in the security group will be automatically cleared. - - The existing inbound persistent connections are disconnected. All the new connections matches against the new rules. - - The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules. + - The existing inbound persistent connections will be disconnected. All the new connections will match the new rules. 
+ - The existing outbound persistent connections will not be disconnected, and the original rule will still be applied. All the new connections will match the new rules. - Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic. - If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections. + If you add, modify, or delete a firewall rule, or associate or diassociate a subnet with or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules will only be applied for the new connections. .. important:: - After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s). + After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period (30s) expires. - The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s. - The timeout period of TCP connections varies by connection status. 
The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s. diff --git a/umn/source/faq/security/index.rst b/umn/source/faq/security/index.rst index 8db4944..cbe924f 100644 --- a/umn/source/faq/security/index.rst +++ b/umn/source/faq/security/index.rst @@ -8,7 +8,7 @@ Security - :ref:`Why Can't I Delete a Security Group? ` - :ref:`Can I Change the Security Group of an ECS? ` - :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? ` -- :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? ` +- :ref:`Does a Modified Security Group Rule or a Firewall Rule Take Effect Immediately for Existing Connections? ` - :ref:`Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict? ` .. toctree:: @@ -18,5 +18,5 @@ Security why_cant_i_delete_a_security_group can_i_change_the_security_group_of_an_ecs how_do_i_configure_a_security_group_for_multi-channel_protocols - does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified + does_a_modified_security_group_rule_or_a_firewall_rule_take_effect_immediately_for_existing_connections which_security_group_rule_has_a_high_priority_when_multiple_security_group_rules_conflict
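Review bot: in the first hunk of differences_between_security_groups_and_firewalls.rst, the new bullet "A Firewall protects associated subnets" capitalizes a common noun mid-sentence while the parallel bullet reads "A security group protects"; make it "A firewall protects".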
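Review bot: the table hunk in differences_between_security_groups_and_firewalls.rst is left inconsistent with the hunk above it: the "Protection Scope" cell still says "such as ECSs, databases, and CCI" after the intro was changed to "CCI pods", and the unchanged caption "Differences between security groups firewalls" is missing "and". In the "Packets" row the new wording "3-tuple (protocol, port, and source/destination)" drops the noun the old text had ("peer IP address"), so the reader no longer knows what source/destination refers to; suggest "source/destination IP address" in both cells. The "Usage" cell's "and enable firewall" should read "and enable the firewall". Please also confirm the unchanged "Rules" cell for Security Group ("Does not support **Allow** or **Deny** rules"), which reads as if security groups have no rules at all, yet this same patch links to "Adding a Security Group Rule".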
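Review bot: the heading in firewall_configuration_example.rst is made singular ("Firewall Configuration Example"), but the unchanged context line directly below still says "This section provides examples for configuring firewalls."; either keep the plural title or update that sentence. The label `acl_0002` is untouched, so the retargeted refs in index.rst and change_history.rst keep resolving.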
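Review bot: the added line in firewall_overview.rst contains the typo "diassociate" (should be "disassociate") and still runs two sentences together, "will not be disconnected New rules will only be applied"; a period is needed after "disconnected". "will only be applied for the new connections" reads better as "will apply only to new connections". The identical line is added in the FAQ hunk below, so both copies need the fix.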
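Review bot: the new 2024-01-16 row in change_history.rst records only the subnet figure change, but this patch also retitles the FAQ and the firewall configuration section and rewrites the connection-tracking text in three files; list those in the same row so the change history matches what the release actually changed.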
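Review bot: the rewritten FAQ body (similarity index 50%) now duplicates, word for word, the bullets in security_groups_and_security_group_rules.rst and firewall_overview.rst, including the "diassociate" typo and the missing period before "New rules". Consider moving the shared bullets and the `.. important::` block into one snippet pulled in with `.. include::` (or at minimum fix all three places in this patch) so the copies do not drift apart again.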