forked from docs/virtual-private-cloud
Update content
This commit is contained in:
parent
db544abd79
commit
ee250d35b8
Binary file (image) changed, not shown. Before: size 28 KiB. After: size 22 KiB.
@ -5,10 +5,10 @@
|
||||
Differences Between Security Groups and Firewalls
|
||||
=================================================
|
||||
|
||||
You can configure firewall and security group rules to protect the instances in your VPC, such as ECSs, databases, and CCI.
|
||||
You can configure firewall and security group rules to protect the instances in your VPC, such as ECSs, databases, and CCI pods.
|
||||
|
||||
- A security group protects the instances in it.
|
||||
- Firewalls protect associated subnets and all the resources in the subnets.
|
||||
- A Firewall protects associated subnets and all the resources in the subnets.
|
||||
|
||||
For details, see :ref:`Figure 1 <en-us_topic_0052003963__fig9582182315479>`.
|
||||
|
||||
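Review bot: "A Firewall protects associated subnets ..." capitalizes firewall mid-sentence, which the rest of the page does not ("enable firewall", "Firewalls use connection tracking"); make it "A firewall protects associated subnets and all the resources in the subnets." The change to "CCI pods" is fine, but the same phrase in the table's Protection Scope row still reads "ECSs, databases, and CCI", so the two should be aligned in the same commit.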
@ -25,20 +25,20 @@ For details, see :ref:`Figure 1 <en-us_topic_0052003963__fig9582182315479>`.
|
||||
|
||||
.. table:: **Table 1** Differences between security groups firewalls
|
||||
|
||||
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Category | Security Group | Firewall |
|
||||
+=======================+=================================================================================================================================================================================+===========================================================================================================================================================================================================================================================+
|
||||
+=======================+========================================================================================================================================================================+===========================================================================================================================================================================================================================================================+
|
||||
| Protection Scope | Protects instances in a security group, such as ECSs, databases, and CCI. | Protects subnets and all the instances in the subnets. |
|
||||
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. |
|
||||
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. |
|
||||
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Usage | - When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, the system automatically creates a default security group. | Selecting a firewall is not allowed when you create a subnet. You must create a firewall, add inbound and outbound rules, associate subnets with it, and enable firewall. The firewall then protects the associated subnets and instances in the subnets. |
|
||||
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Matching Order | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. |
|
||||
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Usage | - When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, a default security group will be created for you. | Selecting a firewall is not allowed when you create a subnet. You must create a firewall, add inbound and outbound rules, associate subnets with it, and enable firewall. The firewall then protects the associated subnets and instances in the subnets. |
|
||||
| | - After creating an instance, you can: | |
|
||||
| | | |
|
||||
| | - Add or remove instances on the security group console. | |
|
||||
| | - Add or remove a security group for an instance on the instance console. | |
|
||||
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. |
|
||||
+-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| | - Add or remove the instance to or from the security group on the security group console. | |
|
||||
| | - Associate or disassociate a security group with or from the instance on the instance console. | |
|
||||
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Packets | Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported. | Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported. |
|
||||
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
|
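Review bot: the Rules row ("Does not support **Allow** or **Deny** rules" for security groups versus "Supports both **Allow** and **Deny** rules" for firewalls) is dropped from the new table and nothing replaces it. That row carried the difference a reader most needs when choosing between the two controls: a security group rule can only permit traffic (anything unmatched is dropped), so blocking a specific source or port explicitly requires a firewall rule. Restore the row, or state where that information moved. Smaller points in the same table: renaming "Priority" to "Matching Order" with unchanged text is fine, but the new Packets row names four items for the "5-tuple" and uses "source/destination" as one item of the "3-tuple", so the counts no longer match the tuple names; the old wording ("peer IP address" / "source IP address, and destination IP address") was precise and should be kept or spelled out.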
@ -2,8 +2,8 @@
|
||||
|
||||
.. _acl_0002:
|
||||
|
||||
Firewall Configuration Examples
|
||||
===============================
|
||||
Firewall Configuration Example
|
||||
==============================
|
||||
|
||||
This section provides examples for configuring firewalls.
|
||||
|
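Review bot: the title becomes singular ("Firewall Configuration Example") but the intro sentence two lines below still says "This section provides examples for configuring firewalls"; if the page now shows a single example, change the intro to match, otherwise keep the plural title.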
@ -31,11 +31,11 @@ Firewall Basics
|
||||
|
||||
- Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic.
|
||||
|
||||
If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections.
|
||||
If you add, modify, or delete a firewall rule, or associate or diassociate a subnet with or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules will only be applied for the new connections.
|
||||
|
||||
.. important::
|
||||
|
||||
After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s).
|
||||
After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period (30s) expires.
|
||||
|
||||
- The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.
|
||||
- The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.
|
||||
|
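Review bot: "associate or diassociate a subnet" has a typo (disassociate), and both the old and the new version of that sentence are missing the full stop before "New rules" ("... will not be disconnected. New rules will only apply to new connections."). More important, the rewritten last bullet drops the ICMP and other-protocol timeouts (30s for ICMP, 180s/30s for other protocols) and keeps only TCP ESTABLISHED 600s and FIN-WAIT 30s, yet the important:: note just above still uses "an ICMP persistent connection ... timeout period (30s)" as its example; the note now cites a value the page no longer states. Either keep the per-protocol list or change the example to a TCP connection in FIN-WAIT.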
@ -6,7 +6,7 @@ Firewall
|
||||
========
|
||||
|
||||
- :ref:`Firewall Overview <acl_0001>`
|
||||
- :ref:`Firewall Configuration Examples <acl_0002>`
|
||||
- :ref:`Firewall Configuration Example <acl_0002>`
|
||||
- :ref:`Creating a Firewall <en-us_topic_0051746698>`
|
||||
- :ref:`Adding a Firewall Rule <en-us_topic_0051746702>`
|
||||
- :ref:`Associating Subnets with a Firewall <en-us_topic_0051746700>`
|
||||
@ -25,7 +25,7 @@ Firewall
|
||||
:hidden:
|
||||
|
||||
firewall_overview
|
||||
firewall_configuration_examples
|
||||
firewall_configuration_example
|
||||
creating_a_firewall
|
||||
adding_a_firewall_rule
|
||||
associating_subnets_with_a_firewall
|
||||
|
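Review bot: renaming the toctree entry from firewall_configuration_examples to firewall_configuration_example implies the source file (and the built firewall_configuration_examples.html) is renamed, which breaks existing links and bookmarks to the old URL. The acl_0002 label keeps internal :ref: links working, but external links do not; keep the old filename or add a redirect from the old page.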
@ -17,16 +17,16 @@ Security Group Basics
|
||||
|
||||
- Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
|
||||
|
||||
- Security groups use connection tracking to track traffic to and from instances. If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections.
|
||||
- Security groups use connection tracking to track traffic to and from instances. If an inbound rule is modified, the modified rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections.
|
||||
|
||||
If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared.
|
||||
If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connections of all instances in the security group will be automatically cleared.
|
||||
|
||||
- The existing inbound persistent connections are disconnected. All the new connections matches against the new rules.
|
||||
- The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules.
|
||||
- The existing inbound persistent connections will be disconnected. All the new connections will match the new rules.
|
||||
- The existing outbound persistent connections will not be disconnected, and the original rule will still be applied. All the new connections will match the new rules.
|
||||
|
||||
.. important::
|
||||
|
||||
After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s).
|
||||
After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period (30s) expires.
|
||||
|
||||
- The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.
|
||||
- The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.
|
||||
|
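Review bot: the rewrite keeps the statement that existing outbound persistent connections are not cut and "the original rule will still be applied", which is the security-relevant behaviour here and deserves one explicit sentence: tightening or deleting an outbound rule does not stop an already-established outbound session (an ongoing upload, or an attacker's reverse connection), it only blocks new ones, so the old permission persists for as long as that session lives, and with a 600s TCP ESTABLISHED timeout the tracking entry outlives a quiet session for a while too. Also, as in the firewall section, the last bullet no longer lists the ICMP 30s timeout while the important:: note above still uses an ICMP connection with a 30s timeout as its example.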
@ -8,6 +8,10 @@ Change History
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Released On | Description |
|
||||
+===================================+====================================================================================================================================================================================================================================================================================================================================+
|
||||
| 2024-01-16 | This release incorporates the following changes: |
|
||||
| | |
|
||||
| | Modified the figure for creating a subnet in :ref:`Creating a Subnet for the VPC <en-us_topic_0013748726>`, :ref:`Step 2: Create a Subnet for the VPC <vpc_qs_0006>`, and :ref:`Step 2: Create a Subnet for the VPC <vpc_qs_0010>`. |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| 2024-01-02 | This release incorporates the following changes: |
|
||||
| | |
|
||||
| | Modified the parameter descriptions in sections :ref:`Adding a Security Group Rule <en-us_topic_0030969470>` and :ref:`Adding a Firewall Rule <en-us_topic_0051746702>`. |
|
||||
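Review bot: the new 2024-01-16 entry records only the subnet figure change, yet this commit also removes the Rules row from the security group/firewall comparison table, shortens the connection-tracking timeout text in three places, and renames two pages (Firewall Configuration Example and the FAQ on modified rules). Readers who rely on the change history to spot behaviour-affecting documentation changes will miss them; list them in this entry.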
@ -207,8 +211,8 @@ Change History
|
||||
| | |
|
||||
| | Modified the following content: |
|
||||
| | |
|
||||
| | - Added rules in :ref:`Firewall Configuration Examples <acl_0002>`. |
|
||||
| | - Modified :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? <vpc_faq_0074>` |
|
||||
| | - Added rules in :ref:`Firewall Configuration Example <acl_0002>`. |
|
||||
| | - Modified :ref:`Does a Modified Security Group Rule or a Firewall Rule Take Effect Immediately for Existing Connections? <vpc_faq_0074>` |
|
||||
| | - Modified :ref:`Why Can't I Delete My VPCs and Subnets? <vpc_faq_0075>` |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| 2020-02-25 | Added the following content: |
|
||||
@ -235,7 +239,7 @@ Change History
|
||||
| | |
|
||||
| | - Updated screenshots in :ref:`Adding a Security Group Rule <en-us_topic_0030969470>` and :ref:`Fast-Adding Security Group Rules <securitygroup_0004>`. |
|
||||
| | - Optimized figure examples in this document. |
|
||||
| | - Optimized descriptions in :ref:`Firewall Configuration Examples <acl_0002>`. |
|
||||
| | - Optimized descriptions in :ref:`Firewall Configuration Example <acl_0002>`. |
|
||||
| | - Optimized descriptions in :ref:`Firewall Overview <acl_0001>`. |
|
||||
| | - Changed the position of :ref:`Access Control <vpc_securitygroup_0000>`. |
|
||||
| | - Optimized :ref:`What Is a Quota? <vpc_faq_0051>` |
|
||||
@ -268,7 +272,7 @@ Change History
|
||||
| | - Optimized description about the scenario in :ref:`Creating an Alarm Rule <vpc010014>`. |
|
||||
| | - Updated screenshots in :ref:`Adding a Security Group Rule <en-us_topic_0030969470>` and :ref:`Fast-Adding Security Group Rules <securitygroup_0004>`. |
|
||||
| | - Optimized figure examples in this document. |
|
||||
| | - Optimized descriptions in :ref:`Firewall Configuration Examples <acl_0002>`. |
|
||||
| | - Optimized descriptions in :ref:`Firewall Configuration Example <acl_0002>`. |
|
||||
| | - Optimized descriptions in :ref:`Firewall Overview <acl_0001>`. |
|
||||
| | - Changed the position of :ref:`Access Control <vpc_securitygroup_0000>`. |
|
||||
| | |
|
||||
|
@ -2,23 +2,23 @@
|
||||
|
||||
.. _vpc_faq_0074:
|
||||
|
||||
Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified?
|
||||
====================================================================================================================
|
||||
Does a Modified Security Group Rule or a Firewall Rule Take Effect Immediately for Existing Connections?
|
||||
========================================================================================================
|
||||
|
||||
- Security groups use connection tracking to track traffic to and from instances. If the inbound rule of a security group is modified, the new rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections.
|
||||
- Security groups use connection tracking to track traffic to and from instances. If an inbound rule is modified, the modified rule immediately takes effect for the existing traffic. Changes to outbound security group rules do not affect existing persistent connections and take effect only for new connections.
|
||||
|
||||
If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connection of all instances in the security group will be automatically cleared.
|
||||
If you add, modify, or delete a security group rule, or add or remove an instance to or from a security group, the inbound connections of all instances in the security group will be automatically cleared.
|
||||
|
||||
- The existing inbound persistent connections are disconnected. All the new connections matches against the new rules.
|
||||
- The existing outbound persistent connections will not be disconnected. All the new connections matches against the new rules.
|
||||
- The existing inbound persistent connections will be disconnected. All the new connections will match the new rules.
|
||||
- The existing outbound persistent connections will not be disconnected, and the original rule will still be applied. All the new connections will match the new rules.
|
||||
|
||||
- Firewalls use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic.
|
||||
|
||||
If you add, modify, or delete a firewall rule, or add or remove a subnet to or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules only apply to the new connections.
|
||||
If you add, modify, or delete a firewall rule, or associate or diassociate a subnet with or from a firewall, all the inbound and outbound persistent connections will not be disconnected New rules will only be applied for the new connections.
|
||||
|
||||
.. important::
|
||||
|
||||
After a persistent connection is disconnected, new connection will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period expires(30s).
|
||||
After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will apply when the timeout period (30s) expires.
|
||||
|
||||
- The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.
|
||||
- The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.
|
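Review bot: this FAQ now carries, word for word, the same bullets and important:: note as Security Group Basics and Firewall Basics, including the same "diassociate" typo, the missing full stop before "New rules", and the ICMP 30s example that the shortened timeout bullet no longer backs up. Three hand-maintained copies will drift; keep the text in one place and pull it in with an RST include (or link the FAQ to the two overview sections) so that a fix lands once.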
@ -8,7 +8,7 @@ Security
|
||||
- :ref:`Why Can't I Delete a Security Group? <faq_security_0003>`
|
||||
- :ref:`Can I Change the Security Group of an ECS? <vpc_faq_0039>`
|
||||
- :ref:`How Do I Configure a Security Group for Multi-Channel Protocols? <vpc_faq_0059>`
|
||||
- :ref:`Does a Security Group Rule or a Firewall Rule Immediately Take Effect for Existing Connections After It Is Modified? <vpc_faq_0074>`
|
||||
- :ref:`Does a Modified Security Group Rule or a Firewall Rule Take Effect Immediately for Existing Connections? <vpc_faq_0074>`
|
||||
- :ref:`Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict? <vpc_faq_0077>`
|
||||
|
||||
.. toctree::
|
||||
@ -18,5 +18,5 @@ Security
|
||||
why_cant_i_delete_a_security_group
|
||||
can_i_change_the_security_group_of_an_ecs
|
||||
how_do_i_configure_a_security_group_for_multi-channel_protocols
|
||||
does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified
|
||||
does_a_modified_security_group_rule_or_a_firewall_rule_take_effect_immediately_for_existing_connections
|
||||
which_security_group_rule_has_a_high_priority_when_multiple_security_group_rules_conflict
|
||||
|
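Review bot: the FAQ file is renamed in the toctree (does_a_security_group_rule_or_a_firewall_rule_immediately_take_effect_for_existing_connections_after_it_is_modified to does_a_modified_security_group_rule_or_a_firewall_rule_take_effect_immediately_for_existing_connections), so the old page URL disappears; the vpc_faq_0074 label keeps internal :ref: links working, but external links and search results pointing at the old filename break. Add a redirect or keep the old filename.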