Reviewed-by: Muller, Martin <martin.muller@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="sfs_01_0081"></a><a name="sfs_01_0081"></a>
<h1 class="topictitle1">Does the Security Group of a VPC Affect SFS?</h1>
<div id="body1469764805162"><p id="sfs_01_0081__p4149039720172">A security group is a collection of access control rules for servers in a VPC that have the same security protection requirements and trust each other. After a security group is created, you can add access rules to it to protect the servers that belong to it. The default security group rule allows all outgoing data packets. Servers in the same security group can access each other without additional rules. The system creates a security group for each cloud account by default. You can also create custom security groups.</p>
<p id="sfs_01_0081__p75991947521">After an SFS Turbo file system is created, the system automatically enables the security group ports required by the NFS protocol for the SFS Turbo file system. This ensures that your servers can access the SFS Turbo file system and prevents file system mounting failures. The inbound ports required by the NFS protocol are ports 111, 2049, 2051, 2052, and 20048. To change the enabled ports, choose <strong id="sfs_01_0081__b4783114185513">Access Control</strong> &gt; <strong id="sfs_01_0081__b1578815418552">Security Groups</strong> on the VPC console and locate the target security group.</p>
<p id="sfs_01_0081__p12100223153518">You are advised to use an independent security group for an SFS Turbo instance to isolate it from service nodes.</p>
<p id="sfs_01_0081__p562413181817">You need to add inbound and outbound rules for the security group of an SFS Capacity-Oriented file system. For details, see section "Adding a Security Group Rule" in the <em id="sfs_01_0081__i535012883117">Virtual Private Cloud User Guide</em>. In an SFS Capacity-Oriented file system, the inbound ports required by the NFS protocol are ports 111, 2049, 2051, and 2052. The inbound port required by the DNS server is port 53.</p>
<div class="section" id="sfs_01_0081__section54544852203537"><h4 class="sectiontitle">Example Value</h4><ul id="sfs_01_0081__ul38128727205616"><li id="sfs_01_0081__li3988377205616">Inbound rule
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="sfs_01_0081__table54184017205651" frame="border" border="1" rules="all"><thead align="left"><tr id="sfs_01_0081__row35424582205651"><th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.1.1.1.7.1.1"><p id="sfs_01_0081__p50818907205651">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.1.1.1.7.1.2"><p id="sfs_01_0081__p22690788205651">Protocol</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.1.1.1.7.1.3"><p id="sfs_01_0081__p26014538205651">Port Range</p>
</th>
<th align="left" class="cellrowborder" colspan="2" valign="top" id="mcps1.3.5.2.1.1.1.7.1.4"><p id="sfs_01_0081__p26802804205651">Source IP Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.1.1.1.7.1.5"><p id="sfs_01_0081__p8223146205917">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="sfs_01_0081__row23543498205651"><td class="cellrowborder" valign="top" width="14.141414141414144%" headers="mcps1.3.5.2.1.1.1.7.1.1 "><p id="sfs_01_0081__p27975222205651">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="13.131313131313133%" headers="mcps1.3.5.2.1.1.1.7.1.2 "><p id="sfs_01_0081__p51400477205651">TCP and UDP</p>
</td>
<td class="cellrowborder" valign="top" width="12.121212121212121%" headers="mcps1.3.5.2.1.1.1.7.1.3 "><p id="sfs_01_0081__p2689129205651">111</p>
</td>
<td class="cellrowborder" valign="top" width="11.111111111111112%" headers="mcps1.3.5.2.1.1.1.7.1.4 "><p id="sfs_01_0081__p16492930205651">IP Address</p>
</td>
<td class="cellrowborder" valign="top" width="11.111111111111112%" headers="mcps1.3.5.2.1.1.1.7.1.4 "><p id="sfs_01_0081__p60858959205651">0.0.0.0/0 (configurable)</p>
</td>
<td class="cellrowborder" valign="top" width="38.38383838383839%" headers="mcps1.3.5.2.1.1.1.7.1.5 "><p id="sfs_01_0081__p5197130205930">One port corresponds to one access rule. Add a rule for each port, one by one.</p>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="sfs_01_0081__li20966933205621">Outbound rule
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="sfs_01_0081__table44923309203526" frame="border" border="1" rules="all"><thead align="left"><tr id="sfs_01_0081__row52561756203526"><th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.2.1.1.7.1.1"><p id="sfs_01_0081__p49783918204530">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.2.1.1.7.1.2"><p id="sfs_01_0081__p55722220204537">Protocol</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.2.1.1.7.1.3"><p id="sfs_01_0081__p11644070203526">Port Range</p>
</th>
<th align="left" class="cellrowborder" colspan="2" valign="top" id="mcps1.3.5.2.2.1.1.7.1.4"><p id="sfs_01_0081__p3645591203526">Source IP Address</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.5.2.2.1.1.7.1.5"><p id="sfs_01_0081__p8146189211017">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="sfs_01_0081__row26857486203526"><td class="cellrowborder" valign="top" width="14.000000000000002%" headers="mcps1.3.5.2.2.1.1.7.1.1 "><p id="sfs_01_0081__p13451176204530">Outbound</p>
</td>
<td class="cellrowborder" valign="top" width="13%" headers="mcps1.3.5.2.2.1.1.7.1.2 "><p id="sfs_01_0081__p51509273204537">TCP and UDP</p>
</td>
<td class="cellrowborder" valign="top" width="12%" headers="mcps1.3.5.2.2.1.1.7.1.3 "><p id="sfs_01_0081__p53386267203526">111</p>
</td>
<td class="cellrowborder" valign="top" width="12%" headers="mcps1.3.5.2.2.1.1.7.1.4 "><p id="sfs_01_0081__p29320371203526">IP Address</p>
</td>
<td class="cellrowborder" valign="top" width="11%" headers="mcps1.3.5.2.2.1.1.7.1.4 "><p id="sfs_01_0081__p37075380204554">0.0.0.0/0 (configurable)</p>
</td>
<td class="cellrowborder" valign="top" width="38%" headers="mcps1.3.5.2.2.1.1.7.1.5 "><p id="sfs_01_0081__p28494090211017">One port corresponds to one access rule. Add a rule for each port, one by one.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="sfs_01_0081__note588121295516"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="sfs_01_0081__p07266451875">The bidirectional access rule must be configured for port <strong id="sfs_01_0081__b728519224818">111</strong>. The inbound rule can be set to the front-end service IP range of SFS. You can obtain it by running the following command: <strong id="sfs_01_0081__b15871164311537">ping</strong> <em id="sfs_01_0081__i16670105913539">File system domain name or IP address</em> or <strong id="sfs_01_0081__b721754255418">dig</strong> <em id="sfs_01_0081__i631215362547">File system domain name or IP address</em>.</p>
<p id="sfs_01_0081__p5881112145518">For ports <strong id="sfs_01_0081__b842352706173827">2049</strong>, <strong id="sfs_01_0081__b842352706173831">2050</strong>, <strong id="sfs_01_0081__b842352706173834">2051</strong>, and <strong id="sfs_01_0081__b842352706173837">2052</strong>, only the outbound rule needs to be added, which is the same as the outbound rule of port <strong id="sfs_01_0081__b84235270617399">111</strong>.</p>
</div></div>
</li></ul>
</div>
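<p>The following audit sketch is an added example, not part of the original SFS documentation. It checks a list of inbound rules against the NFS ports named above and reports ports that are missing, rules whose source is wider than the ranges you intend to allow (the example table's 0.0.0.0/0 is marked configurable), and rules that span more than one port. The rule dictionary layout, the function name <code>audit_inbound</code> and the sample CIDRs are assumptions made for this example.</p>

```python
import ipaddress

# Inbound NFS ports as listed on this page, per file system type.
REQUIRED_INBOUND = {
    "turbo": {111, 2049, 2051, 2052, 20048},
    "capacity": {111, 2049, 2051, 2052},
}

# Constructed sample rules; the dict layout is an assumption, not a console export.
SAMPLE_RULES = [
    {"direction": "inbound", "port_min": 111, "port_max": 111, "source": "0.0.0.0/0"},
    {"direction": "inbound", "port_min": 2049, "port_max": 2049, "source": "192.168.0.0/24"},
    {"direction": "inbound", "port_min": 2051, "port_max": 2052, "source": "192.168.0.0/24"},
    {"direction": "outbound", "port_min": 111, "port_max": 111, "source": "0.0.0.0/0"},
]


def audit_inbound(rules, fs_type, allowed_cidrs):
    """Check inbound rules against the required NFS ports for fs_type."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    required = REQUIRED_INBOUND[fs_type]
    covered, open_source, multi_port = set(), [], []
    for rule in rules:
        if rule["direction"] != "inbound":
            continue
        lo, hi = rule["port_min"], rule["port_max"]
        hit = sorted(p for p in required if lo <= p <= hi)
        if not hit:
            continue  # rule does not concern an NFS port
        covered.update(hit)
        src = ipaddress.ip_network(rule["source"])
        # Source must sit inside one of the ranges the operator intends to allow.
        if not any(src.version == n.version and src.subnet_of(n) for n in allowed):
            open_source.append((hit, rule["source"]))
        # The page asks for one rule per port; a range exposes more than needed.
        if lo != hi:
            multi_port.append((lo, hi))
    return {
        "missing": sorted(required - covered),
        "open_source": open_source,
        "multi_port": multi_port,
    }


if __name__ == "__main__":
    print(audit_inbound(SAMPLE_RULES, "turbo", ["192.168.0.0/16"]))
```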
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="sfs_01_0079.html">Networks</a></div>
</div>
</div>