
Configuring the Security Group

Adding a Security Group Rule

The default security group rule allows all outgoing data packets. BMSs in a security group can access each other without the need to add access rules. After a security group is created, you can create different access rules for the security group to protect the BMSs that are added to this security group.

NOTE:

You can add only one security group when creating a BMS. After the BMS is created, you can modify the security group of each NIC on the BMS details page.

To access BMSs in a security group from external resources, create an inbound rule for the security group. It is recommended that you divide BMSs that have different Internet access policies into different security groups.

NOTE:

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access BMSs in the security group.

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Under Computing, click Bare Metal Server.
  4. In the BMS list, click the name of the BMS whose security group rules you want to modify.

    The page showing details of the BMS is displayed.

  5. Click the Security Group tab and then to query security group rules.
  6. Click the security group ID.

    The system automatically switches to the Security Group page.

  7. Click Manage Rule in the Operation column. On the security group details page, add a rule.

    Value Inbound indicates that traffic enters the security group, and value Outbound indicates that traffic leaves the security group.

    Table 1 Parameter description

    Parameter   | Description | Example Value
    ------------|-------------|--------------
    Protocol    | Specifies the network protocol for which the security group rule takes effect. The value can be TCP, UDP, ICMP, HTTP, or others. | TCP
    Port        | Specifies the port or port range for which the security group rule takes effect. The value ranges from 0 to 65535. | 22 or 22-30
    Source      | Specifies the source for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Inbound. The value can be an IP address or a security group. | 0.0.0.0/0 or default
    Destination | Specifies the destination for which the security group rule takes effect. This parameter is required when Transfer Direction is set to Outbound. The value can be an IP address or a security group. | 0.0.0.0/0 or default

BMS Security Group Configuration Examples

Configure security groups based on actual network environment requirements. This section describes common security group configurations for your reference.

  • Example One: BMSs in Different Security Groups Need to Communicate with Each Other Through an Internal Network.
    • Scenario:

      Resources on a BMS in one security group need to be copied to a BMS in another security group. The two BMSs are under the same account and in the same region. You can enable internal network communication between the two BMSs and then copy the resources.

    • Security Group Configuration:

      In the same region and under the same account, BMSs in the same security group can communicate with each other by default, and no configuration is required. However, BMSs in different security groups cannot communicate with each other by default. You must add security group rules to enable the BMSs to communicate with each other through an internal network.

      To enable the communication, you can add an inbound rule to each security group containing the BMSs to allow access from BMSs in the other security group. The security group rule is as follows.

      Protocol | Transfer Direction | Port Range/ICMP Protocol Type | Source
      ---------|--------------------|-------------------------------|-------
      Protocol used for internal network communication; supported values are TCP, UDP, ICMP, and ANY | Inbound | Port number range or ICMP protocol type | IPv4 address, IPv4 CIDR block, or another security group ID

      NOTE:

      The source can be an IPv4 address, IPv4 CIDR block, or security group ID. To restrict the source to a single IP address, use a subnet mask of 32 (a /32 CIDR block).

  • Example Two: Only Specified IP Addresses Can Remotely Access BMSs in a Security Group.
    • Scenario:

      To prevent BMSs from being attacked, you can change the port number for remote login and configure security group rules that allow only specified IP addresses to remotely access the BMSs.

    • Security Group Configuration:

      To allow IP address 192.168.20.2 to remotely access Linux BMSs in a security group over the TCP protocol and port 22, you can configure the following security group rule.

      Protocol | Transfer Direction | Port Range | Source
      ---------|--------------------|------------|-------
      TCP      | Inbound            | 22         | IPv4 address, IPv4 CIDR block, or another security group ID (for example, 192.168.20.2)

  • Example Three: Any Public IP Address Can Remotely Access BMSs in a Security Group.
    • Scenario:

      Any public IP address can access BMSs in a security group.

    • Security Group Configuration:

      To allow any public IP address to access Linux BMSs in a security group over the TCP protocol, you can configure the following security group rule.

      Protocol | Transfer Direction | Port Range | Source
      ---------|--------------------|------------|----------
      TCP      | Inbound            | 22         | 0.0.0.0/0

      To allow any public IP address to access Windows BMSs in a security group over the TCP protocol, you can configure the following security group rule.

      Protocol | Transfer Direction | Port Range | Source
      ---------|--------------------|------------|----------
      TCP      | Inbound            | 3389       | 0.0.0.0/0

  • Example Four: Any Public IP Addresses Can Access BMSs in a Security Group over the HTTP or HTTPS Protocol.
    • Scenario:

      After websites are deployed on BMSs in a security group, users with any public IP address must be able to access the BMSs over the HTTP or HTTPS protocol.

    • Security Group Configuration:

      To enable any public IP address to access BMSs in a security group over the HTTP or HTTPS protocol, you need to configure the following two security group rules.

      Protocol | Transfer Direction | Port Range  | Source
      ---------|--------------------|-------------|----------
      TCP      | Inbound            | 80 (HTTP)   | 0.0.0.0/0
      TCP      | Inbound            | 443 (HTTPS) | 0.0.0.0/0
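The following Python model, added here as an illustration and not part of the BMS product or its API, encodes the rule semantics this guide describes (intra-group traffic always allowed, inbound denied unless a rule matches, a source given as a bare address or security group ID) and replays the four example rule sets against sample packets; it also flags the pattern from Example Three, where port 22 or 3389 is open to 0.0.0.0/0, that Example Two is meant to avoid. Security group IDs such as sg-a and sg-b and all packet addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    direction: str                    # "Inbound" or "Outbound"
    protocol: str                     # "TCP", "UDP", "ICMP" or "ANY"
    ports: Optional[Tuple[int, int]]  # (low, high) port range; None = all ports
    source: str                       # IPv4 address/CIDR or security group ID

def port_matches(rule: Rule, port: int) -> bool:
    return rule.ports is None or rule.ports[0] <= port <= rule.ports[1]

def inbound_allowed(rules: List[Rule], group_id: str, protocol: str, port: int,
                    src_ip: str, src_group: Optional[str] = None) -> bool:
    """Guide semantics: members of the same security group can always reach
    each other; any other inbound packet must match a rule or is dropped."""
    if src_group == group_id:
        return True
    for r in rules:
        if r.direction != "Inbound" or r.protocol not in ("ANY", protocol):
            continue
        if not port_matches(r, port):
            continue
        if r.source == src_group:              # rule keyed on a peer group ID
            return True
        try:
            net = ipaddress.ip_network(r.source, strict=False)
        except ValueError:                     # source is a group ID, not a CIDR
            continue
        if ipaddress.ip_address(src_ip) in net:  # a bare address acts as /32
            return True
    return False                               # default deny for inbound

def audit_open_admin_ports(rules: List[Rule]) -> List[int]:
    """Return remote-login ports (22 SSH, 3389 RDP) that some inbound rule
    exposes to every source (0.0.0.0/0), the Example Three pattern."""
    exposed = {p for r in rules
               if r.direction == "Inbound" and r.source == "0.0.0.0/0"
               for p in (22, 3389) if port_matches(r, p)}
    return sorted(exposed)

# Constructed rule sets mirroring the guide's examples (group IDs are placeholders).
EXAMPLE_ONE = [Rule("Inbound", "ANY", None, "sg-b")]                # in group sg-a
EXAMPLE_TWO = [Rule("Inbound", "TCP", (22, 22), "192.168.20.2/32")]
EXAMPLE_THREE = [Rule("Inbound", "TCP", (22, 22), "0.0.0.0/0"),
                 Rule("Inbound", "TCP", (3389, 3389), "0.0.0.0/0")]
EXAMPLE_FOUR = [Rule("Inbound", "TCP", (80, 80), "0.0.0.0/0"),
                Rule("Inbound", "TCP", (443, 443), "0.0.0.0/0")]
```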