ZStack Cloud Platform
Single Server, Free Trial for One Year
-
Documentation&Tools
Comprehensive product documentation and tools
-
Support & Services
Upholding the value of Customer First and the mission of Serving Customer, ZStack is dedicated to providing secure and stable services for customers.
-
Training & Certification
To educate ZStack partners and interested individuals about cloud computing and to cultivate cloud computing talent.
-
Content
ZStack provides innovative cloud infrastructure for ten major industries
VMware-to-ZStack Case Collection
The report provides three major
solutions and customer case studies for transitioning from VMware to ZStack.
Network Service
ZStack ZSphere provides security group network services to ensure the security of east-west traffic between virtual machines.
Security Group
This section describes how security groups work and how to use them:
Overview
Security Group: A security group provides security control services for VM NICs. It filters the ingress or egress TCP, UDP, and ICMP packets of VM NICs based on the specified security rules.
Functional Framework
Security groups control traffic to and from network interfaces through security rules within the group. A network interface can be part of multiple security groups, and by setting the priority of security groups, traffic is first matched against rules in the higher-priority groups.
A security group can contain multiple security rules. Based on their creation mechanism, these can be divided into system rules and custom rules:
- System Rules: After creating a new security group, the system provides two default rules:
- Intra-Group Communication Rule: Network interfaces within the same security group are allowed to communicate with each other by default. This rule has a higher priority than all custom rules and cannot be modified or deleted, only disabled.
- Intra-/Inter-Group Communication Rule: Network interfaces within the security group are allowed to access interfaces outside the security group by default, but interfaces outside the group are not allowed to access those inside by default. This rule has a lower priority than all custom rules and supports modifying the default intra-group and inter-group access behavior for individual virtual machine network interfaces.
- Custom Rules: Rules added to the security group by users.
The security group rules consist of direction, target, action, protocol & port, and priority:
- Rule Direction: Security group rules primarily control the source or destination of traffic. Based on the direction of traffic flow, they can be categorized as inbound rules and outbound rules:
- Inbound Rule: For traffic entering the network interface from the outside, primarily controlling the source of traffic.
- Outbound Rule: For traffic sent out from the network interface, primarily controlling the destination of traffic.
- Rule Target: The target of the security group rule (inbound/outbound rule), including source and destination:
- Source: Corresponds to the inbound rule, supporting the use of IP addresses/ranges or security groups as sources. Inbound rules allow/reject traffic from the specified IP addresses/ranges or security groups.
- Destination: Corresponds to the outbound rule, supporting the use of IP addresses/ranges or security groups as destinations. Outbound rules allow/reject traffic from the current group's network interfaces to the target IP addresses/ranges or security groups.
- Action: The specific action taken for traffic matching the rule conditions, including Allow and Deny:
- Allow: Allows network request traffic to flow into or out of the network interface.
- Deny: Does not allow network request traffic to flow into or out of the network interface.
By default, if traffic entering or leaving the network interface does not match any custom rules, inbound traffic is denied and outbound traffic is allowed.
- Protocol and Port: The packet protocol and corresponding port targeted by the rule. Protocols include ALL, TCP, UDP, and ICMP:
- ALL: Indicates coverage of all protocol types, and ports cannot be specified.
- TCP: Supports ports 1-65535.
- UDP: Supports ports 1-65535.
- ICMP: Does not support specifying a port.
- Priority: The relative precedence of one security group rule over others, with supported values ranging from 1 to 100. Higher numbers indicate lower priority.
Create a Security Group and Related Rules
To use security groups with your virtual machine, you need to create a new security group, add rules to the security group, and bind the security group to the NIC:
Create a Security Group
On the ZStack ZSphere platform, select the target data center, then click , and follow the configuration below to create a new security group:
- Name: Enter the name for the security group.
- Description: Provide a description for the security group.
After clicking OK, the new security group will be created.
Add Rules
After creating a new security group, you can add individual or batch inbound and outbound rules to the security group on its Overview page.
Add Individually: Depending on the direction of the rule you wish to add, select the Ingress Rule or Egress Rule tab, and click the Add Rule button. Follow the example below to add the rule:
- Type: The direction of traffic controlled by the rule, displayed as Ingress or Egress.
- Priority: The priority of the rule, which automatically increments by 1 for each new rule added. Higher numbers indicate lower priority.
- IP Address Type: Supports IPv4 address type.
- Protocol: The communication protocol targeted by the rule, supporting ALL, TCP, UDP, and ICMP.
- Port: When selecting TCP or UDP, specify the port targeted by the rule:
- If specifying a range of ports, use the format
Start Port-End Port. - If specifying multiple ports or ranges, separate them with an English comma “,”. You can specify up to 10 ports or ranges.
- If specifying a range of ports, use the format
- Source: Required when adding an inbound rule, indicating whether to allow or deny traffic from the specified IP addresses/ranges or security groups:
- When specifying by IP address/range, you can enter a range using the format
Start IP-End IP. - When specifying by IP address/range, you can enter CIDR notation. If specifying CIDR along with other types of IP addresses, the CIDR mask must be 24 bits. If specifying only CIDR, there is no limit on the mask.
- If specifying multiple IP addresses/ranges, separate them with an English comma “,”.
- When specifying by IP address/range, you can enter a range using the format
- Destination: Required when adding an outbound rule, indicating whether to allow or deny traffic from the NICs in this group to the specified IP addresses or security groups:
- When specifying by IP address/range, you can enter a range using the format
Start IP-End IP. - When specifying by IP address/range, you can enter CIDR notation. If specifying CIDR along with other types of IP addresses, the CIDR mask must be 24 bits. If specifying only CIDR, there is no limit on the mask.
- If specifying multiple IP addresses/ranges, separate them with an English comma “,”.
- When specifying by IP address/range, you can enter a range using the format
- State: Whether to enable the rule immediately after creating the security group. By default, the rule is enabled. If set to disabled, the interfaces in the group will not match this rule until you manually enable it.
- Description: Description of the security group rule.
Batch Add: You can add multiple inbound and outbound rules to a security group by importing rules:
- Click , upload a CSV file, and click OK. The rules will be imported successfully.
Note: - The imported rules will not affect existing rules. Their priority will default to be placed after existing rules and will be in a disabled state.
- After import, users can manually adjust the priority and enable these rules.
- To ensure system compatibility, the imported file must be edited using Microsoft Excel.
- If you need to reuse the rules of one security group for another security group, you can do the following on the security group page, depending on the scenario:
- If you only need to export inbound rules or outbound rules, you can click the download button at the top right of the rule list under the corresponding tab and choose to export the current page or all . This will export the rules in CSV format.
- If you need to export all inbound and outbound rules, click . This will export the rules in CSV format.
Associate VM NIC
After adding rules to a security group, you can choose the following paths to bind the security group to virtual machine NICs based on your scenario:
- If you need to bind the security group to multiple virtual machine NICs, you can select target interfaces in bulk on the VM NIC page of the security group, and follow the example below to bind them:
- Network: Select the network scope applicable to the security group, choosing either all distributed port groups or specific port groups in the data center.
- NIC: Select target NIC to bind.Note: If the IP address of a virtual machine NIC is shown as empty on the platform, the default security group rule (intra-group communication rule) will not apply to that interface.
- If you need to bind multiple security groups to a virtual machine NIC, you can do so on the Overview page of the target virtual machine, using Edit Configuration to bind security groups to the virtual machine NICs in bulk. The smaller the number assigned to a security group, the higher its priority for taking effect.Note: Please configure carefully to avoid conflicts between rules across different security groups.
Next Chapter: Resource Monitoring