Overview of security groups

Last updated: 2021-08-04 11:26:16

Security groups are an important means of network security and isolation provided by Kingsoft Cloud. As stateful virtual firewalls for servers, security groups are used to configure the control over network access of KEC instances, EPC instances, GPU products, and cloud database products.

As a logical group, a security group can include instances that have the same requirements for network security and isolation and are in the same region. For enhanced security, it can work with security group policies to filter inbound and outbound traffic of the instances.

Terms

  • Default security group: Each VPC region of Kingsoft Cloud contains a default security group. The default security group allows all outbound VPC traffic; how inbound traffic is handled depends on the protocol (for more information, see the table Comparison between security group features below). You can modify the rules of the default security group or create new security groups as needed.
  • Multiple security groups: In a VPC environment, the network interface cards (NICs) of an instance can be associated with multiple security groups. Traffic on those NICs is matched against the rules of all associated groups. Because the rules are Allow rules, traffic is allowed to pass as long as it matches any one rule in any of the groups.
  • Security group rules: These are the specific rules of a security group for controlling inbound and outbound traffic. They are divided into inbound rules and outbound rules.
  • Stateful security rules: A stateful security rule tracks connections. If a packet is allowed out, the corresponding response packets are allowed back in without a matching inbound rule, and vice versa.

Precautions

  • Traffic between multiple KEC instances on the same subnet is restricted by security groups.
  • Traffic between multiple EPC instances on the same subnet is not restricted by security groups.

Comparison between security group features

Security group feature | KEC instance | EPC instance
--- | --- | ---
Outbound traffic | All traffic is allowed by default | All traffic is allowed by default
Inbound traffic (TCP/ICMP) | All traffic is denied by default | All traffic is denied by default
Inbound traffic (IP/UDP) | All traffic is denied by default | All traffic is allowed by default
Configure whitelist (allow traffic) | Yes | Yes
Configure blacklist (deny traffic) | No | No
Instances in the same security group | Can directly communicate with one another | Can directly communicate with one another
Instances in different security groups | Cannot communicate with one another by default | Can communicate with one another by default
Instances on the same subnet but in different security groups | Cannot communicate with one another by default | Can directly communicate with one another
Maximum number of security groups associated with each instance | 5 | 3
Minimum number of security groups associated with each instance | 1 | 1
Stateful security group rules | Supported | Supported
Protocols supported by security groups | IP (all protocols), TCP, UDP, ICMP | IP (all protocols), TCP, UDP, ICMP

Note: For an EPC instance, the security group rules for the IP (all protocols) and UDP protocols allow all outbound traffic by default, and as a result all inbound IP and UDP traffic is also allowed by default. To improve the security of the EPC instance, configure a fixed port in its outbound UDP rule for access to external networks instead of allowing all traffic to the CIDR block 0.0.0.0/0 in an outbound rule.

Example: Instance A is added to Security group 2, which has no inbound rules but has an outbound rule that allows all traffic. Instance B is added to Security group 1, which has rules allowing all inbound and outbound traffic.

The configuration result is as follows:

  • Instance A can ping Instance B. This is because Security group 2 allows outbound traffic from Instance A and security rules are stateful. As a result, although no inbound rule is configured, the inbound response data corresponding to the outbound traffic is still allowed.
  • Instance B cannot ping Instance A.

Security group rules

Security group rules control the inbound and outbound traffic of the associated instances. The rules are matched from top to bottom in the order in which they appear in the security group's rule list.

Each rule of a security group can specify the following parameters:

  • Protocol: such as TCP, UDP, or ICMP.
  • Behavior: the default value is Allow.
  • Port: the range of source and destination ports.
  • Source IP (inbound rule) or destination IP (outbound rule): A single IP address or a range of IP addresses (in CIDR notation).

Common types of security group rules

  • If a security group is configured with an inbound rule that allows all protocols and all ports from any source address (0.0.0.0/0), instances in the security group can be accessed by any address through any port. Note that this configuration carries real security risks. It is recommended that you configure only the security group rules you actually require.

  • If a security group is configured with a specified port and protocol, KEC or EPC instances in the security group can be accessed by any address through the specified port. For example, a Linux instance requires SSH, so you can configure an inbound rule with protocol TCP, port 22, and source 0.0.0.0/0. It is recommended that users without specific source restrictions use this type of rule.

  • If a security group is configured with a specified port, protocol, and source CIDR block, KEC or EPC instances in the security group can only be accessed from the specified CIDR block through the specified port. For example, with an inbound rule of protocol TCP, port 22, and source 120.1.2.3/32, only the address 120.1.2.3 can reach port 22 of the instances. It is recommended that users with specific source restrictions use this type of rule.
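The ping example above (Instance A in Security group 2, Instance B in Security group 1) and the three common rule types in this section can be replayed with the following model. It is an illustration added to this page, not Kingsoft Cloud code, and it does not call any Kingsoft Cloud API. The instance names, group contents and IP addresses other than 120.1.2.3/32 and 0.0.0.0/0 are constructed for the example. The model follows the KEC defaults (all outbound allowed, all inbound denied unless a rule matches); the EPC default that allows inbound IP/UDP traffic is not modelled. Rules are Allow-only, every group attached to an instance is checked in order, and a flow permitted once is tracked so that its reply passes without a matching rule.

```python
# Added illustration of how stateful, allow-only security group rules are evaluated.
# Self-contained model written for this page; not Kingsoft Cloud code and not its API.
# All instance names, group contents and addresses other than 120.1.2.3/32 and
# 0.0.0.0/0 are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One Allow rule. Protocol "ip" matches every protocol, as in the feature table."""
    direction: str            # "in" (cidr = source) or "out" (cidr = destination)
    protocol: str             # "ip", "tcp", "udp" or "icmp"
    cidr: str                 # peer address range in CIDR notation
    port_from: int = 0        # port range; the defaults cover every port (and ICMP)
    port_to: int = 65535

    def matches(self, direction, protocol, peer_ip, port):
        if self.direction != direction:
            return False
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        return self.port_from <= port <= self.port_to


class Instance:
    """An instance with one NIC that may belong to several security groups."""

    def __init__(self, name, ip, groups):
        self.name, self.ip = name, ip
        self.groups = list(groups)            # each group is a list of Rule
        self.conntrack = set()                # flows already permitted (stateful table)

    def permits(self, direction, protocol, peer_ip, port, flow):
        # Stateful behaviour: a flow permitted once passes in both directions.
        if flow in self.conntrack:
            return True
        # Only Allow rules exist, so the union of all groups is checked top to
        # bottom and the first matching rule lets the packet through.
        for group in self.groups:
            for rule in group:
                if rule.matches(direction, protocol, peer_ip, port):
                    self.conntrack.add(flow)
                    return True
        return False


def exchange(src, dst, protocol, port=0):
    """Request from src to dst and the reply back. True if the round trip succeeds."""
    flow = (src.ip, dst.ip, protocol, port)
    # Request: leaves src (outbound rules), enters dst (inbound rules).
    if not src.permits("out", protocol, dst.ip, port, flow):
        return False
    if not dst.permits("in", protocol, src.ip, port, flow):
        return False
    # Reply: leaves dst and enters src. No rule is needed; the conntrack entry passes it.
    return (dst.permits("out", protocol, src.ip, port, flow)
            and src.permits("in", protocol, dst.ip, port, flow))


ALLOW_ALL_OUT = Rule("out", "ip", "0.0.0.0/0")


def scenario():
    """Replays the page's ping example and its three common rule types."""
    results = {}
    sg1 = [Rule("in", "ip", "0.0.0.0/0"), ALLOW_ALL_OUT]   # all in and out allowed
    sg2 = [ALLOW_ALL_OUT]                                    # no inbound rule at all
    a = Instance("A", "10.0.0.10", [sg2])                    # constructed addresses
    b = Instance("B", "10.0.0.20", [sg1])
    results["A_pings_B"] = exchange(a, b, "icmp")   # True: reply passes statefully
    results["B_pings_A"] = exchange(b, a, "icmp")   # False: A has no inbound rule

    # Rule type 2: SSH from anywhere.  Rule type 3: SSH from 120.1.2.3/32 only.
    ssh_any = [Rule("in", "tcp", "0.0.0.0/0", 22, 22), ALLOW_ALL_OUT]
    ssh_admin = [Rule("in", "tcp", "120.1.2.3/32", 22, 22), ALLOW_ALL_OUT]
    web = [Rule("in", "tcp", "0.0.0.0/0", 80, 80), ALLOW_ALL_OUT]
    admin = Instance("admin", "120.1.2.3", [sg1])
    other = Instance("other", "198.51.100.7", [sg1])   # constructed documentation address
    server = Instance("server", "10.0.0.30", [ssh_admin])
    results["admin_ssh"] = exchange(admin, server, "tcp", 22)    # True
    results["other_ssh"] = exchange(other, server, "tcp", 22)    # False: wrong source
    results["other_http"] = exchange(other, server, "tcp", 80)   # False: no rule for 80
    # Multiple groups: attaching the web group opens port 80 because rules are unioned.
    server.groups.append(web)
    results["other_http_with_web"] = exchange(other, server, "tcp", 80)   # True
    open_server = Instance("open", "10.0.0.40", [ssh_any])
    results["other_ssh_open"] = exchange(other, open_server, "tcp", 22)   # True
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

Running the block prints each scenario and its outcome. The two ping results reproduce the page's example: A reaches B only because A's outbound rule creates a tracked flow whose reply is accepted without an inbound rule, while B's request to A is a new flow that A has no rule for. The last three results show why rule type 3 is the safer choice for SSH and how attaching a second group widens what an instance accepts.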
