All Documents
Current Document
Content is empty
If you don't find the content you expect, please try another search term
Found 0 result in total
Content is empty
If you don't find the content you expect, please try another search term
Last updated:2021-08-04 11:26:16
Security groups are an important means of network security and isolation provided by Kingsoft Cloud. As stateful virtual firewalls for servers, security groups are used to configure the control over network access of KEC instances, EPC instances, GPU products, and cloud database products.
As a logical group, a security group can include instances that have the same requirements for network security and isolation and are in the same region. For enhanced security, it can work with security group policies to filter inbound and outbound traffic of the instances.
| Security group feature | KEC instance | EPC instance |
|---|---|---|
| Outbound traffic | All traffic is allowed by default | All traffic is allowed by default |
| Inbound traffic (TCP/ICMP) | All traffic is denied by default | All traffic is denied by default |
| Inbound traffic (IP/UDP) | All traffic is denied by default | All traffic is allowed by default |
| Configure whitelist (allow traffic) | Yes | Yes |
| Configure blacklist (deny traffic) | No | No |
| Instances in the same security group | Can directly communicate with one another | Can directly communicate with one another |
| Instances in different security groups | Cannot communicate with one another by default | Can communicate with one another by default |
| Instances on the same subnet but in different security groups | Cannot communicate with one another by default | Can directly communicate with one another |
| Number of security groups associated with each instance | 5 | 3 |
| Minimum number of security groups associated with each instance | 1 | 1 |
| Stateful security group rules | Supported | Supported |
| Protocols supported by security groups | IP (all protocols), TCP, UDP, ICMP | IP (all protocols), TCP, UDP, ICMP |
Note: If the security group rules of an EPC instance handling the IP and UDP protocols allow all outbound traffic by default, all inbound traffic is also allowed by default. To improve security of the EPC instance, it is recommended that you configure a fixed port for its security group to access external networks over UDP instead of configuring the CIDR block 0.0.0.0/0 in an outbound rule.
Example: Instance A is added to Security group 2 that does not have inbound rules but have an outbound rule that allows all traffic. Instance B is added to Security group 1 that has rules allowing all inbound and outbound traffic.
The configuration result is as follows:
- Instance A can ping Instance B. This is because Security group 2 allows outbound traffic from Instance A and security rules are stateful. As a result, although no inbound rule is configured, the inbound response data corresponding to the outbound traffic is still allowed.
- Instance B cannot ping Instance A.
Security group rules control the inbound and outbound traffic of the associated instances. The rules are matched from up to down based on the sequence they are in the security group list.
Each rule of a security group can specify the following parameters:
If a security group is configured with the following inbound rule, instances in the security group can be accessed by any address through any port. Note that this configuration has certain security risks. It is recommended that you configure your security group rules as required.
If a security group is configured with a specified port and protocol, KEC or EPC instances in the security group can be accessed by any address through the specified port. For example: A Linux instance requires SSH, so you can configure TCP, port 22, and 0.0.0.0/0. It is recommended that users that do not have specific requirements use this type of rules.
If a security group is configured with a specified port, protocol, and source CIDR block, KEC or EPC instances in the security group can only be accessed by the specified CIDR block through the specified port. In the following example, only the CIDR block 120.1.2.3/32 can access port 22 of the instances. It is recommended that users that have specific requirements use this type of rules.
Pure Mode
