What Are the Security Group Authorization Rules for Cloud Phones Using Custom Networks?
If you set Network to Custom when you create a cloud phone server, a cph_admin_trust agency will be created for you. This agency has the VPC FullAccess permission.
To authorize the Cloud Phone service to create an agency for you, ensure that your login user has the Security Administrator permission or the fine-grained permission iam:agencies:createAgency for creating agencies. For more information, see Permission Management.
The Cloud Phone service will use the agency to perform the following operations:
- Create an elastic NIC, EIP, and virtual IP address for a general-purpose or gaming cloud phone.
- Create a security group named system-cph-sg for a cloud phone and gaming phone server, and set the port or port range based on Figure 1 and Figure 2.
- Port 22 is used for connections from the Internet to the cloud phone using ADB and through the SSH encrypted tunnel.
- Ports 10000 to 19000 are mapped to the available application ports of each general-purpose or gaming cloud phone. You can view the available application ports on each cloud phone in the cloud phone details.
- The rule named CPH deny rule for tenant vpc restricts the cloud phones virtualized from the servers in the same VPC so that the phones cannot access each other through ports 1 to 9999.
By default, if an ECS and cloud phone are in the same VPC, the ECS cannot access the cloud phone through ports 1 to 9999. If you want to allow such access, add a security group rule with a higher priority. For example, if the IP address of an ECS is 192.168.0.164 and you want to access a cloud phone through port 4555, add the following inbound rule:
- Priority: Set it to 1.
- Action: Select Allow.
- Protocol & Port: Set the port to 4555.
- Source: Enter 192.168.0.164.
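The following added example (not part of the Cloud Phone service or its documentation) models how the priority 1 allow rule above overrides the deny rule for one host and one port only, and checks that such an exception stays narrow. The VPC CIDR, the priorities of the service-created rules, their sources, and first-match evaluation in ascending priority order are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # smaller value is evaluated first (assumed evaluation order)
    action: str     # "allow" or "deny"
    ports: range    # inclusive port range stored as range(low, high + 1)
    source: str     # source CIDR

# Constructed model of the system-cph-sg inbound rules. The VPC CIDR, the
# priorities 50/100 and the 0.0.0.0/0 sources are assumptions, not page values.
VPC_CIDR = "192.168.0.0/16"
BASE_RULES = [
    Rule(50, "deny", range(1, 10000), VPC_CIDR),           # CPH deny rule for tenant vpc
    Rule(100, "allow", range(22, 23), "0.0.0.0/0"),        # ADB through the SSH tunnel
    Rule(100, "allow", range(10000, 19001), "0.0.0.0/0"),  # application ports
]
# The exception described on this page: ECS 192.168.0.164 to port 4555, priority 1.
ECS_ALLOW = Rule(1, "allow", range(4555, 4556), "192.168.0.164/32")

def evaluate(rules, src_ip, port):
    """Return the action of the first matching rule; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if port in rule.ports and ip in ipaddress.ip_network(rule.source):
            return rule.action
    return "deny"

def audit_exception(rule, deny):
    """List the ways an allow rule opens more than one host and one port."""
    findings = []
    if ipaddress.ip_network(rule.source).num_addresses > 1:
        findings.append("source is wider than a single host")
    if len(rule.ports) > 1:
        findings.append("more than one port opened")
    if rule.priority >= deny.priority:
        findings.append("priority does not override the deny rule")
    return findings

if __name__ == "__main__":
    rules = BASE_RULES + [ECS_ALLOW]
    for src, port in [("192.168.0.164", 4555), ("192.168.0.165", 4555),
                      ("192.168.0.164", 4556), ("203.0.113.10", 22)]:
        print(src, port, evaluate(rules, src, port))
    print("audit:", audit_exception(ECS_ALLOW, BASE_RULES[0]) or "ok")
```
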

