Does the Security Group of a VPC Affect the Use of SFS Turbo?
A security group is a collection of access control rules for cloud servers that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the cloud servers that are added to this security group. The default security group rule allows all outgoing data packets. Cloud servers in a security group can access each other without the need to add rules. The system creates a security group for each cloud account by default. You can also create custom security groups by yourself.
For an SFS Turbo file system, the system automatically enables the security group ports required by NFS after the file system is created. This ensures that the SFS Turbo file system can be successfully mounted to your servers. The inbound ports required by NFS are ports 111, 2049, 2051, 2052, and 20048. If you need to change the enabled ports, go to the VPC console, choose Access Control > Security Groups, locate the target security group, and change the ports. You are advised to use an independent security group for an SFS Turbo file system to isolate it from service nodes.
Example Configuration
- Inbound rule
Direction
Protocol
Port Range
Source IP Address
Description
Inbound
TCP and UDP
111
IP Address
0.0.0.0/0 (All IP addresses are allowed. It can be modified.)
One port corresponds to one access rule. You need to add rules for the ports one by one.
- Outbound rule
Direction
Protocol
Port Range
Source IP Address
Description
Outbound
TCP and UDP
111
IP Address
0.0.0.0/0 (All IP addresses are allowed. It can be modified.)
One port corresponds to one access rule. You need to add rules for the ports one by one.
Enter an IP address range using a mask. For example, enter 192.168.1.0/24, and do not enter 192.168.1.0-192.168.1.255. If the source IP address is 0.0.0.0/0, all IP addresses are allowed. For more information, see Security Groups and Security Group Rules.
A bidirectional access rule must be configured for port 111. You can configure the frontend service IP address range of SFS Turbo as the inbound rule. Run ping File system domain name or IP address or dig File system domain name or IP address to obtain the IP address range.
For ports 2049, 2051, 2052, and 20048, outbound rules need to be added, which are the same as the outbound rule of port 111.
If NFS is used, add inbound rules for the following ports: 111 (TCP and UDP), 2049 (TCP and UDP), 2051 (TCP), 2052 (TCP), 20048 (UDP and TCP). If UDP is not enabled on port 2049 and 20048, mounting the file system may take a long time. You can use the -o tcp option in the mount command to avoid this issue.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.