Updated on 2022-09-01 GMT+08:00

Using IP Address Groups to Reduce the Number of Security Group Rules

Scenarios

Finance and securities enterprises have high security requirements when planning cloud networks, and access to servers is often controlled based on IP addresses. To simplify security group rule configuration while keeping fine-grained access control, you can use IP address groups in the following scenarios:

  • A security group has more than 40 rules.
  • The direction, type, protocol, and port of security group rules are the same except the address.

Constraints

  • An IP address group can contain a maximum of 20 IP addresses or IP address ranges.

Prerequisites

You have created one or more security groups for access control.

Typical Case

For example, suppose you plan to configure the following rules for security group A.

  Direction | Type | Protocol | Port Range | Source/Destination
  ----------|------|----------|------------|------------------------------
  Inbound   | IPv4 | TCP      | 22122      | Source: 11.19.255.64/30
  Inbound   | IPv4 | TCP      | 22122      | Source: 113.31.128.252/30
  Inbound   | IPv4 | TCP      | 22122      | Source: 113.31.138.0/25
  Inbound   | IPv4 | TCP      | 22122      | Source: 183.232.25.208/28

The four inbound rules have the same direction, type, protocol, and port and differ only in their source IP address ranges. In this case, you can put the four source ranges into one IP address group and reconfigure the security group with a single rule that references that group.
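The consolidation described above, generalized to any rule set, as an added example that is not part of the original page or of the cloud provider's tooling. It buckets rules that share direction, type, protocol, and port, proposes one IP address group per bucket (splitting a bucket that exceeds the 20-entry constraint into several groups), and then verifies that the rewritten rule set permits exactly the same address ranges as the original, so that the consolidation neither widens nor narrows access. The rule format, the group naming scheme (ipGroup-A, ipGroup-B, ...), and the sample rule set are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, NamedTuple, Tuple

MAX_GROUP_ENTRIES = 20      # constraint stated on the page: 20 entries per IP address group
RULE_COUNT_THRESHOLD = 40   # scenario threshold stated on the page: more than 40 rules


class Rule(NamedTuple):
    direction: str
    addr_type: str
    protocol: str
    port_range: str
    address: str  # source (inbound) or destination (outbound): a CIDR or an IP group name


# Constructed sample: the four inbound rules of security group A from the page.
SECURITY_GROUP_A: List[Rule] = [
    Rule("Inbound", "IPv4", "TCP", "22122", "11.19.255.64/30"),
    Rule("Inbound", "IPv4", "TCP", "22122", "113.31.128.252/30"),
    Rule("Inbound", "IPv4", "TCP", "22122", "113.31.138.0/25"),
    Rule("Inbound", "IPv4", "TCP", "22122", "183.232.25.208/28"),
]


def rule_key(r: Rule) -> Tuple[str, str, str, str]:
    """Everything that must match for two rules to be merged into one group rule."""
    return (r.direction, r.addr_type, r.protocol, r.port_range)


def group_candidates(rules: List[Rule]) -> Dict[Tuple[str, str, str, str], List[str]]:
    """Return the buckets of rules that differ only in their address (size > 1)."""
    buckets: Dict[Tuple[str, str, str, str], List[str]] = defaultdict(list)
    for r in rules:
        ip_network(r.address, strict=True)  # reject malformed CIDRs or host bits set
        buckets[rule_key(r)].append(r.address)
    return {k: v for k, v in buckets.items() if len(v) > 1}


def needs_consolidation(rules: List[Rule]) -> bool:
    """Either scenario from the page: too many rules, or address-only differences."""
    return len(rules) > RULE_COUNT_THRESHOLD or bool(group_candidates(rules))


def plan_ip_groups(rules: List[Rule], name_prefix: str = "ipGroup") -> Tuple[List[Rule], Dict[str, List[str]]]:
    """Replace each bucket with rule(s) referencing IP address groups.

    A bucket with more than MAX_GROUP_ENTRIES addresses is split into several
    groups, each referenced by its own rule, so the constraint is never violated.
    Rules with a unique key are kept unchanged. Group names are an assumption.
    """
    candidates = group_candidates(rules)
    ip_groups: Dict[str, List[str]] = {}
    new_rules: List[Rule] = []
    replaced = set()
    suffix = ord("A")
    for r in rules:
        key = rule_key(r)
        if key not in candidates:
            new_rules.append(r)          # singleton rule: nothing to consolidate
            continue
        if key in replaced:
            continue                     # this bucket already produced its group rule(s)
        replaced.add(key)
        addrs = candidates[key]
        for start in range(0, len(addrs), MAX_GROUP_ENTRIES):
            name = f"{name_prefix}-{chr(suffix)}"
            suffix += 1
            ip_groups[name] = addrs[start:start + MAX_GROUP_ENTRIES]
            new_rules.append(r._replace(address=name))
    return new_rules, ip_groups


def same_coverage(original: List[Rule], rewritten: List[Rule], ip_groups: Dict[str, List[str]]) -> bool:
    """Check before deleting the old rules: both rule sets must permit exactly
    the same (key, network) pairs, i.e. no access was added or lost."""
    def expand(rules: List[Rule]):
        pairs = set()
        for r in rules:
            for cidr in ip_groups.get(r.address, [r.address]):
                pairs.add((rule_key(r), ip_network(cidr, strict=True)))
        return pairs
    return expand(original) == expand(rewritten)


if __name__ == "__main__":
    new_rules, groups = plan_ip_groups(SECURITY_GROUP_A)
    for name, members in groups.items():
        print(f"IP address group {name}: {', '.join(members)}")
    for r in new_rules:
        print(f"rule: {r.direction} {r.addr_type} {r.protocol} {r.port_range} -> {r.address}")
    print("coverage unchanged:", same_coverage(SECURITY_GROUP_A, new_rules, groups))
```

Running the block on the page's four rules yields one group, ipGroup-A, holding the four ranges, and one rule that references it; the coverage check is the step to run before the old rules are deleted.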

Procedure

Create an IP address group.

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Under Networking, click Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > IP Address Groups.
  5. Click Create IP Address Group.
  6. Set the parameters.
    • Name: ipGroup-A
    • IP Address:

      11.19.255.64/30

      113.31.128.252/30

      113.31.138.0/25

      183.232.25.208/28

      Figure 1 Creating an IP address group
  7. Click OK.

Configure a security group rule.

  1. In the navigation pane on the left, choose Access Control > Security Groups.
  2. Locate security group A and click Manage Rule in the Operation column.
  3. Under Inbound Rules, click Add Rule.
  4. Set the parameters.
    • Protocol & Port: TCP and 22122
    • Type: IPv4
    • Source: ipGroup-A
      Figure 2 Configuring a security group rule
  5. Click OK.

Delete the old security group rules.

  1. After the newly configured security group rule has taken effect, delete the four old security group rules.