Help Center> Scalable File Service> FAQs> Networks> Does the Security Group of a VPC Affect SFS?

Updated on 2023-07-26 GMT+08:00

View PDF

Does the Security Group of a VPC Affect SFS?

A security group is a collection of access control rules for servers that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the servers that are added to this security group. The default security group rule allows all outgoing data packets. Servers in a security group can access each other without the need to add rules. The system creates a security group for each cloud account by default. Users can also create custom security groups by themselves.

After an SFS Turbo file system is created, the system automatically enables the security group port required by the NFS protocol. This ensures that the SFS Turbo file system can be accessed by your servers and prevents file system mounting failures. The inbound ports required by the NFS protocol are ports 111, 445, 2049, 2051, 2052, and 20048. If you need to change the enabled ports, choose Access Control > Security Groups of the VPC console and locate the target security group.

You are advised to use an independent security group for an SFS Turbo file system to isolate it from service nodes.

You need to add inbound and outbound rules for the security group of an SFS Capacity-Oriented file system. For details, see Adding a Security Group Rule. In an SFS Capacity-Oriented file system, the inbound ports required by the NFS protocol are ports 111, 2049, 2051, and 2052. The inbound port required by the DNS server is port 53 and that required by the CIFS protocol is port 445.

Example Value

Inbound rule

Direction	Protocol	Port Range	Source IP Address		Description
Inbound	TCP and UDP	111	IP Address	0.0.0.0/0 (configurable)	One port corresponds to one access rule. You need to add information to the ports one by one.

Outbound rule

Direction	Protocol	Port Range	Source IP Address		Description
Outbound	TCP and UDP	111	IP Address	0.0.0.0/0 (configurable)	One port corresponds to one access rule. You need to add information to the ports one by one.

The bidirectional access rule must be configured for port 111. The inbound rule can be set to the front-end service IP range of SFS. You can obtain it by running the following command: ping File system domain name or IP address or dig File system domain name or IP address.

For ports 2049, 2050, 2051, and 2052, only the outbound rule needs to be added, which is the same as the outbound rule of port 111.

For the NFS protocol, add an inbound rule to open the TCP&UDP port 111, TCP ports 2049, 2051, and 2052, and UDP&TCP port 20048. For the SMB protocol, add an inbound rule to open TCP port 445.

For the NFS protocol with UDP port 20048 not opened, the time required for mounting may become longer. In this case, you can use the -o tcp option in mount to avoid this issue.

Parent topic: Networks

Networks FAQs

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot

more