Help Center/ Scalable File Service Turbo/ FAQs/ Networks/ Does the Security Group of a VPC Affect the Use of SFS Turbo?

Updated on 2024-11-05 GMT+08:00

View PDF

Does the Security Group of a VPC Affect the Use of SFS Turbo?

A security group is a collection of access control rules for cloud servers that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the cloud servers that are added to this security group. The default security group rule allows all outgoing data packets. Cloud servers in a security group can access each other without the need to add rules. The system creates a security group for each cloud account by default. You can also create custom security groups by yourself.

For an SFS Turbo file system, the system automatically enables the security group ports required by NFS after the file system is created. This ensures that the SFS Turbo file system can be successfully mounted to your servers. The inbound ports required by NFS are ports 111, 2049, 2051, 2052, and 20048. If you need to change the enabled ports, go to the VPC console, choose Access Control > Security Groups, locate the target security group, and change the ports. You are advised to use an independent security group for an SFS Turbo file system to isolate it from service nodes.

Example Configuration

Inbound rule

Direction	Protocol	Port Range	Source IP Address		Description
Inbound	TCP and UDP	111	IP Address	0.0.0.0/0 (All IP addresses are allowed. It can be modified.)	One port corresponds to one access rule. You need to add rules for the ports one by one.

Outbound rule

Direction	Protocol	Port Range	Source IP Address		Description
Outbound	TCP and UDP	111	IP Address	0.0.0.0/0 (All IP addresses are allowed. It can be modified.)	One port corresponds to one access rule. You need to add rules for the ports one by one.

Enter an IP address range using a mask. For example, enter 192.168.1.0/24, and do not enter 192.168.1.0-192.168.1.255. If the source IP address is 0.0.0.0/0, all IP addresses are allowed. For more information, see Security Groups and Security Group Rules.

A bidirectional access rule must be configured for port 111. You can configure the frontend service IP address range of SFS Turbo as the inbound rule. Run ping File system domain name or IP address or dig File system domain name or IP address to obtain the IP address range.

For ports 2049, 2051, 2052, and 20048, outbound rules need to be added, which are the same as the outbound rule of port 111.

If NFS is used, add inbound rules for the following ports: 111 (TCP and UDP), 2049 (TCP and UDP), 2051 (TCP), 2052 (TCP), 20048 (UDP and TCP). If UDP is not enabled on port 2049 and 20048, mounting the file system may take a long time. You can use the -o tcp option in the mount command to avoid this issue.

Parent topic: Networks

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot