Updated on 2024-09-04 GMT+08:00

How Do I Configure a Security Group for a CBH Instance?

Background

A security group is a logical group that provides access control policies for the ECSs and CBH instances in a VPC that trust each other and have the same security protection requirements.

To ensure CBH instance security and reliability, configure security group rules to allow specific IP addresses and ports to access the resources.

  • A CBH instance and its managed resources can share the same security group and use their own security group rules.
  • The default security group Sys-default is created for each user. You can select Sys-default and add security group rules as needed. Alternatively, you can create another security group and add security group rules to meet your business needs.
  • After a CBH instance is created, its security groups can be modified. You can configure up to five security group rules for it. For details, see Changing Security Groups.
  • For CBH to access resources it manages, configure the security group rules for resources such as ECSs and RDS DB instances to enable the necessary gateway IP address and port and allow the private IP address of CBH. For details, see ECS Security Group Configuration.
  • Make sure the CBH instance is running properly. For details about how to configure the instance and resource security group ports, see How Can I Configure Ports for a Bastion Host?

Configuring a Security Group for a CBH Instance

  1. Log in to the management console and switch to the CBH console.
  2. Click Purchase CBH Instance to go to the Purchase CBH Instance page.
  3. Click Manage Security Groups on the right of Security Group. On the displayed page, create a security group and add security group rules.

    You can also select a security group from the Security Group drop-down list.

  4. On the displayed page, click Create Security Group and create a security group. For details, see Creating a Security Group.
  5. After the security group is created, on the displayed Security Groups page, locate the row where the created security group resides and click Manage Rule in the Operation column. For details, see Adding a Security Group Rule.
  6. On the displayed page, select the Inbound Rules tab, and then click Add Rule. Similarly, you can add outbound rules.

    Configure security rules based on the networking scenario of CBH. For details, see Table 1.

  7. After the security group rules are configured, return to the Purchase CBH Instance page, select a security group, and specify other required parameters.

Faults Caused by Improper Security Group Configurations

Improper security group configurations can lead to the following faults:

  1. Instance license authentication failure
    • The instance fails to be created, and a message is displayed indicating that the license fails to be activated. The possible cause is that the outbound TCP port 9443 is not configured. As a result, the network is disconnected and the license authentication cannot be obtained.
    • When a user logs in to a CBH instance, the system displays a message indicating that the license has expired. This is because the outbound TCP port 9443 is not configured. As a result, the network is disconnected and the license authentication cannot be obtained.
  2. CBH system login failure
    • The CBH login page fails to be loaded, and a message is displayed indicating that the server response time is too long. The possible cause is that the inbound TCP port 443 is not enabled.
    • The CBH system page cannot be displayed properly. The possible cause is that the inbound TCP port 443 is not enabled. As a result, the CBH system cannot be logged in to through a web browser.
  3. Host verification failure
    • The system displays a message indicating that the host is unreachable when a host resource is added to the CBH system. The possible cause is that the inbound TCP port 3389 is not enabled. As a result, the host cannot be remotely connected.
    • The system displays a message indicating that the host is unreachable during the account and password verification. The possible cause is that the inbound Internet Control Message Protocol (ICMP) is not configured. As a result, the host cannot be pinged from the external network.
  4. Errors in accessing resources from CBH
    • A connection failure occurs during login. The possible cause is that the inbound TCP port 3389 is not configured. As a result, the host cannot be remotely connected.
    • A black screen is displayed during host login. The possible cause is that the inbound TCP port 3389 is not configured. As a result, the host cannot be remotely connected.
    • If error T_514 is reported while a CBH instance is running, TCP port 2222 may not be enabled in the inbound rules. Error T_514 indicates that the connection was dropped because the server did not respond for a long time; the system asks you to check your network connection and try again.
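The following is an added example, not code from the CBH documentation: it checks a security group's rule set against the inbound and outbound ports this page says a CBH instance depends on (TCP 443, 3389, 2222 and ICMP inbound; TCP 9443 outbound) and reports, for each missing rule, the fault described above. The Rule class and the sample rule set are constructed for illustration.

```python
# Added example: map a security group's rules to the CBH faults this page
# describes. Rule and SAMPLE_GROUP are constructed, not a real API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_range: tuple  # (low, high); ignored for icmp and all


# Required rules and the fault this page attributes to each missing one.
REQUIRED = [
    ("outbound", "tcp", 9443, "license activation/authentication fails (TCP 9443)"),
    ("inbound", "tcp", 443, "web login page does not load (TCP 443)"),
    ("inbound", "tcp", 3389, "host unreachable / black screen on login (TCP 3389)"),
    ("inbound", "icmp", None, "host cannot be pinged during verification (ICMP)"),
    ("inbound", "tcp", 2222, "error T_514, server does not respond (TCP 2222)"),
]


def rule_covers(rule, direction, protocol, port):
    """True if a single rule allows the given direction/protocol/port."""
    if rule.direction != direction:
        return False
    if rule.protocol == "all":
        return True
    if rule.protocol != protocol:
        return False
    if protocol == "icmp":
        return True
    low, high = rule.port_range
    return low <= port <= high


def missing_rules(rules):
    """Return the fault description for every required rule not covered."""
    return [fault for direction, protocol, port, fault in REQUIRED
            if not any(rule_covers(r, direction, protocol, port) for r in rules)]


# Constructed sample: HTTPS allowed in and everything allowed out, but the
# inbound rules for 3389, ICMP and 2222 were forgotten.
SAMPLE_GROUP = [
    Rule("inbound", "tcp", (443, 443)),
    Rule("outbound", "all", (1, 65535)),
]

if __name__ == "__main__":
    for fault in missing_rules(SAMPLE_GROUP):
        print("missing rule ->", fault)
```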