Updated on 2022-03-04 GMT+08:00

O&M Border

The management zone does not need to communicate with the public network. Therefore, you only need to configure ACL rules between the management zone and IDCs.

Security Policies

As shown in Figure 2, network ACL NACL-PRD-MGMT is associated with the subnet for the management zone in the production environment. Configure inbound rules of network ACL NACL-PRD-MGMT to control access from IDCs to the production environment, allowing access to management ports (such as ports 22 and 3389) in the management zone.

IP addresses and ports in this section are only used as examples. If there are other management ports, you can add ACL rules as required.

Table 1 Inbound rules of network ACL NACL-PRD-MGMT

| Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| For the administrator | A subnet (subnet a) in an IDC | TCP | 22 | Allow | Allows the administrator of a subnet (subnet a) in an IDC to access VMs in the management zone in the production environment. |
| For the administrator | A subnet (subnet a) in an IDC | TCP | 3389 | Allow | Allows the administrator of a subnet (subnet a) in an IDC to access VMs in the management zone in the production environment. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all inbound traffic that is not matched by the preceding rules. |

Table 2 Outbound rules of network ACL NACL-PRD-MGMT

| Rule | Destination IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| 1 | 0.0.0.0/0 | Any | Any | Allow | Allows all outbound traffic from the management zone. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all outbound traffic that is not matched by the preceding rules. |
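The rules in Table 1 and Table 2 are evaluated in order, and the first matching rule decides whether a packet is allowed or denied, with the final "*" rule denying everything not matched earlier. The following Python script is an added example written for this page, not Huawei Cloud code or a Huawei Cloud API: it models that first-match, default-deny evaluation for the NACL-PRD-MGMT rule set, and adds a small review check that flags any Allow rule which would open a management port to 0.0.0.0/0. The IDC address range used for "subnet a" (10.10.0.0/24) and the "(SSH)"/"(RDP)" suffixes on the rule names are constructed placeholders; the page gives neither.

```python
"""Model first-match, default-deny evaluation of the NACL-PRD-MGMT rules.

Added example, not Huawei Cloud code. The rule lists below mirror Table 1
(inbound) and Table 2 (outbound). The CIDR for "subnet a" is a constructed
placeholder; replace it with the real IDC management subnet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = "Any"

# Constructed placeholder for "a subnet (subnet a) in an IDC".
IDC_SUBNET_A = "10.10.0.0/24"


@dataclass(frozen=True)
class AclRule:
    """One network ACL rule as laid out in Table 1 / Table 2."""
    name: str
    cidr: str                 # source CIDR (inbound) or destination CIDR (outbound)
    protocol: str             # "TCP", "UDP", "ICMP" or "Any"
    port: Union[int, str]     # destination port, or "Any"
    action: str               # "Allow" or "Deny"

    def matches(self, addr: str, protocol: str, port: Optional[int]) -> bool:
        """True if this rule applies to the given address, protocol and port."""
        if ip_address(addr) not in ip_network(self.cidr):
            return False
        if self.protocol != ANY and self.protocol.upper() != protocol.upper():
            return False
        if self.port != ANY and self.port != port:
            return False
        return True


# Table 1: inbound rules. The "(SSH)"/"(RDP)" suffixes are added here only to
# tell the two "For the administrator" rows apart.
INBOUND_RULES: List[AclRule] = [
    AclRule("For the administrator (SSH)", IDC_SUBNET_A, "TCP", 22, "Allow"),
    AclRule("For the administrator (RDP)", IDC_SUBNET_A, "TCP", 3389, "Allow"),
    AclRule("*", "0.0.0.0/0", ANY, ANY, "Deny"),
]

# Table 2: outbound rules.
OUTBOUND_RULES: List[AclRule] = [
    AclRule("1", "0.0.0.0/0", ANY, ANY, "Allow"),
    AclRule("*", "0.0.0.0/0", ANY, ANY, "Deny"),
]


def evaluate(rules: List[AclRule], addr: str, protocol: str,
             port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; deny if none match."""
    for rule in rules:
        if rule.matches(addr, protocol, port):
            return rule.action, rule.name
    return "Deny", "implicit"


def inbound(src: str, protocol: str, port: Optional[int] = None) -> Tuple[str, str]:
    """Evaluate a packet from an IDC source address against Table 1."""
    return evaluate(INBOUND_RULES, src, protocol, port)


def outbound(dst: str, protocol: str, port: Optional[int] = None) -> Tuple[str, str]:
    """Evaluate a packet leaving the management zone against Table 2."""
    return evaluate(OUTBOUND_RULES, dst, protocol, port)


def broad_management_allows(rules: List[AclRule],
                            mgmt_ports: Tuple[int, ...] = (22, 3389)) -> List[str]:
    """Review check: names of Allow rules exposing a management port to 0.0.0.0/0.

    The Table 1 design passes this check because the management ports are
    opened only to subnet a, never to an unrestricted source.
    """
    findings = []
    for rule in rules:
        if rule.action != "Allow":
            continue
        unrestricted = ip_network(rule.cidr).prefixlen == 0
        touches_mgmt = rule.port == ANY or rule.port in mgmt_ports
        if unrestricted and touches_mgmt:
            findings.append(rule.name)
    return findings


if __name__ == "__main__":
    print(inbound("10.10.0.25", "TCP", 22))      # allowed by the SSH rule
    print(inbound("10.10.0.25", "TCP", 443))     # denied by "*"
    print(inbound("203.0.113.7", "TCP", 3389))   # denied: not from subnet a
    print(outbound("203.0.113.7", "TCP", 443))   # allowed by rule 1
    print(broad_management_allows(INBOUND_RULES))
```

Running the script shows that a packet to port 22 or 3389 from an address inside subnet a is allowed by the corresponding administrator rule, while the same ports from any other source, or any other port from subnet a, fall through to the "*" deny rule; the review check returns an empty list for the Table 1 rules and would name any rule that opened a management port to 0.0.0.0/0.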

Security Services

In line with enterprise security practice, bastion hosts are used so that O&M and operations personnel do not handle system usernames and passwords directly; the credentials for all system components are stored in the bastion host system. The rights of O&M operations performed through bastion hosts are controlled, and high-risk operations are restricted. The whole O&M process is recorded and audited so that each event is monitorable and traceable. Bastion hosts are deployed as ECSs in the subnet for the management zone.