Help Center/ Huawei Cloud Flexus/ User Guide/ FlexusX/ Managing Security Groups/ Configuring Security Group Rules
Updated on 2024-07-16 GMT+08:00
View PDF
Share

Configuring Security Group Rules

Scenarios

Similar to firewall, a security group is used to control network access. You can define access rules for a security group to protect the FlexusX instances in the group.

  • Inbound rules allow or deny incoming network traffic to FlexusX instances in the security group.
  • Outbound rules allow or deny outgoing network traffic from FlexusX instances in the security group.

Procedure

  1. Log in to the FlexusX console, in the upper left corner, click , and select a region and project.
  2. On the FlexusX Instances page, locate the target FlexusX instance and click its name.

    The details page of this instance is displayed.

  3. On the detailed page, click the Security Groups tab and view security group rules.
  4. Click Manage Rule.

    The page for configuring security group rules is displayed.

  5. On the Inbound Rules tab, click Add Rule.

    The Add Inbound Rule dialog box is displayed.

  6. Configure required parameters.

    You can click + to add more inbound rules. For details about the parameters, see Adding a Security Group Rule.

    Figure 1 Adding an inbound rule
  7. On the Outbound Rules tab, click Add Rule.

    The Add Outbound Rule dialog box is displayed.

  8. Configure required parameters.

    You can click + to add more outbound rules. For details about the parameters, see Adding a Security Group Rule.

  9. Click OK.

Verifying Security Group Rules

After adding inbound and outbound rules, you can verify whether the rules have been applied. Assume that you have deployed a website on a FlexusX instance. To enable users to access your website through HTTP (80), you need to add an inbound rule to the security group of the FlexusX instance to allow access over this port. Table 1 shows the rule details.

Table 1 The security group rule

Direction

Protocol/Application

Port

Source

Inbound

TCP

80

0.0.0.0/0

Linux

If the instance runs Linux, perform the following operations to verify whether the security group rule has been applied:

  1. Log in to the FlexusX instance.
  2. Check whether TCP port 80 is listened on:

    netstat -an | grep 80

    If command output shown in Figure 2 is displayed, TCP port 80 is listened on.

    Figure 2 Command output for the Linux FlexusX instance
  3. Enter http://EIP bound to the FlexusX instance in the address box of the browser and press Enter.

    If the requested page can be accessed, the security group rule has taken effect.

Impacts of Deleting Common Security Group Rules

On the Inbound Rules and Outbound Rules tabs, you can also modify, replicate, or delete existing rules.

Deleting security group rules will disable some functions.

  • If you delete a rule with Protocol & Port specified as TCP: 20-21, you will not be able to upload files to or download files from servers using FTP.
  • If you delete a rule with Protocol & Port specified as ICMP: All, you will not be able to ping the servers.
  • If you delete a rule with Protocol & Port specified as TCP: 443, you will not be able to connect to websites on the servers using HTTPS.
  • If you delete a rule with Protocol & Port specified as TCP: 80, you will not be able to connect to websites on servers using HTTP.
  • If you delete a rule with Protocol & Port specified as TCP: 22, you will not be able to remotely connect to Linux server using SSH.
  • If you delete a rule with Protocol & Port specified as TCP: 3389, you will not be able to remotely connect to Windows server using RDP.
Parent Topic: Managing Security Groups