Help Center/ Scalable File Service/ FAQs/ Networks/ Does the Security Group of a VPC Affect the Use of SFS?
Updated on 2024-11-15 GMT+08:00

Does the Security Group of a VPC Affect the Use of SFS?

A security group is a collection of access control rules for cloud servers that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the cloud servers that are added to this security group. The default security group rule allows all outgoing data packets. Cloud servers in a security group can access each other without the need to add rules. The system creates a security group for each cloud account by default. Users can also create custom security groups by themselves.

For an SFS Turbo file system, the system automatically enables the security group ports required by the NFS protocol after the file system is created. This ensures that the SFS Turbo file system can be successfully mounted to your servers. The inbound ports required by the NFS protocol are ports 111, 2049, 2051, 2052, and 20048. If you need to change the enabled ports, go to the VPC console, choose Access Control > Security Groups, locate the target security group, and change the ports. You are advised to use an independent security group for an SFS Turbo file system to isolate it from service nodes.

For a general purpose file system, you need to manually add the inbound and outbound rules for the security group. For details, see section "Adding a Security Group Rule" in the Virtual Private Cloud User Guide. The inbound ports required by the NFS protocol are ports 111, 2049, and 2050.

For an SFS Capacity-Oriented file system, you need to manually add inbound and outbound rules for the security group. For details, see Adding a Security Group Rule. For an SFS Capacity-Oriented file system, the inbound ports required by the NFS protocol are ports 111, 2049, 2050, 2051, and 2052. The inbound port required by the DNS server is port 53 and those required by the CIFS protocol are ports 445 and 135.

Example Configuration

  • Inbound rule

    Direction

    Protocol

    Port Range

    Source IP Address

    Description

    Inbound

    TCP and UDP

    111

    IP Address

    0.0.0.0/0 (All IP addresses are allowed. It can be modified.)

    One port corresponds to one access rule. You need to add information to the ports one by one.

  • Outbound rule

    Direction

    Protocol

    Port Range

    Source IP Address

    Description

    Outbound

    TCP and UDP

    111

    IP Address

    0.0.0.0/0 (All IP addresses are allowed. It can be modified.)

    One port corresponds to one access rule. You need to add information to the ports one by one.

    Enter an IP address range using a mask. For example, enter 192.168.1.0/24, and do not enter 192.168.1.0-192.168.1.255. If the source IP address is 0.0.0.0/0, all IP addresses are allowed. For more information, see Security Groups and Security Group Rules.

    The bidirectional access rule must be configured for port 111. The inbound rule can be set to the front-end service IP range of SFS. You can obtain it by running the following command: ping File system domain name or IP address or dig File system domain name or IP address.

    For ports 2049, 2050, 2051, and 2052, only the outbound rule needs to be added, which is the same as the outbound rule of port 111.

    If the NFS protocol is used, add inbound rules for the following ports: 111 (TCP and UDP), 2049 (TCP), 2051 (TCP), 2052 (TCP), 20048 (UDP and TCP). If UDP is not enabled on port 20048, mounting the file system may take a long time. You can use the -o tcp option in the mount command to avoid this issue.