Access Control of Back-end CVMs

Last updated: 2020-02-26 17:31:08


Brief introduction of CVM Security Group

Security groups act as a virtual firewall for the backend Cloud Virtual Machine (CVM) instances of a Cloud Load Balancer (CLB).
You can associate one or more security groups with a backend CVM instance and add one or more rules to each security group to control which traffic may reach, or leave, the instance. You can modify the rules of a security group at any time, and the new rules are automatically applied to all instances associated with that security group. For more information, see the Security Group Operation Guide. In a Virtual Private Cloud (VPC) environment, you can additionally use a Network ACL to control access at the subnet level.

CVM Security Group configuration description

The client IPs and the service port must be allowed in the CVM security group.
If you want CLB to forward business traffic to a CVM instance, configure the CVM security group as follows so that health checks work:

  1. Public network CLB: allow the CLB VIP in the backend CVM security group, so that CLB can use the VIP to probe the health status of the backend CVM instance.
  2. Private network CLB:
  • For a private network CLB whose instance is in a VPC, the CLB VIP must be allowed in the backend CVM security group for health checks. If the CLB instance is in the basic network, no additional configuration is needed, because the health check IP is allowed by default.
  • For a private network classic CLB that was created before December 5, 2016 and is in a VPC, the CLB VIP must be allowed in the backend CVM security group for health checks; otherwise, no configuration is required.

Example of CVM security group configuration

The following examples show how to configure the CVM security group when CVM instances are accessed through CLB. If you also configure security groups on the CLB instance itself, see Configure CLB Security Groups for the rules on the CLB side.

  • Application scenario 1:
    If a public network CLB has a TCP:80 listener with backend server port 8080, and only two client IPs (ClientA IP and ClientB IP) may access the load balancer, configure the inbound rules of the backend server security group as follows. The rule for the CLB VIP is required so that health checks still reach the backend:
ClientA IP + 8080 allow
ClientB IP + 8080 allow
CLB VIP    + 8080 allow
0.0.0.0/0  + 8080 drop
  • Application scenario 2:
    If a public network CLB has an HTTP:80 listener with backend server port 8080, and all client IPs may access the load balancer, configure the inbound rules of the backend server security group as follows (the catch-all rule also covers the CLB VIP used for health checks):
0.0.0.0/0 + 8080 allow
  • Application scenario 3:
    Private network CLB (formerly "application-based private network CLB") whose network type is VPC. The CLB VIP must be allowed in the CVM security group for health checks. The CLB has a TCP:80 listener and the backend service port is 8080. You want only the client IPs (ClientA IP and ClientB IP) to access the load balancer, and you want those clients to reach only the backend hosts bound to this CLB.
    a. Inbound rules of the real server security group:
ClientA IP + 8080 allow
ClientB IP + 8080 allow
CLB VIP    + 8080 allow
0.0.0.0/0  + 8080 drop

b. Outbound rules of the security group on the servers acting as clients:

CLB VIP    + 8080 allow
0.0.0.0/0  + 8080 drop
  • Application scenario 4:
    Classic private network CLB (a VPC CLB purchased after December 5, 2016). The CVM security group only needs to allow the client IPs; the CLB VIP does not need to be allowed, because the health check IP is allowed by default. The CLB has a TCP:80 listener and the backend service port is 8080. You want only the client IPs (ClientA IP and ClientB IP) to access the load balancer, and you want those clients to reach only the backend hosts bound to this CLB.
    a. Inbound rules of the real server security group:
ClientA IP + 8080 allow
ClientB IP + 8080 allow
0.0.0.0/0  + 8080 drop

b. Outbound rules of the security group on the servers acting as clients:

CLB VIP    + 8080 allow
0.0.0.0/0  + 8080 drop
  • Application scenario 5: Blacklist
    If you need to deny access requests from certain client IPs, configure the security group associated with the CVM instances as follows:
  • Add a rule for each client IP and port whose access requests are to be rejected, and select the reject option in the "Policy" column.
  • After that, add another rule that allows access to the port from all IPs (0.0.0.0/0).
    When the configuration is completed, the security group rules look like this:
clientA IP + port drop
clientB IP + port drop
0.0.0.0/0  + port accept
  • The steps above must be performed in this order. Security group rules are matched from top to bottom and the first matching rule takes effect, so if the allow-all rule were placed above the deny rules, the deny rules would never be reached and the blacklist would not take effect.
  • Security groups are stateful. The configuration above therefore only needs inbound rules; no special outbound rules are required.
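The scenarios above are written in the page's "source + port action" notation, and their correctness depends on first-match evaluation order (the point scenario 5 warns about). The following is an added example, not code from Tencent Cloud or from this document: it evaluates rule lists in that notation with top-down first-match semantics, flags deny rules that are shadowed by an earlier broader allow rule, and renders a rule list as the `SecurityGroupPolicySet.Ingress` body used by the VPC API `CreateSecurityGroupPolicies`. The client and VIP addresses are constructed for the example, the implicit deny for unmatched traffic and the API field names (`Protocol`, `Port`, `CidrBlock`, `Action`) are assumptions to verify against the current VPC API reference.

```python
import ipaddress
import json

# Constructed sample addresses (documentation ranges), not real deployment values.
CLIENT_A = "203.0.113.10"
CLIENT_B = "203.0.113.20"
CLB_VIP = "198.51.100.5"

# Scenario 1: only ClientA/ClientB may reach port 8080; the CLB VIP rule keeps
# health checks working; the catch-all drop closes the port to everyone else.
SCENARIO_1_INBOUND = [
    (CLIENT_A, 8080, "allow"),
    (CLIENT_B, 8080, "allow"),
    (CLB_VIP, 8080, "allow"),
    ("0.0.0.0/0", 8080, "drop"),
]

# Scenario 5 (blacklist) in the order the page prescribes: denies first.
BLACKLIST_CORRECT = [
    (CLIENT_A, 8080, "drop"),
    (CLIENT_B, 8080, "drop"),
    ("0.0.0.0/0", 8080, "accept"),
]

# The same rules with the allow-all rule placed first: the mistake the page warns about.
BLACKLIST_WRONG_ORDER = [
    ("0.0.0.0/0", 8080, "accept"),
    (CLIENT_A, 8080, "drop"),
    (CLIENT_B, 8080, "drop"),
]

ALLOW_ACTIONS = {"allow", "accept"}


def evaluate(rules, src_ip, dst_port, default="drop"):
    """Return the action of the first rule matching (src_ip, dst_port).

    Rules are checked top to bottom and the first match wins. When nothing
    matches, `default` applies (assumed: implicit deny for inbound traffic).
    """
    src = ipaddress.ip_address(src_ip)
    for cidr, port, action in rules:
        net = ipaddress.ip_network(cidr, strict=False)  # bare IP becomes a /32
        if src in net and (port == "ALL" or port == dst_port):
            return "allow" if action in ALLOW_ACTIONS else "drop"
    return default


def misordered_denies(rules):
    """Return deny rules that can never match because an earlier allow rule
    already covers their source range and port (a shadowed blacklist entry)."""
    shadowed = []
    for i, (cidr, port, action) in enumerate(rules):
        if action in ALLOW_ACTIONS:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        for prev_cidr, prev_port, prev_action in rules[:i]:
            prev_net = ipaddress.ip_network(prev_cidr, strict=False)
            if (prev_action in ALLOW_ACTIONS
                    and prev_port in (port, "ALL")
                    and net.subnet_of(prev_net)):
                shadowed.append((cidr, port, action))
                break
    return shadowed


def to_policy_set(rules, protocol="TCP"):
    """Render rules in the order given as a CreateSecurityGroupPolicies request
    body. Field names are the example author's reading of the VPC API reference;
    verify them before use. Order is preserved because it is part of the policy."""
    ingress = []
    for cidr, port, action in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        ingress.append({
            "Protocol": protocol,
            "Port": str(port),
            "CidrBlock": str(net),
            "Action": "ACCEPT" if action in ALLOW_ACTIONS else "DROP",
        })
    return {"SecurityGroupPolicySet": {"Ingress": ingress}}


if __name__ == "__main__":
    for ip in (CLIENT_A, CLB_VIP, "192.0.2.7"):
        print("scenario 1:", ip, "-> 8080:", evaluate(SCENARIO_1_INBOUND, ip, 8080))
    print("blacklist, correct order, ClientA:", evaluate(BLACKLIST_CORRECT, CLIENT_A, 8080))
    print("blacklist, wrong order, ClientA:  ", evaluate(BLACKLIST_WRONG_ORDER, CLIENT_A, 8080))
    print("shadowed deny rules:", misordered_denies(BLACKLIST_WRONG_ORDER))
    print(json.dumps(to_policy_set(SCENARIO_1_INBOUND), indent=2))
```

Running the script shows that in scenario 1 an address outside the client list is dropped while the CLB VIP is still allowed, and that with the allow-all rule on top the blacklist entries for ClientA and ClientB are reported as shadowed and ClientA is accepted. Use `misordered_denies` as a pre-flight check before applying a rule list, and keep the rendered `Ingress` list in the same order you intend the console to show.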

Operation instructions for CVM Security Group

Manage Backend Server Security Groups via Console

  1. Log in to the CLB console and click the ID of the corresponding CLB instance to open its details page.
  2. On the page listing the CVM instances bound to the CLB, click the ID of the corresponding real server to open the CVM details page.
  3. Click the Security Group tab to bind or unbind security groups.