source/networking/security_groups.rst - cloudstack-docs-admin - Git at Google

 .. Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information#
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.


 Security Groups
 ---------------

 About Security Groups
 ~~~~~~~~~~~~~~~~~~~~~

 Security groups provide a way to isolate traffic to VMs. A security
 group is a group of VMs that filter their incoming and outgoing traffic
 according to a set of rules, called ingress and egress rules. These
 rules filter network traffic according to the IP address that is
 attempting to communicate with the VM. Security groups are particularly
 useful in zones that use basic networking, because there is a single
 guest network for all guest VMs. In advanced zones, security groups are
 supported only on the KVM hypervisor.

 .. note::
    In a zone that uses advanced networking, you can instead define
    multiple guest networks to isolate traffic to VMs.

 Each CloudStack account comes with a default security group that denies
 all inbound traffic and allows all outbound traffic. The default
 security group can be modified so that all new VMs inherit some other
 desired set of rules.

 Any CloudStack user can set up any number of additional security groups.
 When a new VM is launched, it is assigned to the default security group
 unless another user-defined security group is specified. A VM can be a
 member of any number of security groups. Once a VM is assigned to a
 security group, it remains in that group for its entire lifetime; you
 can not move a running VM from one security group to another.

 You can modify a security group by deleting or adding any number of
 ingress and egress rules. When you do, the new rules apply to all VMs in
 the group, whether running or stopped.

 If no ingress rules are specified, then no traffic will be allowed in,
 except for responses to any traffic that has been allowed out through an
 egress rule.


 Adding a Security Group
 ~~~~~~~~~~~~~~~~~~~~~~~

 A user or administrator can define a new security group.

 #. Log in to the CloudStack UI as an administrator or end user.

 #. In the left navigation, choose Network.

 #. In Select view, choose Security Groups.

 #. Click Add Security Group.

 #. Provide a name and description.

 #. Click OK.

    The new security group appears in the Security Groups Details tab.

 #. To make the security group useful, continue to Adding Ingress and
    Egress Rules to a Security Group.


 Security Groups in Advanced Zones (KVM Only)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 CloudStack provides the ability to use security groups to provide
 isolation between guests on a single shared, zone-wide network in an
 advanced zone where KVM is the hypervisor. Using security groups in
 advanced zones rather than multiple VLANs allows a greater range of
 options for setting up guest isolation in a cloud.


 Limitations
 ^^^^^^^^^^^

 The following are not supported for this feature:

 -  Two IP ranges with the same VLAN and different gateway or netmask in
    security group-enabled shared network.

 -  Two IP ranges with the same VLAN and different gateway or netmask in
    account-specific shared networks.

 -  Multiple VLAN ranges in security group-enabled shared network.

 -  Multiple VLAN ranges in account-specific shared networks.

 Security groups must be enabled in the zone in order for this feature to
 be used.


 Enabling Security Groups
 ~~~~~~~~~~~~~~~~~~~~~~~~

 In order for security groups to function in a zone, the security groups
 feature must first be enabled for the zone. The administrator can do
 this when creating a new zone, by selecting a network offering that
 includes security groups. The procedure is described in Basic Zone
 Configuration in the Advanced Installation Guide. The administrator can
 not enable security groups for an existing zone, only when creating a
 new zone.


 Adding Ingress and Egress Rules to a Security Group
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 #. Log in to the CloudStack UI as an administrator or end user.

 #. In the left navigation, choose Network

 #. In Select view, choose Security Groups, then click the security group
    you want.

 #. To add an ingress rule, click the Ingress Rules tab and fill out the
    following fields to specify what network traffic is allowed into VM
    instances in this security group. If no ingress rules are specified,
    then no traffic will be allowed in, except for responses to any
    traffic that has been allowed out through an egress rule.

    -  **Add by CIDR/Account**. Indicate whether the source of the
       traffic will be defined by IP address (CIDR) or an existing
       security group in a CloudStack account (Account). Choose Account
       if you want to allow incoming traffic from all VMs in another
       security group

    -  **Protocol**. The networking protocol that sources will use to
       send traffic to the security group. TCP and UDP are typically used
       for data exchange and end-user communications. ICMP is typically
       used to send error messages or network monitoring data.

    -  **Start Port, End Port**. (TCP, UDP only) A range of listening
       ports that are the destination for the incoming traffic. If you
       are opening a single port, use the same number in both fields.

    -  **ICMP Type, ICMP Code**. (ICMP only) The type of message and
       error code that will be accepted.

    -  **CIDR**. (Add by CIDR only) To accept only traffic from IP
       addresses within a particular address block, enter a CIDR or a
       comma-separated list of CIDRs. The CIDR is the base IP address of
       the incoming traffic. For example, 192.168.0.0/22. To allow all
       CIDRs, set to 0.0.0.0/0.

    -  **Account, Security Group**. (Add by Account only) To accept only
       traffic from another security group, enter the CloudStack account
       and name of a security group that has already been defined in that
       account. To allow traffic between VMs within the security group
       you are editing now, enter the same name you used in step 7.

    The following example allows inbound HTTP access from anywhere:

    |httpaccess.png|

 #. To add an egress rule, click the Egress Rules tab and fill out the
    following fields to specify what type of traffic is allowed to be
    sent out of VM instances in this security group. If no egress rules
    are specified, then all traffic will be allowed out. Once egress
    rules are specified, the following types of traffic are allowed out:
    traffic specified in egress rules; queries to DNS and DHCP servers;
    and responses to any traffic that has been allowed in through an
    ingress rule

    -  **Add by CIDR/Account**. Indicate whether the destination of the
       traffic will be defined by IP address (CIDR) or an existing
       security group in a CloudStack account (Account). Choose Account
       if you want to allow outgoing traffic to all VMs in another
       security group.

    -  **Protocol**. The networking protocol that VMs will use to send
       outgoing traffic. TCP and UDP are typically used for data exchange
       and end-user communications. ICMP is typically used to send error
       messages or network monitoring data.

    -  **Start Port, End Port**. (TCP, UDP only) A range of listening
       ports that are the destination for the outgoing traffic. If you
       are opening a single port, use the same number in both fields.

    -  **ICMP Type, ICMP Code**. (ICMP only) The type of message and
       error code that will be sent

    -  **CIDR**. (Add by CIDR only) To send traffic only to IP addresses
       within a particular address block, enter a CIDR or a
       comma-separated list of CIDRs. The CIDR is the base IP address of
       the destination. For example, 192.168.0.0/22. To allow all CIDRs,
       set to 0.0.0.0/0.

    -  **Account, Security Group**. (Add by Account only) To allow
       traffic to be sent to another security group, enter the CloudStack
       account and name of a security group that has already been defined
       in that account. To allow traffic between VMs within the security
       group you are editing now, enter its name.

 #. Click Add.


 .. |httpaccess.png| image:: /_static/images/http-access.png
    :alt: allows inbound HTTP access from anywhere.
	.. Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information#
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.


	Security Groups
	---------------

	About Security Groups
	~~~~~~~~~~~~~~~~~~~~~

	Security groups provide a way to isolate traffic to VMs. A security
	group is a group of VMs that filter their incoming and outgoing traffic
	according to a set of rules, called ingress and egress rules. These
	rules filter network traffic according to the IP address that is
	attempting to communicate with the VM. Security groups are particularly
	useful in zones that use basic networking, because there is a single
	guest network for all guest VMs. In advanced zones, security groups are
	supported only on the KVM hypervisor.

	.. note::
	In a zone that uses advanced networking, you can instead define
	multiple guest networks to isolate traffic to VMs.

	Each CloudStack account comes with a default security group that denies
	all inbound traffic and allows all outbound traffic. The default
	security group can be modified so that all new VMs inherit some other
	desired set of rules.

	Any CloudStack user can set up any number of additional security groups.
	When a new VM is launched, it is assigned to the default security group
	unless another user-defined security group is specified. A VM can be a
	member of any number of security groups. Once a VM is assigned to a
	security group, it remains in that group for its entire lifetime; you
	can not move a running VM from one security group to another.

	You can modify a security group by deleting or adding any number of
	ingress and egress rules. When you do, the new rules apply to all VMs in
	the group, whether running or stopped.

	If no ingress rules are specified, then no traffic will be allowed in,
	except for responses to any traffic that has been allowed out through an
	egress rule.


	Adding a Security Group
	~~~~~~~~~~~~~~~~~~~~~~~

	A user or administrator can define a new security group.

	#. Log in to the CloudStack UI as an administrator or end user.

	#. In the left navigation, choose Network.

	#. In Select view, choose Security Groups.

	#. Click Add Security Group.

	#. Provide a name and description.

	#. Click OK.

	The new security group appears in the Security Groups Details tab.

	#. To make the security group useful, continue to Adding Ingress and
	Egress Rules to a Security Group.


	Security Groups in Advanced Zones (KVM Only)
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	CloudStack provides the ability to use security groups to provide
	isolation between guests on a single shared, zone-wide network in an
	advanced zone where KVM is the hypervisor. Using security groups in
	advanced zones rather than multiple VLANs allows a greater range of
	options for setting up guest isolation in a cloud.


	Limitations
	^^^^^^^^^^^

	The following are not supported for this feature:

	- Two IP ranges with the same VLAN and different gateway or netmask in
	security group-enabled shared network.

	- Two IP ranges with the same VLAN and different gateway or netmask in
	account-specific shared networks.

	- Multiple VLAN ranges in security group-enabled shared network.

	- Multiple VLAN ranges in account-specific shared networks.

	Security groups must be enabled in the zone in order for this feature to
	be used.


	Enabling Security Groups
	~~~~~~~~~~~~~~~~~~~~~~~~

	In order for security groups to function in a zone, the security groups
	feature must first be enabled for the zone. The administrator can do
	this when creating a new zone, by selecting a network offering that
	includes security groups. The procedure is described in Basic Zone
	Configuration in the Advanced Installation Guide. The administrator can
	not enable security groups for an existing zone, only when creating a
	new zone.


	Adding Ingress and Egress Rules to a Security Group
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	#. Log in to the CloudStack UI as an administrator or end user.

	#. In the left navigation, choose Network

	#. In Select view, choose Security Groups, then click the security group
	you want.

	#. To add an ingress rule, click the Ingress Rules tab and fill out the
	following fields to specify what network traffic is allowed into VM
	instances in this security group. If no ingress rules are specified,
	then no traffic will be allowed in, except for responses to any
	traffic that has been allowed out through an egress rule.

	- Add by CIDR/Account. Indicate whether the source of the
	traffic will be defined by IP address (CIDR) or an existing
	security group in a CloudStack account (Account). Choose Account
	if you want to allow incoming traffic from all VMs in another
	security group

	- Protocol. The networking protocol that sources will use to
	send traffic to the security group. TCP and UDP are typically used
	for data exchange and end-user communications. ICMP is typically
	used to send error messages or network monitoring data.

	- Start Port, End Port. (TCP, UDP only) A range of listening
	ports that are the destination for the incoming traffic. If you
	are opening a single port, use the same number in both fields.

	- ICMP Type, ICMP Code. (ICMP only) The type of message and
	error code that will be accepted.

	- CIDR. (Add by CIDR only) To accept only traffic from IP
	addresses within a particular address block, enter a CIDR or a
	comma-separated list of CIDRs. The CIDR is the base IP address of
	the incoming traffic. For example, 192.168.0.0/22. To allow all
	CIDRs, set to 0.0.0.0/0.

	- Account, Security Group. (Add by Account only) To accept only
	traffic from another security group, enter the CloudStack account
	and name of a security group that has already been defined in that
	account. To allow traffic between VMs within the security group
	you are editing now, enter the same name you used in step 7.

	The following example allows inbound HTTP access from anywhere:

	\|httpaccess.png\|

	#. To add an egress rule, click the Egress Rules tab and fill out the
	following fields to specify what type of traffic is allowed to be
	sent out of VM instances in this security group. If no egress rules
	are specified, then all traffic will be allowed out. Once egress
	rules are specified, the following types of traffic are allowed out:
	traffic specified in egress rules; queries to DNS and DHCP servers;
	and responses to any traffic that has been allowed in through an
	ingress rule

	- Add by CIDR/Account. Indicate whether the destination of the
	traffic will be defined by IP address (CIDR) or an existing
	security group in a CloudStack account (Account). Choose Account
	if you want to allow outgoing traffic to all VMs in another
	security group.

	- Protocol. The networking protocol that VMs will use to send
	outgoing traffic. TCP and UDP are typically used for data exchange
	and end-user communications. ICMP is typically used to send error
	messages or network monitoring data.

	- Start Port, End Port. (TCP, UDP only) A range of listening
	ports that are the destination for the outgoing traffic. If you
	are opening a single port, use the same number in both fields.

	- ICMP Type, ICMP Code. (ICMP only) The type of message and
	error code that will be sent

	- CIDR. (Add by CIDR only) To send traffic only to IP addresses
	within a particular address block, enter a CIDR or a
	comma-separated list of CIDRs. The CIDR is the base IP address of
	the destination. For example, 192.168.0.0/22. To allow all CIDRs,
	set to 0.0.0.0/0.

	- Account, Security Group. (Add by Account only) To allow
	traffic to be sent to another security group, enter the CloudStack
	account and name of a security group that has already been defined
	in that account. To allow traffic between VMs within the security
	group you are editing now, enter its name.

	#. Click Add.


	.. \|httpaccess.png\| image:: /_static/images/http-access.png
	:alt: allows inbound HTTP access from anywhere.