| <?xml version='1.0' encoding='utf-8' ?> |
| <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ |
| <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent"> |
| %BOOK_ENTITIES; |
| ]> |
| <!-- Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| http://www.apache.org/licenses/LICENSE-2.0 |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <section id="add-ingress-egress-rules"> |
| <title>Adding Ingress and Egress Rules to a Security Group</title> |
| <orderedlist> |
| <listitem> |
| <para>Log in to the &PRODUCT; UI as an administrator or end user. </para> |
| </listitem> |
| <listitem> |
| <para>In the left navigation, choose Network</para> |
| </listitem> |
| <listitem> |
| <para>In Select view, choose Security Groups, then click the security group you want .</para> |
| </listitem> |
| <listitem> |
| <para>To add an ingress rule, click the Ingress Rules tab and fill out the following fields to |
| specify what network traffic is allowed into VM instances in this security group. If no |
| ingress rules are specified, then no traffic will be allowed in, except for responses to any |
| traffic that has been allowed out through an egress rule.</para> |
| <itemizedlist> |
| <listitem> |
| <para><emphasis role="bold">Add by CIDR/Account</emphasis>. Indicate whether the source of |
| the traffic will be defined by IP address (CIDR) or an existing security group in a |
| &PRODUCT; account (Account). Choose Account if you want to allow incoming traffic from |
| all VMs in another security group</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Protocol</emphasis>. The networking protocol that sources will |
| use to send traffic to the security group. TCP and UDP are typically used for data |
| exchange and end-user communications. ICMP is typically used to send error messages or |
| network monitoring data.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Start Port, End Port</emphasis>. (TCP, UDP only) A range of |
| listening ports that are the destination for the incoming traffic. If you are opening a |
| single port, use the same number in both fields.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>. (ICMP only) The type of |
| message and error code that will be accepted.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">CIDR</emphasis>. (Add by CIDR only) To accept only traffic |
| from IP addresses within a particular address block, enter a CIDR or a comma-separated |
| list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, |
| 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Account, Security Group</emphasis>. (Add by Account only) To |
| accept only traffic from another security group, enter the &PRODUCT; account and name of |
| a security group that has already been defined in that account. To allow traffic between |
| VMs within the security group you are editing now, enter the same name you used in step |
| 7.</para> |
| </listitem> |
| </itemizedlist> |
| <para>The following example allows inbound HTTP access from anywhere:</para> |
| <mediaobject> |
| <imageobject> |
| <imagedata fileref="./images/http-access.png"/> |
| </imageobject> |
| <textobject> |
| <phrase>httpaccess.png: allows inbound HTTP access from anywhere</phrase> |
| </textobject> |
| </mediaobject> |
| </listitem> |
| <listitem> |
| <para>To add an egress rule, click the Egress Rules tab and fill out the following fields to |
| specify what type of traffic is allowed to be sent out of VM instances in this security |
| group. If no egress rules are specified, then all traffic will be allowed out. Once egress |
| rules are specified, the following types of traffic are allowed out: traffic specified in |
| egress rules; queries to DNS and DHCP servers; and responses to any traffic that has been |
| allowed in through an ingress rule</para> |
| <itemizedlist> |
| <listitem> |
| <para><emphasis role="bold">Add by CIDR/Account</emphasis>. Indicate whether the |
| destination of the traffic will be defined by IP address (CIDR) or an existing security |
| group in a &PRODUCT; account (Account). Choose Account if you want to allow outgoing |
| traffic to all VMs in another security group.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Protocol</emphasis>. The networking protocol that VMs will use |
| to send outgoing traffic. TCP and UDP are typically used for data exchange and end-user |
| communications. ICMP is typically used to send error messages or network monitoring |
| data.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Start Port, End Port</emphasis>. (TCP, UDP only) A range of |
| listening ports that are the destination for the outgoing traffic. If you are opening a |
| single port, use the same number in both fields.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>. (ICMP only) The type of |
| message and error code that will be sent</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">CIDR</emphasis>. (Add by CIDR only) To send traffic only to IP |
| addresses within a particular address block, enter a CIDR or a comma-separated list of |
| CIDRs. The CIDR is the base IP address of the destination. For example, 192.168.0.0/22. |
| To allow all CIDRs, set to 0.0.0.0/0.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Account, Security Group</emphasis>. (Add by Account only) To |
| allow traffic to be sent to another security group, enter the &PRODUCT; account and name |
| of a security group that has already been defined in that account. To allow traffic |
| between VMs within the security group you are editing now, enter its name.</para> |
| </listitem> |
| </itemizedlist> |
| </listitem> |
| <listitem> |
| <para>Click Add.</para> |
| </listitem> |
| </orderedlist> |
| </section> |