<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="add-ingress-egress-rules">
<title>Adding Ingress and Egress Rules to a Security Group</title>
<orderedlist>
<listitem>
<para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
</listitem>
<listitem>
<para>In the left navigation, choose Network.</para>
</listitem>
<listitem>
<para>In Select view, choose Security Groups, then click the security group you want.</para>
</listitem>
<listitem>
<para>To add an ingress rule, click the Ingress Rules tab and fill out the following fields to
specify what network traffic is allowed into VM instances in this security group. If no
ingress rules are specified, then no traffic will be allowed in, except for responses to any
traffic that has been allowed out through an egress rule.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Add by CIDR/Account</emphasis>. Indicate whether the source of
the traffic will be defined by IP address (CIDR) or an existing security group in a
&PRODUCT; account (Account). Choose Account if you want to allow incoming traffic from
all VMs in another security group.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Protocol</emphasis>. The networking protocol that sources will
use to send traffic to the security group. TCP and UDP are typically used for data
exchange and end-user communications. ICMP is typically used to send error messages or
network monitoring data.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Start Port, End Port</emphasis>. (TCP, UDP only) A range of
listening ports that are the destination for the incoming traffic. If you are opening a
single port, use the same number in both fields.</para>
</listitem>
<listitem>
<para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>. (ICMP only) The type of
message and error code that will be accepted.</para>
</listitem>
<listitem>
<para><emphasis role="bold">CIDR</emphasis>. (Add by CIDR only) To accept only traffic
from IP addresses within a particular address block, enter a CIDR or a comma-separated
list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example,
192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Account, Security Group</emphasis>. (Add by Account only) To
accept only traffic from another security group, enter the &PRODUCT; account and name of
a security group that has already been defined in that account. To allow traffic between
VMs within the security group you are editing now, enter the same name you used in step
7.</para>
</listitem>
</itemizedlist>
<para>The following example allows inbound HTTP access from anywhere:</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/http-access.png"/>
</imageobject>
<textobject>
<phrase>httpaccess.png: allows inbound HTTP access from anywhere</phrase>
</textobject>
</mediaobject>
</listitem>
<listitem>
<para>To add an egress rule, click the Egress Rules tab and fill out the following fields to
specify what type of traffic is allowed to be sent out of VM instances in this security
group. If no egress rules are specified, then all traffic will be allowed out. Once egress
rules are specified, the following types of traffic are allowed out: traffic specified in
egress rules; queries to DNS and DHCP servers; and responses to any traffic that has been
allowed in through an ingress rule.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Add by CIDR/Account</emphasis>. Indicate whether the
destination of the traffic will be defined by IP address (CIDR) or an existing security
group in a &PRODUCT; account (Account). Choose Account if you want to allow outgoing
traffic to all VMs in another security group.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Protocol</emphasis>. The networking protocol that VMs will use
to send outgoing traffic. TCP and UDP are typically used for data exchange and end-user
communications. ICMP is typically used to send error messages or network monitoring
data.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Start Port, End Port</emphasis>. (TCP, UDP only) A range of
listening ports that are the destination for the outgoing traffic. If you are opening a
single port, use the same number in both fields.</para>
</listitem>
<listitem>
<para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>. (ICMP only) The type of
message and error code that will be sent.</para>
</listitem>
<listitem>
<para><emphasis role="bold">CIDR</emphasis>. (Add by CIDR only) To send traffic only to IP
addresses within a particular address block, enter a CIDR or a comma-separated list of
CIDRs. The CIDR is the base IP address of the destination. For example, 192.168.0.0/22.
To allow all CIDRs, set to 0.0.0.0/0.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Account, Security Group</emphasis>. (Add by Account only) To
allow traffic to be sent to another security group, enter the &PRODUCT; account and name
of a security group that has already been defined in that account. To allow traffic
between VMs within the security group you are editing now, enter its name.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Click Add.</para>
</listitem>
</orderedlist>
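<para>The following Python model is an added illustration of the rule semantics described in the steps above; it is not part of &PRODUCT; and does not call its API. It evaluates a packet against a security group's ingress and egress rules (CIDR or account/group match, TCP/UDP port ranges, exact ICMP type and code) and reproduces the defaults: with no ingress rules nothing is allowed in except replies to allowed egress traffic, with no egress rules everything is allowed out, and once a single egress rule exists only rule matches, DNS and DHCP queries and replies to allowed ingress traffic leave the VM. The DNS and DHCP port numbers, the account and group names and the addresses in the scenario are constructed assumptions.</para>
<programlisting><![CDATA[
```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """A packet seen by the VM: peer is the source (ingress) or destination (egress)."""
    protocol: str                                   # "tcp", "udp" or "icmp"
    peer_ip: str
    port: Optional[int] = None                      # destination port for TCP/UDP
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    peer_group: Optional[Tuple[str, str]] = None    # (account, security group) of the remote VM
    is_reply: bool = False                          # response to a flow already allowed the other way


@dataclass
class Rule:
    """One rule as entered in the Ingress Rules or Egress Rules tab."""
    protocol: str
    start_port: Optional[int] = None                # TCP/UDP only
    end_port: Optional[int] = None
    icmp_type: Optional[int] = None                 # ICMP only (exact match; no wildcard modelled)
    icmp_code: Optional[int] = None
    cidrs: List[str] = field(default_factory=list)               # Add by CIDR
    groups: List[Tuple[str, str]] = field(default_factory=list)  # Add by Account: (account, group)

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol:
            return False
        if self.protocol in ("tcp", "udp"):
            if pkt.port is None or not (self.start_port <= pkt.port <= self.end_port):
                return False
        elif (pkt.icmp_type, pkt.icmp_code) != (self.icmp_type, self.icmp_code):
            return False
        peer = ip_address(pkt.peer_ip)
        if any(peer in ip_network(c, strict=False) for c in self.cidrs):
            return True
        return pkt.peer_group is not None and pkt.peer_group in self.groups


def is_dns_or_dhcp_query(pkt: Packet) -> bool:
    # Assumed ports: DNS on 53/tcp and 53/udp, DHCP server on 67/udp.
    return (pkt.protocol in ("tcp", "udp") and pkt.port == 53) or \
           (pkt.protocol == "udp" and pkt.port == 67)


@dataclass
class SecurityGroup:
    account: str
    name: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)

    def allows_in(self, pkt: Packet) -> bool:
        # No ingress rules: nothing in, except replies to traffic allowed out.
        if pkt.is_reply:
            return True
        return any(r.matches(pkt) for r in self.ingress)

    def allows_out(self, pkt: Packet) -> bool:
        # No egress rules: everything out. Any egress rule: only rule matches,
        # DNS/DHCP queries and replies to traffic allowed in.
        if not self.egress:
            return True
        if pkt.is_reply or is_dns_or_dhcp_query(pkt):
            return True
        return any(r.matches(pkt) for r in self.egress)


def demo() -> dict:
    """Constructed scenario: the 'HTTP from anywhere' example, then the effect of a first egress rule."""
    web = SecurityGroup("acme", "web",
                        ingress=[Rule("tcp", 80, 80, cidrs=["0.0.0.0/0"])])
    results = {
        "http_in": web.allows_in(Packet("tcp", "203.0.113.9", port=80)),      # True
        "ssh_in": web.allows_in(Packet("tcp", "203.0.113.9", port=22)),       # False: default deny
        "https_out_no_egress": web.allows_out(Packet("tcp", "198.51.100.7", port=443)),  # True
    }
    # Adding one egress rule (NTP to the private range) flips egress to default deny.
    web.egress.append(Rule("udp", 123, 123, cidrs=["10.0.0.0/8"]))
    results["https_out_with_egress"] = web.allows_out(Packet("tcp", "198.51.100.7", port=443))  # False
    results["dns_out_with_egress"] = web.allows_out(Packet("udp", "10.0.0.2", port=53))         # True
    results["http_reply_out"] = web.allows_out(
        Packet("tcp", "203.0.113.9", port=51234, is_reply=True))                                 # True
    # Add by Account: VMs in acme/app may reach this group on 8080; others may not.
    web.ingress.append(Rule("tcp", 8080, 8080, groups=[("acme", "app")]))
    results["app_in"] = web.allows_in(
        Packet("tcp", "10.1.2.3", port=8080, peer_group=("acme", "app")))                        # True
    results["stranger_8080"] = web.allows_in(Packet("tcp", "10.1.2.3", port=8080))               # False
    # ICMP echo request (type 8, code 0) from 192.168.0.0/22 only.
    web.ingress.append(Rule("icmp", icmp_type=8, icmp_code=0, cidrs=["192.168.0.0/22"]))
    results["ping_in"] = web.allows_in(Packet("icmp", "192.168.1.50", icmp_type=8, icmp_code=0))   # True
    results["ping_outside"] = web.allows_in(Packet("icmp", "203.0.113.9", icmp_type=8, icmp_code=0))  # False
    return results


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key:22} {'allow' if allowed else 'deny'}")
```
]]></programlisting>
<para>The point worth checking in a real group is the egress flip shown by <literal>https_out_no_egress</literal> versus <literal>https_out_with_egress</literal>: the first egress rule you add changes the group from allowing all outbound traffic to allowing only what the rules, DNS/DHCP and established ingress flows cover, so any other outbound dependency must get its own egress rule.</para>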
</section>