Security groups

From Luna Node
Revision as of 22:57, 5 January 2016 by Favyen Bastani (Talk | contribs)


Security groups allow you to control network access to your virtual machines at the group level. Each security group has an associated set of rules defining what kind of traffic is permitted to enter or exit the virtual machines in the group. Each rule specifies a traffic direction (incoming/outgoing), a protocol (e.g. TCP), and a remote source/destination (either a network prefix such as 123.123.0.0/16, or another security group); for the TCP and UDP protocols, a port range also needs to be configured.

Getting started

Head to the Security Groups page to manage your security groups. Once you create a security group with a given name, it will appear in the table and be initialized automatically with default rules that allow any outgoing traffic from the VM. You can then add additional rules, or remove the default rules if desired. Note that a newly created group permits no incoming traffic by default.

Once you have set up your security group(s), you can go to a VM details page or the Create VM page to either modify the security groups of an existing VM, or create a new VM in some subset of your security groups. By default, each VM is assigned to a default security group that allows all incoming and outgoing traffic; select your own security group instead of the default group to apply your restrictions.

Note that if you select multiple security groups for your VM, traffic permitted by rules in any of the security groups will be allowed.

Use cases

Here are some example use cases for security groups.

  • Private backend VM: suppose you have a backend server (for example, running a database service) and a cluster of front-end machines. You can put all of your VMs in one security group that only allows incoming traffic from that group, and also put your front-end machines in the default security group so that they still accept any traffic. This way, you don't need to worry about modifying iptables rules within your container each time you boot a new VM. (Note: you may also want to disassociate the external floating IP from the private VM; also consider virtual networks for finer-grained control.)
  • Additional firewall: you may want to restrict connections to only a specific set of ports on your VM. Security groups can be used as a firewall on top of whatever you set within your container. Also, when managing a large number of machines, you can simply edit the security group instead of the rules on each machine.
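The following is an added example, not code from Luna Node or from this page: a small Python model of the rule semantics described above (direction, protocol, CIDR-or-group remote, port range for TCP/UDP, allow-all egress on a new group, and union across a VM's groups), applied to the private backend use case. The group names, addresses and port numbers are constructed for illustration, and the evaluator is a simplification intended to show how the rules compose, not a description of how the platform implements them.

```python
"""Model of security-group evaluation as described on this page:
- a rule has a direction, a protocol, a remote (CIDR prefix or another
  group's name) and, for TCP/UDP, a port range;
- a newly created group starts with allow-all egress rules and no ingress;
- a VM in several groups accepts traffic permitted by ANY of them.
All names, addresses and ports are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str              # "ingress" (incoming) or "egress" (outgoing)
    protocol: str               # "tcp", "udp", "icmp" or "any"
    remote: str                 # CIDR prefix such as "10.0.0.0/24" or another group's name
    port_min: Optional[int] = None
    port_max: Optional[int] = None

    def __post_init__(self):
        # The page says TCP/UDP rules need a port range; enforce that here.
        if self.protocol in ("tcp", "udp") and (self.port_min is None or self.port_max is None):
            raise ValueError("tcp/udp rules require a port range")


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class VM:
    name: str
    ip: str
    groups: Tuple[str, ...]     # names of the groups the VM belongs to


def new_group(name: str) -> SecurityGroup:
    """A freshly created group: egress to anywhere is allowed, nothing may come in."""
    return SecurityGroup(name, [Rule("egress", "any", "0.0.0.0/0"),
                                Rule("egress", "any", "::/0")])


def is_cidr(remote: str) -> bool:
    try:
        ip_network(remote, strict=False)
        return True
    except ValueError:
        return False


def rule_matches(rule, direction, protocol, port, remote_ip, vms) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol != "any" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp"):
        if port is None or not rule.port_min <= port <= rule.port_max:
            return False
    if is_cidr(rule.remote):
        # Membership test is False when address and prefix differ in IP version.
        return ip_address(remote_ip) in ip_network(rule.remote, strict=False)
    # Remote is another security group: the peer must be a VM that is a member of it.
    return any(rule.remote in vm.groups and vm.ip == remote_ip for vm in vms)


def permitted(vm, direction, protocol, port, remote_ip, groups, vms) -> bool:
    """Union semantics: allowed if any rule in any of the VM's groups matches."""
    return any(rule_matches(r, direction, protocol, port, remote_ip, vms)
               for name in vm.groups for r in groups[name].rules)


def build_scenario():
    """The 'private backend VM' use case with constructed (hypothetical) values."""
    default = SecurityGroup("default", [Rule("ingress", "any", "0.0.0.0/0"),
                                        Rule("egress", "any", "0.0.0.0/0")])
    backend = new_group("backend")
    # Only members of "backend" may reach the database port of other members.
    backend.rules.append(Rule("ingress", "tcp", "backend", 5432, 5432))
    groups = {g.name: g for g in (default, backend)}
    vms = [VM("db", "10.0.0.10", ("backend",)),
           VM("web1", "10.0.0.11", ("backend", "default")),
           VM("web2", "10.0.0.12", ("backend", "default"))]
    return groups, vms


def check_scenario():
    """Evaluate a few flows; the keys describe source -> destination:port."""
    groups, vms = build_scenario()
    by_name = {v.name: v for v in vms}
    db, web1 = by_name["db"], by_name["web1"]
    internet = "203.0.113.5"   # constructed external address
    return {
        "web1 -> db:5432": permitted(db, "ingress", "tcp", 5432, web1.ip, groups, vms),
        "internet -> db:5432": permitted(db, "ingress", "tcp", 5432, internet, groups, vms),
        "web1 -> db:22": permitted(db, "ingress", "tcp", 22, web1.ip, groups, vms),
        "internet -> web1:443": permitted(web1, "ingress", "tcp", 443, internet, groups, vms),
        "db -> internet:443": permitted(db, "egress", "tcp", 443, internet, groups, vms),
    }


if __name__ == "__main__":
    for flow, allowed in check_scenario().items():
        print(f"{flow:22} {'ALLOW' if allowed else 'DENY'}")
```

Running the script shows the effect described in the use case: the database VM, which sits only in the "backend" group, accepts port 5432 from the front-end VMs (members of that group) and nothing from outside, while the front-end VMs, which are also in the default group, accept traffic from anywhere. Removing "default" from a front-end VM's tuple and re-running is a quick way to see the union rule in action.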