Title here
Summary here
Network Security Groups
Security Groups act as a firewall to limit inbound and outbound traffic. Security Groups are sets of Rules that can be applied to a Virtual Network, or an individual NIC. Rules can be set for specific Protocols, Port Ranges, and Target Networks.
Security Group concepts
- You can set Security groups on a Virtual Network to provide ACLs to all VMs using the network
- Security Groups are additive. You can enable additional ports, protocols and destinations by adding extra Security groups to a VM or Virtual Network
- Every VM and Virtual Network starts with an implicity deny-all until a Security Group is added
- Every new Virtual Network is given the default Security Group of Allow-All, you must first remove this group to restrict access on the network
- Virtual Network Reservations can be used to create more-restrictive sets of IP addresses on a permissive Virtual Network
Each Rule is defined with the following attributes:
| Attribute | Type | Meaning | Values |
|---|---|---|---|
| PROTOCOL | Mandatory | IP Protocol of the rule | ALL, TCP, UDP, ICMP, IPSEC |
| IP | Optional | First IP of the range. Requires SIZE. | A valid IP |
| SIZE | Optional | Number of consecutive IPs in range. Requires IP. | An integer >= 1 |
| RANGE | Optional | Port Range to filter. Only applies to TCP and UDP. | multiple ports or port ranges are separated using a comma, a port range is specified using a colon. 22,53,80:90,110,1024:65535 |
| ICMP_TYPE | Optional | ICMP protocol type, comma separated. Blank for all. | 0,3,4,5,8,9,10,11,12,13,14,17,18 |
| NETWORK_ID | Optional | Network ID to which this Security Group will apply | A valid network ID |
Creating a Security Group
First, go to the Networks section then Security Groups and click the Create button.
After clicking create you must choose a name and optionally a description. Then you must enter at least one Rule, clicking Add to place the Rule in the Security Group and then click Finish.
Default Values
There is a special Security Group: default (ID 0). This security group allows all OUTBOUND traffic and all INBOUND traffic. Whenever a network is created, the default Security Group is added to the network.
This means you must edit every newly created network and remove the default Security Group from it. Otherwise, even if you add other Security Groups, the default one will allow all traffic and therefore override the rest of the Security Groups.
For Administrators
You may want to remove the rules included in the default security groups. This way users are forced to create security groups (otherwise they will not have connectivity to and from the VMs) which avoids some security problems.
Updating Security Groups
Security Groups can be updated to edit or add new rules. These changes are propagated to all VMs in the security group and it may take some time until the changes are applied to all VMs. The particular status of a VM can be checked in the security group properties, where outdated and up-to-date VMs are listed. If the update process needs to be reset, i.e. reapply the rules, you can use the vmsquared secgroup commit <security group ID> command.
As with most created objects in VM Squared, the Security Groups cannot be deleted while being used by another device, i.e. a Virtual Machine. First remove or replace the Security Group before issuing the delete command.
