Security groups
Security Groups act as a firewall to limit inbound and outbound traffic. Rules can be set for specific protocols, port ranges, and target networks.
Each Rule is defined with the following attributes:
Attribute | Type | Meaning | Values |
---|---|---|---|
PROTOCOL | Mandatory | Defines the protocol of the rule. | ALL, TCP, UDP, ICMP, IPSEC |
IP | Optional | If the rule only applies to a specific net. This is the first IP of the consecutive set of IPs. Must be used with SIZE. | A valid IP |
SIZE | Optional | If the rule only applies to a net. The number of total consecutive IPs of the network. Always use with IP. | An integer >= 1 |
RANGE | Optional | A port range to filter specific ports. Only works with TCP and UDP. | (iptables syntax) Multiple ports or port ranges are separated using a comma, and a port range is specified using a colon. Example: 22,53,80:90,110,1024:65535 |
ICMP_TYPE | Optional | Specific ICMP type of the rule. If a type has multiple codes, it includes all the codes within. This can only be used with ICMP. If omitted, the rule will affect the whole ICMP protocol. | 0,3,4,5,8,9,10,11,12,13,14,17,18 |
NETWORK_ID | Optional | Specify a network ID to which this Security Group will apply. | A valid network ID |
There is a special Security Group: default (ID 0). This security group allows all OUTBOUND traffic and all INBOUND traffic. Whenever a network is created, the default Security Group is added to the network.
This means you must edit every newly created network and remove the default Security Group from it. Otherwise even if you add other Security Groups, the default one will allow all traffic and therefore override the rest of the Security Groups.
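The constraints in the attribute table above, together with the "default group still attached" pitfall, lend themselves to a pre-flight check. The following is an added example, not HyperCloud's own code or CLI: it validates a rule expressed as a dictionary keyed by the attribute names from the table, and flags a network whose Security Group list still contains the default group (ID 0). Port-number bounds (1 to 65535) are an assumption of the example.

```python
import ipaddress
import re

PROTOCOLS = {"ALL", "TCP", "UDP", "ICMP", "IPSEC"}
ICMP_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 17, 18}
# iptables multiport syntax: comma-separated entries, each a port or a colon-separated range
PORT_RANGE_RE = re.compile(r"^\d{1,5}(:\d{1,5})?(,\d{1,5}(:\d{1,5})?)*$")


def _port_bounds_ok(rng):
    """Every entry is 'p' or 'p:q' with 1 <= p <= q <= 65535 (bounds assumed by this example)."""
    for part in rng.split(","):
        lo, hi = part.split(":") if ":" in part else (part, part)
        if not 1 <= int(lo) <= int(hi) <= 65535:
            return False
    return True


def validate_rule(rule):
    """Return a list of problems for one rule; an empty list means the rule is valid."""
    errors = []
    proto = str(rule.get("PROTOCOL", "")).upper()
    if proto not in PROTOCOLS:
        errors.append(f"PROTOCOL must be one of {sorted(PROTOCOLS)}, got {proto!r}")
    ip, size = rule.get("IP"), rule.get("SIZE")
    if (ip is None) != (size is None):          # IP and SIZE only make sense together
        errors.append("IP and SIZE must be given together")
    if ip is not None:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"IP {ip!r} is not a valid address")
    if size is not None and (not str(size).isdigit() or int(size) < 1):
        errors.append("SIZE must be an integer >= 1")
    rng = rule.get("RANGE")
    if rng is not None:
        if proto not in {"TCP", "UDP"}:
            errors.append("RANGE only works with TCP and UDP")
        if not PORT_RANGE_RE.match(str(rng)) or not _port_bounds_ok(str(rng)):
            errors.append(f"RANGE {rng!r} is not valid iptables port syntax")
    icmp = rule.get("ICMP_TYPE")
    if icmp is not None:
        if proto != "ICMP":
            errors.append("ICMP_TYPE can only be used with ICMP")
        if not str(icmp).isdigit() or int(icmp) not in ICMP_TYPES:
            errors.append(f"ICMP_TYPE {icmp!r} is not an allowed ICMP type")
    return errors


def check_network_secgroups(secgroup_ids):
    """Warn if the default Security Group (ID 0) is still attached: it allows all traffic."""
    if 0 in secgroup_ids:
        return "default Security Group (ID 0) still attached; it overrides the other groups"
    return None
```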
For administrators
You may want to remove the rules included in the default Security Group. This way users are forced to create their own Security Groups (otherwise they will not have connectivity to and from the VMs), which avoids some security problems.
Security Groups can be updated to edit or add new rules. These changes are propagated to all VMs in the Security Group, so it may take some time until the changes are applied. The particular status of a VM can be checked in the Security Group properties, where outdated and up-to-date VMs are listed. If the update process needs to be reset, i.e. the rules reapplied, you can use the `hypercloud secgroup commit <security group ID>` command.
Note
As with most created objects in HyperCloud, the Security Groups cannot be deleted while being used by another device, i.e. a Virtual Machine. It will need to be removed or replaced on the device before issuing the delete command.