
Help:Security groups: Difference between revisions

imported>UY Scuti
(→‎Create a new security group: update to reflect current interface in Horizon)
imported>Valerio Bozzolan
 
Line 18: Line 18:


# Log into [[Horizon]]
# Log into [[Horizon]]
# Select the project containing the instance from the dropdown.
# From the top-left dropdown, select the project containing the relevant instance
# Select 'Security Groups' under Network, under Project - you’ll see a list of available security groups.
# Under "Network", select "Security Groups" - you'll see a list of available security groups.
# Click on the "Create Security Group" button
# Click on the "Create Security Group" button
# Enter a new security group name, e.g., “web”.
# Enter a new security group name, e.g., “web”.
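Review bot: the rewritten step 3 drops the panel name that the old line carried ("under Network, under Project") and now only says "Under "Network""; keeping the panel keeps the navigation unambiguous, e.g. 'Under "Project" > "Network", select "Security Groups"'. The remaining rewordings in this hunk match the button and menu labels already used elsewhere on the page.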
Line 35: Line 35:
# Select the Remote type, either a [http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR] or Security Group. If you wish to open to everywhere, use CIDR "0.0.0.0/0".
# Select the Remote type, either a [http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR] or Security Group. If you wish to open to everywhere, use CIDR "0.0.0.0/0".
# Click on the “Add” button.
# Click on the “Add” button.
== Assign a security group to an instance ==
As default a new security group is not assigned to any instance. Here how to do it:
# Visit "Compute" > "Instances"
# click on the "Actions ▼" dropdown (precisely on the "▼" symbol) and pick "Edit Security Groups"
# from the column "All Security Groups", click on "+" on the relevant security group
# save


== Examples ==
== Examples ==
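Review bot: the new "Assign a security group to an instance" section needs a grammar pass ("As default ... Here how to do it") and its step 4, "save", does not say which control to use; suggest "By default, a new security group is not assigned to any instance. To assign one:" and "Click "Save"" for the last step. Since the page states that every instance should remain a member of the default group, a sentence noting that the custom group is added alongside "default" rather than replacing it would also help readers of this section.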

Latest revision as of 11:13, 4 August 2022

Overview

A security group is a set of firewall rules that can be applied to Cloud VPS instances.

Each instance should belong to one or more security groups.

Default security group

Every instance should be a member of the default group. The default security group allows all incoming connections from all other instances in the same security group. This means that traffic within a project is not blocked.

If you plan to run other network services on your instances (e.g. an external web server that must accept HTTPS), you will need to create an additional custom security group and add it to your instance.

Create a new security group

You must be a Project admin in order to create, add or modify security groups.

  1. Log into Horizon
  2. From the top-left dropdown, select the project containing the relevant instance
  3. Under "Network", select "Security Groups" - you'll see a list of available security groups.
  4. Click on the "Create Security Group" button
  5. Enter a new security group name, e.g., “web”.
  6. Enter a description (optional, but possibly helpful, e.g., firewall rules for web access).
  7. Click on the “Create Security Group” button.

Add rules

Each security group consists of one or more rules.

You can define rules for TCP, UDP (for these two, either a single port or a range of ports) and ICMP. The remote can be either another security group within the project or a CIDR.

  1. Once you're on the "Security Groups" page, click on the "Manage Rules" button next to the security group you want to modify.
  2. Select TCP, UDP, or ICMP.
  3. For TCP/UDP, enter a single Port or Port Range.
  4. Select the Remote type, either a CIDR or Security Group. If you wish to open the port to everywhere (the whole Internet), use CIDR "0.0.0.0/0".
  5. Click on the “Add” button.

Assign a security group to an instance

By default, a new security group is not assigned to any instance. To assign one:

  1. Visit "Compute" > "Instances"
  2. Click on the "Actions ▼" dropdown (precisely on the "▼" symbol) and pick "Edit Security Groups"
  3. From the column "All Security Groups", click on "+" next to the relevant security group
  4. Save

Examples

Here's a simple security group that allows web access:

  Beginning of port range | End of port range | Protocol | CIDR ranges | Source group | Explanation
  80                      | 80                | tcp      | 0.0.0.0/0   | (none)       | Open port 80 (http) to everyone
  443                     | 443               | tcp      | 0.0.0.0/0   | (none)       | Open port 443 (https) to everyone

Here's one that allows an instance to act as a sendmail server, but only for one other machine:

  Beginning of port range | End of port range | Protocol | CIDR ranges   | Source group | Explanation
  25                      | 25                | tcp      | 192.168.17.31 | (none)       | Open port 25 (smtp) to the lucky server at 192.168.17.31
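To make the allow-list semantics concrete (an instance's effective policy is the union of the rules of every group attached to it, the default group admits traffic from fellow members, and a rule's remote is either a CIDR or another group), here is an added Python model of the two example groups above plus the default group, with an audit helper that lists every rule open to 0.0.0.0/0. It is not code from the original page or from OpenStack; the instance names, addresses and memberships are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str                        # "tcp", "udp" or "icmp"
    port_min: Optional[int] = None       # ports are None for icmp
    port_max: Optional[int] = None
    cidr: Optional[str] = None           # remote given as a CIDR ...
    source_group: Optional[str] = None   # ... or as another security group

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

# Constructed sample groups: the project-wide "default" group (all traffic
# from other members) plus the two examples from this page.
DEFAULT = SecurityGroup("default", [Rule("tcp", 1, 65535, source_group="default"),
                                    Rule("udp", 1, 65535, source_group="default"),
                                    Rule("icmp", source_group="default")])
WEB = SecurityGroup("web", [Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
                            Rule("tcp", 443, 443, cidr="0.0.0.0/0")])
MAIL = SecurityGroup("mail", [Rule("tcp", 25, 25, cidr="192.168.17.31/32")])
GROUPS = {g.name: g for g in (DEFAULT, WEB, MAIL)}
# Constructed instance memberships; every instance keeps "default".
INSTANCES = {"web-1": {"default", "web"}, "mail-1": {"default", "mail"}, "db-1": {"default"}}

def _matches(rule, protocol, port, src_ip, src_groups):
    if rule.protocol != protocol:
        return False
    if protocol != "icmp" and not rule.port_min <= port <= rule.port_max:
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    return rule.source_group in src_groups   # remote-group rule: match on the sender's groups

def is_allowed(dst, protocol, port, src_ip, src_groups=frozenset()):
    """Groups are pure allow-lists: traffic reaches dst if any rule of any
    attached group matches; there is no deny rule and order does not matter."""
    return any(_matches(r, protocol, port, src_ip, src_groups)
               for name in INSTANCES[dst] for r in GROUPS[name].rules)

def world_open_rules():
    """Audit helper: every rule whose remote is 0.0.0.0/0, i.e. open to the Internet."""
    return [(g.name, r.protocol, r.port_min, r.port_max)
            for g in GROUPS.values() for r in g.rules
            if r.cidr is not None and ipaddress.ip_network(r.cidr).prefixlen == 0]
```

Pass the sender's own group set as src_groups for traffic from another instance in the project; leave it empty for traffic arriving from outside.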

Important: If you know what services you need access to but don't know what ports to open, there's a comprehensive list of standard ports here. You can also use 'lsof -p <PID> | grep LISTEN' as root to find ports in use by a specific process.

Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

Discuss and receive general support
Receive mail announcements about critical changes: subscribe to the cloud-announce@ mailing list (all messages are also mirrored to the cloud@ list)
Track work tasks and report bugs: use the Phabricator workboard #Cloud-Services for bug reports and feature requests about the Cloud VPS infrastructure itself
Learn about major near-term plans: read the News wiki page
Read news and stories about Wikimedia Cloud Services: read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)