Security Groups
Security Groups are a key feature in KarenCloud Services, acting as a virtual firewall to control inbound and outbound network traffic for virtual machines. By configuring security group rules, you can precisely define the types of traffic to allow or deny, protecting your virtual machine resources from unauthorized access.
What are Security Groups?
A Security Group is a virtual firewall mechanism that manages network traffic associated with virtual machine instances. Each security group contains a set of rules that control traffic access based on protocol, direction, action, and other parameters.
Creating and Managing Security Groups
In the KarenCloud Service platform, you can configure security groups using the following steps:
- Create a Security Group
  - Log in to the Karen control panel and navigate to the "Security Groups" module.
  - Click "Create Security Group," enter a name and description, then save.
- Add Rules
  - Select the target security group and click "Add Rule."
  - Configure the protocol, direction, action, and additional parameters for the specific protocol (see details below).
- Associate with Virtual Machines
  - When creating a virtual machine, select the desired security group.
  - For existing virtual machines, modify the associated security group through instance settings.
Security Group Rules Explained
Each security group rule consists of the following main components:
- Protocol: Specifies the protocol to which the rule applies. Supported options include:
  - TCP: Transmission Control Protocol
  - UDP: User Datagram Protocol
  - SCTP: Stream Control Transmission Protocol
  - IP: Internet Protocol (applies to all IP traffic, including TCP, UDP, ICMP, etc.)
  - All: All protocols
- Direction: Specifies whether the rule applies to inbound traffic ("In") or outbound traffic ("Out").
- Action: Defines how matching traffic is handled. Options include:
  - Accept: Allows the traffic to pass
  - Drop: Denies the traffic
Depending on the selected protocol, additional configuration may be required:
TCP, UDP, SCTP Protocols
- Source IP Address (Optional): For inbound rules, specify the allowed source IP address; for outbound rules, this is typically not set (applies to all IPs of the virtual machine).
- Destination Port Range: Specify the allowed destination port range (start port and end port).
IP Protocol
- Source IP Address (Optional): For inbound rules, specify the allowed source IP address; for outbound rules, specify the virtual machine's source IP address (typically not set).
- Destination IP Address (Optional): For inbound rules, specify the virtual machine's destination IP address (typically not set); for outbound rules, specify the allowed destination IP address.
All Protocols
- No additional configuration is required; the rule applies to traffic of all protocols.
Rule Evaluation Mechanism
Security group rules are evaluated in the order they are defined, and the first matching rule determines the action (Accept or Drop) for the traffic. If no rule matches, the traffic is denied.
This lets you create specific Accept rules and add a final rule that drops all remaining traffic, making the default-deny policy explicit.
Configuration Examples
Example 1: Allow SSH Access from a Specific IP
- Protocol: TCP
- Direction: In
- Action: Accept
- Source IP Address: 203.0.113.0/24
- Destination Port Range: 22 - 22
This rule allows IP addresses from the 203.0.113.0/24 subnet to access the virtual machine's port 22 (SSH) via TCP.
Example 2: Allow Virtual Machine to Access External HTTPS Services
- Protocol: TCP
- Direction: Out
- Action: Accept
- Destination Port Range: 443 - 443
This rule allows the virtual machine to access port 443 (HTTPS) on any external IP address via TCP.
Example 3: Deny All Outbound UDP Traffic
- Protocol: UDP
- Direction: Out
- Action: Drop
This rule denies all outbound UDP traffic from the virtual machine.
Example 4: Allow Ping from Any Address
- Protocol: IP
- Direction: In
- Action: Accept
- Source IP Address: 0.0.0.0/0
This rule allows IP traffic (including ICMP, such as ping) from any IP address to access the virtual machine. Note: This allows all IP protocol traffic, not just ICMP.
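The following Python simulator is an added illustration, not part of KarenCloud's documentation or platform code: it models the rule components and the first-match, default-deny evaluation described under "Rule Evaluation Mechanism", loads Examples 1-4 above as an ordered rule list, and lets you check what a given packet would get. The Rule and Packet field names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class Rule:
    protocol: str                        # "TCP", "UDP", "SCTP", "IP" or "All"
    direction: str                       # "In" or "Out"
    action: str                          # "Accept" or "Drop"
    source: Optional[str] = None         # CIDR; None matches any source address
    destination: Optional[str] = None    # CIDR; None matches any destination address
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range

@dataclass
class Packet:
    direction: str               # "In" or "Out", relative to the virtual machine
    protocol: str                # "TCP", "UDP", "SCTP", "ICMP", ...
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (ICMP)

def in_net(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    # "All" matches every protocol; "IP" matches everything carried over IP
    # (TCP, UDP, ICMP, ...), which is the caveat noted under Example 4.
    if rule.protocol not in ("All", "IP") and rule.protocol != pkt.protocol:
        return False
    if not in_net(pkt.src, rule.source) or not in_net(pkt.dst, rule.destination):
        return False
    if rule.ports and (pkt.dport is None or not rule.ports[0] <= pkt.dport <= rule.ports[1]):
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; traffic matching no rule is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "Drop"

# Examples 1-4 from this page, in the order they are defined.
RULES = [
    Rule("TCP", "In", "Accept", source="203.0.113.0/24", ports=(22, 22)),
    Rule("TCP", "Out", "Accept", ports=(443, 443)),
    Rule("UDP", "Out", "Drop"),
    Rule("IP", "In", "Accept", source="0.0.0.0/0"),
]
```

Evaluating an inbound TCP/22 packet from an address outside 203.0.113.0/24 against RULES returns "Accept" because of Example 4's IP rule, and "Drop" against RULES[:3]; that is the over-exposure the note under Example 4 warns about.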
Best Practices
- Principle of Least Privilege: Only open the protocols and ports required by your application to avoid overexposure.
- Restrict Traffic Sources: For inbound rules, specify specific source IP ranges whenever possible instead of using 0.0.0.0/0.
- Regular Audits: Periodically review and update security group rules, removing permissions that are no longer needed.
- Layered Management: Create separate security groups for different applications or environments to simplify management and maintenance.
By properly configuring security groups, you can effectively protect your virtual machines from unauthorized access while ensuring necessary network connectivity.