You can view the list of rules associated with an NSG.
To view the list, follow these steps:
1. Log in to the DCD with your username and password.
2. Go to Menu > Network > Network Security Groups.
3. Select a data center from the drop-down list to view the NSGs associated with it.
4. Select an NSG from the list by either selecting the NAME of the respective security group or clicking View & Edit.
Result: A list of rules defined for the selected security group is displayed. You can do the following:
copy UUID of the respective rule
Contract administrators and owners can create and manage NSGs within a data center. Normal contract sub-users need appropriate privileges to use and modify NSGs, without which they have read-only access and cannot provision changes. You can grant appropriate NSG privileges to contract sub-users via the User Manager.
If you turn off the privilege, your contract sub-users can manage the defined NSGs, provided they can access the respective data center.
To allow users to create NSGs, follow these steps:
1. Log in to the DCD with your username and password.
2. Go to Menu > Management > Users & Groups under Users.
3. Select Groups tab in the User Manager window.
4. Select the appropriate group to assign relevant privileges.
5. In the Privileges tab, select the Create Network Security Groups checkbox to allow the group members to create and use it.
Note: You can remove the privileges from the group by clearing the Create Network Security Groups checkbox.
Result: The group and its users are granted appropriate privileges.
To comply with security requirements, you can use pre-defined templates that cover common security scenarios or customize the firewall rules for your Network Security Groups (NSGs).
With customized firewall rules, you can define specific rules to address known security threats and vulnerabilities to support complex network architectures and applications, thus offering additional flexibility and control.
Template-based rules are pre-defined rules for you to apply to your NSGs. It is also possible to clone rules from an NSG in another data center.
For consistent security configurations across environments, whether within the same data center or replicated across different ones, you can clone existing security rules to ensure that identical security policies apply to multiple resources. It facilitates easier management and compliance across your cloud infrastructure and significantly reduces the time needed to set up security configurations.
To define rules, follow these steps:
1. Log in to the DCD with your username and password.
2. Go to Menu > Network > Network Security Groups.
3. Select a data center from the drop-down list.
4. Select an NSG to associate rules with it:
select the NAME of the respective NSG.
select View & Edit.
You can create customized firewall rules to secure your network from external threats and vulnerabilities.
1. Select Create Firewall Rule and enter the following details:
Name: A name for your firewall rule.
Protocol: Select a protocol from the drop-down list: UDP, TCP, ICMP, ICMPv6, GRE, VRRP, ESP, AH, and ANY.
Type: Select INGRESS or EGRESS to specify the direction of traffic flow that the rule applies to.
INGRESS: Select Ingress to control traffic that originates from outside the network and is destined for a resource within the network.
EGRESS: Select Egress to control traffic that originates from within the network and is destined for a resource outside the network.
IP Version: Select an appropriate version from the drop-down list: Auto, IPv4, and IPv6. Selecting Auto sets the type to IPv4 or IPv6 address based on your specific IP address.
Source MAC: Enter the Media Access Control (MAC) address of the source device that sends traffic to the network. You can specify a specific MAC address or use wildcards to match a range of MAC addresses. Examples: 00:11:22:33:44:55 (specific MAC address) or 00:*:*:*:*:* (wildcard to match any MAC address starting with 00).
Source IP: Enter the IP address of the source device from which the traffic originates. This field supports both IPv4 and IPv6 addresses.
Target IP: Enter the IP address of the target device that receives traffic from the network. This field supports both IPv4 and IPv6 addresses.
Port Range Start: Enter the starting port number of a range of ports that are affected by the NSG rule. The port range is inclusive, meaning that the starting port number is included in the range.
Port Range End: Enter the ending port number of a range of ports that are affected by the NSG rule. The value must be greater than or equal to the Port Range Start field.
ICMP Type: Enter the specific category of the ICMP message. Each ICMP Type corresponds to a particular function or indication of a network condition. This option is available for ICMP and ICMPv6 protocols only.
ICMP Code: Enter the ICMP code for the given ICMP Type. For example, for Type 3, which indicates a destination unreachable error, one common code is Code 0: Network Unreachable. This option is available for ICMP and ICMPv6 protocols only.
2. Select Create to confirm.
Result: The firewall rule is created and set to an Available state.
1. Select Rule from template to select a pre-defined template from the list:
Generic Webserver: The template contains customized rules to allow access to hosting web applications and maintain restricted outgoing traffic. It contains pre-defined:
Inbound rules that permit HTTP (Port 80) and HTTPS (Port 443) traffic from all sources.
Outbound rules that permit outbound traffic to ensure that the server can communicate with other services, such as databases and external APIs.
Mailserver: The template contains rules for secure email communication. It contains pre-defined:
Inbound rules that allow SMTP (Port 25), IMAP (Port 143), and POP3 (Port 110) traffic for incoming email services.
Outbound rules that allow required outbound protocols for sending emails and communicating with external mail servers.
Remote Access Linux: The template contains rules for remotely accessing Linux-based systems. It contains pre-defined:
Inbound rules that allow SSH (Port 22) traffic from trusted sources to facilitate secure remote access.
Outbound rules that allow necessary outbound communication for updates, package management, and other required services.
Remote Access Windows: The template contains rules for remotely accessing Windows-based systems. It contains pre-defined:
Inbound rules that allow RDP (Port 3389) traffic from specified IP addresses to secure remote desktop access to Windows servers.
Outbound rules that allow outbound connections to facilitate system updates and application communications.
2. Select Create in the Create firewall rules from template window to confirm creation.
Result: The template rule is created and set to an Available state.
Info: Cloning option is available only via the DCD.
1. Select Clone rules.
2. Select the following in the Clone firewall rules window:
Filter by datacenter: Select a data center from the drop-down list. All firewall rules defined for the NSGs associated with the respective data center are listed.
Filter by security group (optional): Select a specific network security group from the drop-down list to clone rules only from the specified NSG.
You can also use the Search option to look for a specific rule. To filter your options further, you can choose the data center, security group and a keyword to search for the matching rule.
3. The following details are displayed:
Name: Displays the name of the rule.
IPV: Displays the version of the IP address, either IPv4 or IPv6.
Type: Displays INGRESS or EGRESS based on the traffic flow direction.
Protocol: Displays the protocol selected during the rule definition.
Source MAC: Displays the source MAC address specified during the rule definition.
Source IP: Displays the source IP address specified during the rule definition.
Target IP: Displays the target IP address specified during the rule definition.
Port Range Start: Displays the starting port number of a range of ports that are affected by the NSG rule.
Port Range End: Displays the ending port number of a range of ports that are affected by the NSG rule.
ICMP Type: Displays the specific category of the ICMP message. Each ICMP Type corresponds to a particular function or indication of a network condition. This is displayed for ICMP and ICMPv6 protocols.
ICMP Code: Displays granularity regarding the status or error involved.
4. Select the appropriate checkboxes to clone the selected rules.
5. Select Clone rule(s).
Result: The selected rule(s) are cloned to the chosen NSG.
Info: After creation, you can modify the existing rule by selecting its NAME or clicking View & Edit. Remember that you can edit all field values except the Protocol and Type.
It's a good practice to regularly review your NSG rules and modify the existing rules to reflect changes in security protocols or policies or define new rules to address emerging security threats or changing business requirements.
To define rules, follow these steps:
1. Log in to the DCD with your username and password.
2. Go to Menu > Network > Network Security Groups.
3. Select a data center from the drop-down list.
4. Select an NSG in one of the following ways to modify it:
select the NAME of the respective NSG.
select View & Edit.
5. In the View & Edit Group window, select the rule in one of the following ways to modify it:
select the NAME of the respective rule.
select View & Edit.
6. Update the necessary details. You can only edit those values that are enabled for modification.
7. Select Edit.
Result: The selected rule is updated.
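The field constraints from the Create Firewall Rule form and the regular rule review recommended above can be checked mechanically. The following is an added example, not IONOS code: the dictionary keys are hypothetical names that mirror the form labels, the sample rules are constructed, and the handling of empty Source IP and empty port ranges is an assumption noted in the comments.

```python
import ipaddress

# Protocol and direction values are the ones listed in the Create Firewall Rule form.
PROTOCOLS = {"UDP", "TCP", "ICMP", "ICMPv6", "GRE", "VRRP", "ESP", "AH", "ANY"}
REMOTE_ACCESS = {22: "SSH", 3389: "RDP"}  # ports named by the Remote Access templates

def is_any_source(source_ip):
    """Assumption: an empty Source IP or a /0 prefix matches every sender."""
    if not source_ip:
        return True
    return ipaddress.ip_network(source_ip, strict=False).prefixlen == 0

def audit_rule(rule):
    """Return findings for one rule dict; the key names are hypothetical."""
    findings = []
    proto, direction = rule.get("protocol"), rule.get("type")
    start, end = rule.get("port_range_start"), rule.get("port_range_end")
    if proto not in PROTOCOLS:
        findings.append(f"unknown protocol {proto!r}")
    if direction not in ("INGRESS", "EGRESS"):
        findings.append(f"type must be INGRESS or EGRESS, got {direction!r}")
    if start is None and end is None:
        span = range(1, 65536)  # assumption: no port range means all ports
    elif start is None or end is None:
        findings.append("port range needs both start and end")
        span = range(0)
    else:
        if not (1 <= start <= 65535 and 1 <= end <= 65535):  # assumed valid bounds
            findings.append("port outside 1-65535")
        elif end < start:
            findings.append("Port Range End is lower than Port Range Start")
        span = range(start, end + 1)  # empty when end < start
    if proto not in ("ICMP", "ICMPv6") and (
        rule.get("icmp_type") is not None or rule.get("icmp_code") is not None
    ):
        findings.append("ICMP Type/Code set on a non-ICMP protocol")
    try:
        any_source = is_any_source(rule.get("source_ip"))
    except ValueError:
        findings.append(f"invalid Source IP {rule.get('source_ip')!r}")
        any_source = False
    if direction == "INGRESS" and any_source and proto in ("TCP", "ANY"):
        for port, service in REMOTE_ACCESS.items():
            if port in span:
                findings.append(f"{service} ({port}) reachable from any source")
    return findings

def audit(rules):
    """Map each rule name to its list of findings."""
    return {rule["name"]: audit_rule(rule) for rule in rules}

SAMPLE_RULES = [  # constructed sample data, not exported from a real NSG
    {"name": "ssh-admin", "protocol": "TCP", "type": "INGRESS",
     "source_ip": "203.0.113.10", "port_range_start": 22, "port_range_end": 22},
    {"name": "rdp-open", "protocol": "TCP", "type": "INGRESS",
     "source_ip": "0.0.0.0/0", "port_range_start": 3000, "port_range_end": 4000},
    {"name": "bad-range", "protocol": "UDP", "type": "EGRESS", "source_ip": None,
     "port_range_start": 500, "port_range_end": 100, "icmp_type": 3},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, findings or "ok")
```

A wide port range such as 3000-4000 is flagged because it contains the RDP port, which is easy to miss when reading the rule list by eye.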
Configuring Network Security Groups (NSGs) in your Virtual Data Center (VDC) lets you manage and filter the network traffic entering or exiting the VDC according to your specific security rules and requirements.
NSGs provide a level of granular customization that guarantees a secure environment while allowing the necessary connectivity. They protect your virtual networks from unauthorized access, malicious activity, and other security threats.
To create an NSG, follow these steps:
2. Select one of these:
You can delete the rules associated with an NSG. For example, you can delete rules defined for decommissioned resources or during security protocol updates. It is mandatory to understand the implications of deleting rules to prevent unintended disruptions or vulnerabilities.
To delete a rule, follow these steps:
2. Go to Menu > Network > Network Security Groups.
3. Select the NAME of the respective security group or click View & Edit.
4. Select the checkbox(es) in the View & Edit Group window and select:
Delete to delete a rule.
Delete Rules to delete a single or multiple rules at once.
5. Select Delete in the Delete firewall rule(s) pop-up window to confirm deletion.
Result: The selected rules are queued for deletion and eventually deleted.
After creating an NSG, you can manage it via the Update Security Group window.
To update the details, follow these steps:
2. Go to Menu > Network > Network Security Groups.
3. Select the required security group in the Network Security Groups window. You can either select the NAME of the respective security group or select View & Edit for the respective security group:
4. Select Edit group in the Security group details section of the View & Edit Group window.
5. Modify the group's Name or Description.
6. Select Edit.
Result: The selected NSG is updated.
To view the list of NSGs that are associated with a data center, follow these steps:
2. Go to Menu > Network > Network Security Groups.
3. Select a data center from the Showing results for datacenter: drop-down list to view the NSGs associated with it.
Result: A list of security groups is displayed. The table also displays the network security group's name, state, the number of servers or NICs attached to it, the total number of rules defined for the respective NSG, and whether it is a default group. You can select a specific data center to view all its associated NSGs, copy the respective NSG's UUID, attach an NSG to a server or an NIC, set the group as a default group, create new custom groups, or delete existing security groups.
With NSGs, administrators can control and filter incoming and outgoing traffic to Virtual resources. When you attach NSGs to servers or NICs, you can enforce granular security policies by restricting access to specific servers or NICs to secure your network from malicious activity, unauthorized access, and security threats.
Reviewing your configuration is vital to ensure it meets changing security requirements.
Prerequisite: Ensure that the NSGs are configured with appropriate firewall or template rules.
To attach an NSG to a server or NIC, follow these steps:
2. Go to Menu > Network > Network Security Groups.
3. Select the checkbox(es) to associate the chosen NSG(s) with a server or an NIC.
4. Select Attach NSG to.
5. Select one of the following in the Attach Network Security Groups pop-up window:
Select the target VM or NIC:
Server: Select a server from the drop-down list. The list contains the servers that you have configured in the respective data center. Upon selection, the chosen NSG(s) are automatically configured for all the NICs associated with the corresponding server.
NIC: Select an NIC from the drop-down list. The list contains the NICs that are associated with the respective data center. The selected NSG(s) are associated with the selected NIC upon selection. It is beneficial for granular control, where you can apply NSGs to individual VMs or NICs requiring unique security configurations.
What action should be taken with the selected Network Security Groups?
Add selected security groups without affecting any existing ones: Select the option to add the selected NSGs without affecting the existing NSGs.
Replace any existing security groups with the selected ones: Select the option to replace the existing NSGs with the selected NSGs. All the rules of the chosen server or the NIC will be overridden with the rules of the new NSGs.
Result: The selected security group(s) is associated with the selected server or the NIC.
Default NSGs provide a standardized set of security rules and automatically add every newly provisioned VM as a member, making it easier to maintain and scale your network security as your organization grows. It also reduces administrative overhead by eliminating the need to configure and update security rules manually.
Prerequisites:
Ensure that you have appropriate permissions to create NSGs. Only contract administrators, owners, and users with permissions to the corresponding VDC can create and manage NSGs.
Note:
Only one security group can be a default group at a time.
To convert a custom NSG to a default NSG, follow these steps:
2. Go to Menu > Network > Network Security Groups.
3. Select a data center from the drop-down list.
4. Select an NSG and click Set as default in the Network Security Groups window to convert the respective custom group to default.
Alternatively, on the Network Security Groups window, you can select the NAME of the respective security group or select View & Edit for the respective security group:
Next, select Set as default in the Security Group Details window.
5. Select Confirm in the pop-up window.
Result: The selected NSG is converted to the default group.
1. Select Remove default status in the View & Edit Group window to remove the default status.
2. Select Confirm to confirm the status change.
NSGs are of two types: Default and Custom. You can choose between a Default or a Custom NSG and customize them according to your needs. For more information, see .
Prerequisites: Ensure that you have appropriate permissions to the data centers and to create NSGs. For more information, see .
1. Log in to the DCD with your username and password.
1. and choose whether to select the Create default network security group checkbox based on your preference:
2. Select the Create default network security group checkbox.
Result: The default group is created with four default rules. For more information, see . All servers and NICs associated with the respective data center inherit default rules. If you add new VMs to the data center, all of its NICs inherit the rules from the default NSG.
1. Go to Menu > Network > Network Security Groups.
2. Select Create security group in the Network Security Groups window.
3. Enter the following details:
Datacenter: Select a data center from the drop-down list for which you want to configure a security group.
Name: Enter a name for your security group.
Description: Enter additional information about the security group.
4. Click Create to save the details.
Result: The desired NSG is created and set to an Available state.
1. Log in to the DCD with your username and password.
1. Log in to the DCD with your username and password.
Additionally, you can select Set as default to set it as the default group or select Delete to delete the group. For more information about creating or modifying associated rules, see and , respectively.
1. Log in to the DCD with your username and password.
1. Log in to the DCD with your username and password.
A default security group is created with the four default rules. However, the rules are not created when you convert an existing custom NSG to a default NSG. For more information, see .
1. Log in to the DCD with your username and password.
3. Optionally, you can add custom rules to the default group or create new custom groups for customized rules. For more information, see . Remember to , whichever is applicable.
You can delete an NSG if it is no longer needed to avoid potential security risks. Outdated NSGs allow unauthorized access to resources, resulting in security vulnerabilities. Deleting an NSG also deletes the rules associated with the respective NSG.
To delete an NSG, follow these steps:
1. Log in to the DCD with your username and password.
2. Go to Menu > Network > Network Security Groups.
3. Select Delete to delete the respective security group.
Alternatively, you can also select the NAME of the respective security group and select Delete in the View & Edit Group window.
4. Select Delete to confirm deletion in the Delete security group pop-up window.
Result: The selected security group and its associated rules are queued for deletion and eventually deleted.
You can configure Network Security Groups (NSGs) via the DCD and associate them with Network Interface Cards (NICs) or Virtual Machine (VM) resources.
Prerequisites: Contract administrators and owners can create, access, manage, and use NSGs without additional permissions. For more information, see Set User Privileges for Network Security Groups.
Set User Privileges for Network Security Groups
Learn how to set User privileges for security groups.
Create Default or Custom Network Security Groups
Learn how to create a Default or Custom NSG.
Create Rules
Learn how to define rules.
View Rules
Learn how to view rules associated with an NSG.
Modify Rules
Learn how to modify associated rules.
Delete Rules
Learn how to delete associated rules.
Convert Custom Network Security Group to Default
Learn how to convert a Custom NSG to a Default NSG and vice versa.
Attach a Server or NIC to an NSG
Learn how to attach an NSG to a server or an NIC.
View Network Security Groups
Retrieve a list of all the NSGs.
Update Network Security Groups
Learn how to update an NSG.
Delete Network Security Groups
Learn how to delete your NSGs.