This topic describes how to use prefix lists to simplify management of security group rules.
Background information
A prefix list is a set of one or more network prefixes (CIDR blocks). You can reference a prefix list when you configure security group rules: the rule stores a reference to the list, not a copy of its entries, so when the entries of the prefix list are modified, every security group rule that references the list changes with it. You can put frequently used IP addresses in a prefix list and reference the prefix list in security group rules instead of referencing the IP addresses individually. This way, you can consolidate security group rules that share the same attributes except for the authorization object into a single rule that uses the prefix list as the authorization object, and reduce the burden of managing security group rules. For more information about prefix lists, see Overview.
Use scenarios
Assume that you have planned multiple security domains for your cloud resources to keep them isolated, and that each security domain corresponds to a security group. A shared resource outside the cloud, such as an office network, needs access to your resources in several of these security domains, and the CIDR blocks of that shared resource change over time.
If you do not use the prefix list feature, you must configure, in each of the affected security groups, one rule per CIDR block of the shared resource, with the CIDR block as the authorization object. These rules share the same attributes except for the authorization object. Each time the CIDR blocks of the shared resource change, you must modify the corresponding rules in the security groups of every security domain. The greater the number of security groups and CIDR blocks, the more difficult it is to manage the security group rules.
If you use the prefix list feature, you can create a prefix list from the CIDR blocks of the shared resource and configure, in each security group, a single rule that references the prefix list as the authorization object. When the CIDR blocks of the shared resource change, you only need to modify the corresponding entries in the prefix list, and the associated security group rules are updated automatically. This eliminates the need to modify the security group rules one by one and simplifies their management. Because a single edit to the prefix list takes effect in every security group that references it, check which security groups are associated with the prefix list before you modify its entries, so that you know the scope of the change you are about to make.
If you have resources in multiple Alibaba Cloud regions, you can use the clone feature to clone prefix lists across regions.
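As an added example that is not part of this documentation or of Alibaba Cloud's own code, the following Python models the behaviour described above offline: rules in many security groups reference one prefix list by ID, and a single edit to the list changes what every referencing rule allows, while a group that copied the CIDR block literally is left behind. It also shows the two checks a practitioner wants before and after such an edit: which groups reference the list (what an association lookup would tell you) and which groups currently admit a given source address, protocol and port. The `Account`, `Rule`, `PrefixList` and `SecurityGroup` classes, the IDs (`pl-office-demo`, `sg-demo-…`, `sg-legacy-copy`) and the CIDR blocks (TEST-NET documentation ranges) are assumptions constructed for the illustration; real security groups also have rule priorities and drop-rule precedence, which this model deliberately ignores.

```python
"""Added example, not Alibaba Cloud's own code: an offline model of security
group rules that reference a prefix list by ID, with pre-change audit checks.
All IDs, names and CIDR blocks below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrefixList:
    prefix_list_id: str
    max_entries: int
    entries: dict = field(default_factory=dict)   # cidr -> description

    def add(self, cidr, description=""):
        # strict=True rejects a block with host bits set, e.g. 203.0.113.5/24
        net = str(ipaddress.ip_network(cidr, strict=True))
        if net not in self.entries and len(self.entries) >= self.max_entries:
            raise ValueError(f"{self.prefix_list_id}: MaxEntries={self.max_entries} reached")
        self.entries[net] = description

    def remove(self, cidr):
        self.entries.pop(str(ipaddress.ip_network(cidr)), None)


@dataclass
class Rule:
    policy: str                        # "accept" or "drop"
    ip_protocol: str                   # "tcp", "udp", "icmp" or "all"
    port_range: str                    # "22/22", or "-1/-1" for all ports
    source_cidr: str = None            # authorization object: a literal CIDR ...
    source_prefix_list_id: str = None  # ... or a reference to a prefix list


@dataclass
class SecurityGroup:
    group_id: str
    rules: list = field(default_factory=list)


def _port_matches(port_range, port):
    lo, hi = (int(p) for p in port_range.split("/"))
    return lo == -1 or lo <= port <= hi


class Account:
    def __init__(self):
        self.prefix_lists, self.groups = {}, {}

    def associations(self, prefix_list_id):
        """Groups whose rules reference the list: the blast radius of an edit."""
        return sorted(g.group_id for g in self.groups.values()
                      if any(r.source_prefix_list_id == prefix_list_id for r in g.rules))

    def effective_sources(self, rule):
        """Expand the rule's authorization object to the networks it allows right now."""
        if rule.source_prefix_list_id:
            entries = self.prefix_lists[rule.source_prefix_list_id].entries
            return [ipaddress.ip_network(c) for c in entries]
        return [ipaddress.ip_network(rule.source_cidr)]

    def groups_allowing(self, src_ip, protocol, port):
        """Groups with an accept rule that admits src_ip on protocol/port.
        Simplification: rule priority and drop-rule precedence are not modelled."""
        ip = ipaddress.ip_address(src_ip)
        hits = []
        for g in self.groups.values():
            for r in g.rules:
                if r.policy != "accept" or r.ip_protocol not in ("all", protocol):
                    continue
                if _port_matches(r.port_range, port) and any(ip in n for n in self.effective_sources(r)):
                    hits.append(g.group_id)
                    break
        return sorted(hits)


def build_demo(group_count=50):
    """Constructed data: 50 groups reference one office prefix list; one group
    copied a CIDR literally, the way rules were written before prefix lists."""
    acct = Account()
    office = PrefixList("pl-office-demo", max_entries=10)
    office.add("203.0.113.0/24", "office HQ")
    office.add("198.51.100.0/24", "office branch")
    acct.prefix_lists[office.prefix_list_id] = office
    for i in range(group_count):
        g = SecurityGroup(f"sg-demo-{i:02d}")
        g.rules.append(Rule("accept", "tcp", "22/22", source_prefix_list_id="pl-office-demo"))
        acct.groups[g.group_id] = g
    legacy = SecurityGroup("sg-legacy-copy")
    legacy.rules.append(Rule("accept", "tcp", "22/22", source_cidr="198.51.100.0/24"))
    acct.groups[legacy.group_id] = legacy
    return acct


def rotate_branch_range(acct, old="198.51.100.0/24", new="192.0.2.0/24"):
    """The branch office moved: one edit to the list, every referencing rule follows.
    Returns the groups affected, captured before the edit, for review."""
    affected = acct.associations("pl-office-demo")
    office = acct.prefix_lists["pl-office-demo"]
    office.remove(old)
    office.add(new, "office branch (new range)")
    return affected


if __name__ == "__main__":
    acct = build_demo()
    print("groups admitting old branch range:", len(acct.groups_allowing("198.51.100.5", "tcp", 22)))
    print("groups affected by the edit:", len(rotate_branch_range(acct)))
    print("still admitting old range:", acct.groups_allowing("198.51.100.5", "tcp", 22))
    print("now admitting new range:", len(acct.groups_allowing("192.0.2.7", "tcp", 22)))
```

Running the script shows 51 groups admitting the old branch range before the edit (50 via the prefix list plus the one literal copy), 50 groups reported as affected, only `sg-legacy-copy` still admitting the old range afterwards, and all 50 referencing groups admitting the new range; the literal-copy group is exactly the kind of stale rule the prefix list feature is meant to eliminate. The `associations` lookup is the check to run first, since the same single edit that saves you 50 rule changes also removes access from 50 groups at once if you get it wrong.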
Procedure
More use scenarios
The following table compares the number of operations required with and without prefix lists. It assumes 50 security groups that must all allow or deny the same five IP addresses, and that each security group references the prefix list with a single rule.
Scenario | Security group rules that reference individual IP addresses | Security group rules that reference a prefix list |
---|---|---|
Deny access from five IP addresses that are currently allowed | Removing the five allow rules that reference the five IP addresses one by one from each of the 50 security groups requires 250 remove operations. Even if you batch remove the five allow rules from each security group, 50 remove operations are still required. | Removing the five entries that contain the five IP addresses one by one from the prefix list requires five remove operations. If you batch remove the five entries from the prefix list, only one remove operation is required. |
Modify rules or entries to allow access from five new IP addresses | Modifying five rules in each of the 50 security groups requires 250 modify operations. | Modifying the five entries in the prefix list requires five modify operations. |
Add rules or entries to allow access from five IP addresses | Adding five rules to each of the 50 security groups requires 250 add operations. Even if you add a single rule that references the five IP addresses to each security group, 50 add operations are still required. | Adding five entries to the prefix list requires five add operations. If you add a single entry (one CIDR block that covers the five IP addresses) to the prefix list, only one add operation is required. |
Modify rules or entries to allow access from five IP addresses, and add rules or entries to allow access from another five IP addresses | Modifying five rules in each of the 50 security groups and then adding five rules to each security group requires a total of 500 operations. Even if you modify five rules and add a single rule that references the other five IP addresses in each security group, a total of 300 operations are still required. | Modifying five entries and adding five entries in the prefix list requires a total of 10 operations. If you modify five entries and add a single entry that covers the other five IP addresses, a total of six operations are required. |