Configure security group rules
Cloud-native API Gateway and your backend services may reside in different security groups. Add security group rules to grant the gateway access to your backend services.
Background
A security group is a virtual firewall that controls inbound and outbound traffic for ECS instances and ENIs through stateful packet inspection and filtering. Configure security group rules to isolate security domains in the cloud. Security group overview.
When you create a Cloud-native API Gateway instance, you select a VPC and a security group type. Select the same type as your backend service. The gateway creates a managed security group for its instance nodes. Because the gateway and backend service nodes are in different security groups, you must add a rule to the backend service's security group to allow gateway access on the required port ranges.
The figure shows how Cloud-native API Gateway uses security groups to control network access and route traffic:
-
A client sends a request through Cloud-native API Gateway to the internal network.
-
The gateway routes traffic to
service-sg1andservice-sg2based on routing rules. -
The pod in
service-sg1handles requests on port 8080. -
The ECS instance in
service-sg2handles requests on ports 80 through 9000.
Step 1: Find the security group
Backend services for Cloud-native API Gateway are typically deployed in Container Service for Kubernetes (ACK) or on ECS instances. Find the security group ID of your backend service.
Container Service (ACK)
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click .
-
On the Node Pools page, click the target node, and then click the Basic Information tab to find the security group ID.
ECS instance
Log in to the ECS console.
In the left-side navigation pane, choose .
-
On the Instances page, click the target ECS instance, and then click the Security Groups tab to find the security group ID.
Step 2: Add a security group rule
Log on to the API Gateway console.
In the left-side navigation pane, click . In the top navigation bar, select a region.
On the Instance page, click the target instance ID.
-
In the left-side navigation pane, click Overview, and then click the Security Group Authorizations tab.
-
Click Add Security Group Rule. In the Security Group ID text box, paste the security group ID from Step 1, and then select the security group.
-
Enter the Port Range for the security group authorization: Start port/End port.
You can enter multiple port ranges. Press Enter after each range.
-
Click Save.
-
Cloud-native API Gateway creates the corresponding rule.
-
The rule also appears in the target node's security group.
-
Delete a security group rule
Log on to the API Gateway console.
In the left-side navigation pane, click . In the top navigation bar, select a region.
On the Instance page, click the target instance ID.
-
Click the Security Group Authorizations tab. Find the rule that you want to delete, click Delete in the Actions column, and then click OK.
By default, only the gateway's security group rule is deleted. To also remove the inbound rule from the target node's security group, select The preceding inbound rules in the security group are also deleted.
FAQ
Service inaccessible after adding a rule
Check the following:
-
Check if you added the rule to the correct security group.
For example, the service runs on Node A, but the rule was added to Node B's security group.
-
Check if the target node belongs to multiple security groups.
If so, add the authorization rule to each security group.
Previously accessible service now fails
Check the following:
-
Verify that your service is running correctly.
Run
curlfrom another node in the same security group to verify connectivity. -
Check if the port exposed by your service has changed.
For example, if the service moved from port 8080 to 8081 but the rule only covers 8080, access fails. To avoid this, use a wider port range such as 1-65535.