NFS share
Use the Read/write Clients and Read-only Clients lists to control client access to an NFS share. If these lists are empty, any client on the network can mount the share. For configuration steps, see Share Settings.
SMB share
Use a security group to control client access to an SMB share. A security group acts as a virtual firewall that controls inbound and outbound traffic for an ECS instance.
The gateway automatically configures port 445 for SMB traffic. The default rule allows access from the following private CIDR blocks:
|
Action |
Protocol type |
Port range |
Authorization object |
|
Allow |
Custom TCP |
445 |
10.0.0.0/8 172.0.0.0/8 192.0.0.0/8 |
To restrict access from specific IP addresses or CIDR blocks, you can add a custom inbound rule to the security group. Lower priority values have higher precedence (1 is the highest). When multiple rules match an IP address, the rule with the highest priority is applied.
For more information about security groups, see Security group overview.
Add an inbound rule to restrict SMB access
-
Do not modify the default security group rule for the SMB (445) port.
-
The security group rules for the SMB (445) port apply to all SMB shares on the gateway.
-
Go to the Security Groups page on the ECS console.
-
In the upper-left corner of the page, select the resource group and region that contain your target resource.
-
In the search box, enter the gateway ID to find the corresponding security group.
The name of the security group starts with
sg-Cloud_Storage_Gateway_, and its type is basic security group. -
Click the security group ID to go to the Security Group Details page. On the .
-
Configure a custom security group rule. The following example denies access from
192.168.0.0/24:Direction
Action
Priority
Protocol type
Port range
Authorization object
Inbound
Deny
1
Custom TCP
445/445
192.168.0.0/24
Note-
To deny access from specific IP addresses or CIDR blocks, set Action to Deny.
-
To allow access from specific IP addresses or CIDR blocks, set Action to Allow.
For more information, see Security group rules.
-