
Cloud Storage Gateway: How do I restrict the client IP addresses that can access shares?

Last Updated: Mar 25, 2025

This topic describes how to restrict the client IP addresses that can access shares.

NFS shares

You can configure the Read/write Clients and Read-only Clients parameters of an NFS share to restrict the client IP addresses that can access the share. For more information, see Configure a share.

SMB shares

You can configure the security group of Elastic Compute Service (ECS) instances to restrict the client IP addresses that can access an SMB share. A security group acts as a virtual firewall that controls inbound and outbound traffic for ECS instances. For more information, see Overview.

The port used to access an SMB share is automatically set to 445 by the gateway. The following table shows the default security group rule configured for this port. You can also add security group rules to allow or deny access from specific IP addresses or CIDR blocks.

| Action | Protocol Type | Port Range | Authorization Object |
|--------|---------------|------------|----------------------|
| Allow | Custom UDP | 445 | 10.0.0.0/8, 172.0.0.0/8, 192.0.0.0/8 |

Procedure

Important
  • Do not modify the default security group rule configured for port 445.

  • The security group rules configured for port 445 apply to all SMB shares under the gateway.

  1. Go to the Security Groups page in the ECS console.

  2. In the upper-left part of the page, select the resource group and region of the security group that you want to configure.

  3. Enter the gateway ID in the search box to find the security group.

  4. Click the ID of the security group. The Security Group Details page appears. On the Inbound tab, click Add Rule.

  5. Add a custom security group rule. The following table provides an example of how to configure the parameters in the rule.

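    | Direction | Action | Priority | Protocol Type | Port Range | Authorization Object |
    |-----------|--------|----------|---------------|------------|----------------------|
    | Inbound | Deny | 1 | Custom TCP | Destination: 445/445 | Source: 192.168.0.**** |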

    Note
    • To deny access from specific IP addresses or CIDR blocks, set Action to Deny.

    • To allow access from specific IP addresses or CIDR blocks, set Action to Allow.

    For more information about security group rules, see Security group rules.
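
The following Python check is an added example, not part of the Cloud Storage Gateway documentation. It evaluates the default port 445 rule together with a planned custom rule and reports which client IP addresses would be admitted, so a rule can be reviewed before it is added in the console. Assumptions: a lower priority number wins, Deny wins when priorities are equal, unmatched inbound traffic is denied, the default rule has priority 1 (the page does not state it), only port and source are matched (protocol type is ignored), and the custom source CIDR and all client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "Allow" or "Deny"
    priority: int  # assumption: 1 is the highest priority
    port: int
    source: str    # IP address or CIDR block


# Default rule from the table on this page; priority 1 is an assumption.
DEFAULT_RULES = [Rule("Allow", 1, 445, cidr)
                 for cidr in ("10.0.0.0/8", "172.0.0.0/8", "192.0.0.0/8")]

# Constructed custom rule in the shape of step 5 (placeholder source CIDR).
CUSTOM_RULES = [Rule("Deny", 1, 445, "192.168.50.0/24")]


def decide(client_ip, rules, port=445):
    """Return (action, winning_rule); ("Deny", None) when no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    matches = [r for r in rules
               if r.port == port
               and ip in ipaddress.ip_network(r.source, strict=False)]
    if not matches:
        return "Deny", None  # assumption: unmatched inbound traffic is dropped
    # Lowest priority number wins; on a tie, Deny sorts before Allow.
    winner = min(matches, key=lambda r: (r.priority, r.action != "Deny"))
    return winner.action, winner


def audit(clients, rules):
    """Map each client IP to the action the rule set yields on port 445."""
    return {ip: decide(ip, rules)[0] for ip in clients}


if __name__ == "__main__":
    clients = [
        "10.1.2.3",      # inside 10.0.0.0/8
        "192.168.50.7",  # inside the constructed Deny CIDR
        "192.168.1.7",   # inside 192.0.0.0/8, not denied
        "172.200.1.1",   # inside 172.0.0.0/8 but outside RFC 1918 172.16.0.0/12
        "203.0.113.5",   # matches no rule
    ]
    for ip, action in audit(clients, DEFAULT_RULES + CUSTOM_RULES).items():
        print(f"{ip:15} {action}")
```

Under these assumptions, a Deny rule only overrides the default Allow rule if its priority number is equal to or lower than the default rule's.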