Elastic Desktop Service (EDS) Enterprise provides public bandwidth for user network access and uses security measures to protect cloud computers from external and internal threats. To help you manage network behavior, EDS Enterprise provides security group and domain name control policies to control user network access.
01 Network access
1.1 Security group policies
Elastic Desktop Service (EDS) Enterprise provides administrators with security group control policies to manage network access permissions for cloud computers within their organization. A security group control policy consists of a set of security group rules. Similar to Elastic Compute Service security group rules, you can set the rule direction (inbound or outbound), action (Allow or Deny), priority, protocol type, port range, authorization object (an IP address or CIDR block), and description. By combining rules with different scopes and priorities, administrators can implement a whitelist approach, allowing access only from specified sources.
You can add inbound or outbound security group control rules to further control the traffic of your cloud computers. The following are example configurations for security group control rules:
Scenario 1
By default, all outbound access from a cloud computer is allowed. You can add the following outbound rules to allow access only to specific IP addresses:
Rule 1: Deny all outbound access. Example:
Direction | Policy | Priority | Protocol type | Port range | Authorization object |
Outbound | Deny | 2 | All | -1/-1 | 0.0.0.0/0 |
Rule 2: Allow access to a specific IP address. The priority of this rule must be higher than that of Rule 1; a smaller number means a higher priority, so priority 1 takes precedence over priority 2 and the Allow rule is evaluated before the catch-all Deny. Example:
Direction | Policy | Priority | Protocol type | Port range | Authorization object |
Outbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address to allow access to, for example: 192.168.1.1/32. |
Scenario 2
In a VPC environment, you can add an inbound rule to allow access from a specific IP address to the cloud computer. Example:
Direction | Policy | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address to allow access from, for example: 192.168.1.1/32. |
Scenario 3
Assume Cloud Computer A is associated with Policy A, and Cloud Computer B is associated with Policy B. In a VPC environment, Cloud Computer A and Cloud Computer B cannot communicate with each other because all inbound access is denied by default. You can add the following inbound rules to Policy A and Policy B to enable network communication between them:
In Policy A, add an inbound rule to allow access from Cloud Computer B. Example:
Direction | Policy | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | IP address of Cloud Computer B. |
In Policy B, add an inbound rule to allow access from Cloud Computer A. Example:
Direction | Policy | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | IP address of Cloud Computer A. |
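The three scenarios above all depend on the same evaluation order: the matching rule with the smallest priority number wins, and traffic that matches no rule falls back to the direction's default (outbound allowed, inbound denied). The following evaluator, added here as an illustration and not part of EDS or this page, lets you check a rule set offline before applying it. It encodes Scenario 1 (egress allowlist) and Scenario 3 (Policy A admitting Cloud Computer B), flags an Allow rule that is shadowed by a higher-priority Deny (the mistake of giving the catch-all Deny priority 1), and uses constructed addresses and ports (10.0.0.20, 10.0.0.30, TCP 443 and 445; 192.168.1.1/32 is the page's own example). Tie-breaking between rules of equal priority is not described on the page; the evaluator assumes Deny wins a tie.

```python
"""Offline evaluator for EDS security group control rules (added example, not EDS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults stated on the page: outbound traffic is allowed, inbound traffic is denied.
DEFAULT_ACTION = {"outbound": "Allow", "inbound": "Deny"}


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound"
    action: str             # "Allow" or "Deny"
    priority: int           # 1 is the highest priority, as in the page's examples
    protocol: str           # "All", "TCP", "UDP" or "ICMP"
    port_range: str         # "-1/-1" = all ports, otherwise "low/high"
    cidr: str               # authorization object: an IP address or CIDR block
    description: str = ""

    def ports(self) -> Tuple[int, int]:
        if self.port_range == "-1/-1":
            return 0, 65535
        lo, hi = (int(p) for p in self.port_range.split("/"))
        return lo, hi

    def network(self):
        return ipaddress.ip_network(self.cidr, strict=False)

    def matches(self, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.protocol != "All" and self.protocol.upper() != protocol.upper():
            return False
        lo, hi = self.ports()
        if not lo <= port <= hi:
            return False
        return ipaddress.ip_address(peer_ip) in self.network()


def evaluate(rules: List[Rule], direction: str, protocol: str, port: int,
             peer_ip: str) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule). Lowest priority number wins; on equal priority
    Deny is tried first (assumption: the page does not state a tie-breaking rule)."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "Deny")):
        if rule.matches(direction, protocol, port, peer_ip):
            return rule.action, rule
    return DEFAULT_ACTION[direction], None


def shadowed_allows(rules: List[Rule]) -> List[Rule]:
    """Allow rules that can never match because a Deny with a strictly higher priority
    (smaller number) covers the same direction, protocol, port range and addresses."""
    shadowed = []
    for a in (r for r in rules if r.action == "Allow"):
        a_lo, a_hi = a.ports()
        a_net = a.network()
        for d in (r for r in rules if r.action == "Deny" and r.direction == a.direction):
            if d.priority >= a.priority:
                continue
            if d.protocol != "All" and d.protocol.upper() != a.protocol.upper():
                continue
            d_lo, d_hi = d.ports()
            d_net = d.network()
            if (d_lo <= a_lo and a_hi <= d_hi and a_net.version == d_net.version
                    and a_net.subnet_of(d_net)):
                shadowed.append(a)
                break
    return shadowed


# Scenario 1 as written on the page: the Allow outranks the catch-all Deny.
SCENARIO_1 = [
    Rule("outbound", "Deny", 2, "All", "-1/-1", "0.0.0.0/0", "deny everything else"),
    Rule("outbound", "Allow", 1, "TCP", "443/443", "192.168.1.1/32", "HTTPS to the permitted host"),
]
# Mis-ordered variant: the Deny gets priority 1, so the Allow can never match.
SCENARIO_1_BROKEN = [
    Rule("outbound", "Deny", 1, "All", "-1/-1", "0.0.0.0/0", "deny everything else"),
    Rule("outbound", "Allow", 2, "TCP", "443/443", "192.168.1.1/32", "HTTPS to the permitted host"),
]
# Scenario 3, Policy A (attached to Cloud Computer A). 10.0.0.20 is a constructed address for B.
POLICY_A = [
    Rule("inbound", "Allow", 1, "TCP", "445/445", "10.0.0.20/32", "file share on A, reachable from B"),
]

if __name__ == "__main__":
    for ip, port in (("192.168.1.1", 443), ("192.168.1.1", 80), ("8.8.8.8", 443)):
        print("outbound TCP", ip, port, "->", evaluate(SCENARIO_1, "outbound", "TCP", port, ip)[0])
    print("shadowed in broken set:", [r.description for r in shadowed_allows(SCENARIO_1_BROKEN)])
    print("inbound from B ->", evaluate(POLICY_A, "inbound", "TCP", 445, "10.0.0.20")[0])
    print("inbound from C ->", evaluate(POLICY_A, "inbound", "TCP", 445, "10.0.0.30")[0])
```

Run `shadowed_allows` over any policy before applying it: an allowlist in which every Allow is reported as shadowed is a policy that silently denies all traffic.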
1.2 Domain name control
Elastic Desktop Service (EDS) Enterprise provides domain name control policies that allow administrators to manage network access for cloud computers at the domain name level. Unlike security group control policies, domain name control uses DNS rules to manage access by domain name. For each rule, you configure the domain name and an action (Allow or Deny). This feature also supports wildcards (*), which significantly simplifies the process of managing access to specific websites and services.
For example, to implement fine-grained access control for the domains listed in the following table, you can configure the DNS rules as shown.
Domain | Example | Access policy | Description |
Second-level domain | | Allow | When the cloud computer accesses |
Third-level domain | | Deny | When the cloud computer accesses |
| | Allow | When the cloud computer accesses |
Fourth-level domain | | Deny | When the cloud computer accesses |
| | Allow | When the cloud computer accesses |
| | Allow | |
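The table above mixes exact domain names with wildcard rules at different depths, and the result depends on which rule wins when several match. The matcher below is an added illustration, not EDS code and not the page's own rule set: it treats a leading `*` as one or more labels and lets the most specific matching rule win (an exact name beats a wildcard, a deeper wildcard beats a shallower one). Both that precedence order and the fallback action for names that match nothing are assumptions, since the page does not state them. The rule set uses the reserved documentation domain example.com and is constructed to have the same shape as the table: one second-level Allow, a third-level Deny with an exception, and a fourth-level Deny with an exception.

```python
"""Matcher for domain name control rules with '*' wildcards (added example, not EDS code)."""
from typing import List, Optional, Tuple

DnsRule = Tuple[str, str]   # (domain name pattern, "Allow" or "Deny")


def labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def rule_matches(pattern: str, name: str) -> bool:
    """A leading '*' stands for one or more labels (assumption); other labels must match exactly.
    '*.example.com' therefore matches 'www.example.com' but not 'example.com' itself."""
    p, n = labels(pattern), labels(name)
    if p[0] == "*":
        fixed = p[1:]
        return len(n) > len(fixed) and n[-len(fixed):] == fixed
    return p == n


def specificity(pattern: str) -> Tuple[bool, int]:
    """Exact names beat wildcards; among patterns of the same kind, more labels wins."""
    return (labels(pattern)[0] != "*", len(labels(pattern)))


def decide(rules: List[DnsRule], name: str, default: str = "Deny") -> Tuple[str, Optional[str]]:
    """Return (action, winning pattern). Most specific match wins; a name that matches no
    rule gets `default`. Precedence and default are assumptions, not stated on the page."""
    winner: Optional[DnsRule] = None
    for rule in rules:
        if rule_matches(rule[0], name) and (
                winner is None or specificity(rule[0]) > specificity(winner[0])):
            winner = rule
    if winner is None:
        return default, None
    return winner[1], winner[0]


# Constructed rule set shaped like the page's table.
RULES: List[DnsRule] = [
    ("example.com", "Allow"),               # second-level domain
    ("*.example.com", "Deny"),              # third-level: block every subdomain ...
    ("mail.example.com", "Allow"),          # ... except mail
    ("*.cdn.example.com", "Deny"),          # fourth-level: block the whole CDN subtree ...
    ("static.cdn.example.com", "Allow"),    # ... except one host
]

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "mail.example.com",
                 "a.cdn.example.com", "static.cdn.example.com", "example.org"):
        print(host, "->", decide(RULES, host))
```

If the product resolves conflicts differently (first match, or Deny always wins), only `decide` needs to change; the wildcard matching in `rule_matches` is what determines which rules are candidates at all.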
02 Network boundaries
2.1 Office network intercommunication
Cloud computers run in a security group that is automatically created with the office network (formerly called a workspace). They have no public IP addresses and expose no open ports. The security group drops all traffic from outside the office network except ASP protocol connections from the streaming gateway, so the gateway is the only external path to a cloud computer and direct attacks from the Internet cannot reach it. This fundamental security mechanism of Elastic Desktop Service (EDS) Enterprise cannot be modified.
By default, the security group also blocks communication between cloud computers. This stops a malicious user from attacking other cloud computers and keeps a compromised cloud computer from spreading to others on the internal network. Administrators can enable network access between cloud computers within their office network when the business requires it. If you enable this access, use the security group and domain name control policies described above to limit it to the specific sources, protocols and ports that are actually needed, rather than opening all traffic between cloud computers.