
WUYING Workspace:Configure a security group

Last Updated:Jun 26, 2023

A security group is a set of rules that can be used to protect cloud computers. WUYING Workspace allows you to configure a security group to control the inbound access to and the outbound access from cloud computers. You can add security group rules to control cloud computer access.

Description

Important

By default, cloud computers allow all outbound access requests. For inbound access requests, the following rules apply:

  • If cloud computers are connected over the Internet, the cloud computers deny all inbound access requests, even if you set Authorization Policy to Allow for inbound access requests in a rule.

  • If cloud computers are connected over enterprise private networks, the cloud computers also deny all inbound access requests by default. However, you can set Authorization Policy to Allow for inbound requests in a rule. If an inbound access request matches that rule, the system allows the request.

A security group rule contains attributes such as rule direction, priority, CIDR block, protocol type, port range, and authorization policy. Before an end user connects to a cloud computer, the system matches access requests based on the security group rules in the policy that is associated with the cloud computer to determine whether to allow the access requests. Access requests are allowed or denied based on the matched security group rules:

  • If access requests match a security group rule whose Authorization Policy is set to Allow, the access requests are allowed.

  • If access requests match a security group rule whose Authorization Policy is set to Deny, the access requests are blocked and data packets are dropped.

You can add security group rules to limit the inbound and outbound traffic of the cloud computer. The following examples describe the common configurations of security group rules:

  • Example 1: Allow the cloud computer to access only a specific CIDR block.

    By default, cloud computers allow all outbound access requests. You can add the following outbound rules to allow the cloud computer to access only a specific CIDR block:

    • Rule 1: Deny all outbound access requests. Sample configuration:

      Direction: Outbound
      Priority: 2
      CIDR block: 0.0.0.0/0
      Protocol type: All
      Port range: -1/-1
      Authorization policy: Deny

    • Rule 2: Allow outbound access to a specific CIDR block. The priority of Rule 2 must be higher than the priority of Rule 1. Sample configuration:

      Direction: Outbound
      Priority: 1
      CIDR block: The CIDR block that can be accessed. Example: 192.168.1.1/32.
      Protocol type: Select a protocol type.
      Port range: Specify a port range.
      Authorization policy: Allow

  • Example 2: Allow access from a specific CIDR block to the cloud computer that is connected over an enterprise private network.

    If the cloud computer is connected over an enterprise private network, you can add an inbound rule that allows access from a specific CIDR block. Sample configuration:

    Direction: Inbound
    Priority: 1
    CIDR block: The CIDR block from which the cloud computer can be accessed. Example: 192.168.1.1/32.
    Protocol type: Select a protocol type.
    Port range: Specify a port range.
    Authorization policy: Allow

  • Example 3: Enable network connectivity between cloud computers that are associated with different policies if the cloud computers are connected over an enterprise private network.

    For example, Cloud Computer A is associated with Policy A, and Cloud Computer B is associated with Policy B. By default, cloud computers deny all inbound access requests. Therefore, Cloud Computer A and Cloud Computer B cannot access each other. You can add the following inbound rule to Policy A and Policy B to enable network connectivity between the two cloud computers:

    • Add an inbound rule to Policy A to allow access from Cloud Computer B. Sample configuration:

      Direction: Inbound
      Priority: 1
      CIDR block: The IP address of Cloud Computer B.
      Protocol type: Select a protocol type.
      Port range: Specify a port range.
      Authorization policy: Allow

    • Add an inbound rule to Policy B to allow access from Cloud Computer A. Sample configuration:

      Direction: Inbound
      Priority: 1
      CIDR block: The IP address of Cloud Computer A.
      Protocol type: Select a protocol type.
      Port range: Specify a port range.
      Authorization policy: Allow
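The matching behaviour described in this section (priority order, the default inbound deny and outbound allow, the rule that Internet-connected cloud computers deny all inbound requests, and Examples 1 and 2) modelled as a small Python evaluator. This is an added example, not WUYING Workspace code: the `Rule` dataclass and its field names, the simplified protocol names, and the tie-break of Deny before Allow at equal priority are assumptions of this example, and the addresses and ports are constructed. The last scenario also reproduces the default outbound rule shadowing that the "What to do next" section warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One security group rule (field names are this example's, not the console's)."""
    direction: str    # "inbound" or "outbound"
    priority: int     # 1 (highest) to 60 (lowest), as stated on the page
    cidr: str         # authorization object: an IPv4 CIDR block
    protocol: str     # simplified names: "all", "tcp", "udp", "icmp", "gre"
    port_range: str   # "80", "1/80", or "-1/-1" for all ports
    policy: str       # "allow" or "deny"


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'-1/-1' covers every port; '80' is one port; '1/80' is an inclusive range."""
    if spec == "-1/-1":
        return (1, 65535)
    low, _, high = spec.partition("/")
    return (int(low), int(high) if high else int(low))


def rule_matches(rule: Rule, direction: str, peer_ip: str,
                 protocol: str, port: Optional[int]) -> bool:
    if rule.direction != direction:
        return False
    if ip_address(peer_ip) not in ip_network(rule.cidr, strict=False):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp"):  # only TCP/UDP rules carry a real port range
        low, high = parse_port_range(rule.port_range)
        if port is None or not low <= port <= high:
            return False
    return True


def evaluate(rules, direction, peer_ip, protocol, port=None, internet_connected=False):
    """Return (decision, matched_rule); decision is "allow" or "deny"."""
    # Internet-connected cloud computers deny every inbound request, even with an Allow rule.
    if direction == "inbound" and internet_connected:
        return ("deny", None)
    matched = [r for r in rules if rule_matches(r, direction, peer_ip, protocol, port)]
    if not matched:
        # Page defaults when nothing matches: inbound denied, outbound allowed.
        return ("allow" if direction == "outbound" else "deny", None)
    # A smaller priority value wins; at equal priority Deny is taken first (assumption).
    best = min(matched, key=lambda r: (r.priority, 0 if r.policy == "deny" else 1))
    return (best.policy, best)


# Example 1: deny all outbound at priority 2, allow one CIDR block at priority 1 (constructed values).
EXAMPLE1 = [
    Rule("outbound", 2, "0.0.0.0/0", "all", "-1/-1", "deny"),
    Rule("outbound", 1, "192.168.1.0/24", "tcp", "443", "allow"),
]

# Example 2: a single inbound Allow from one address (constructed values).
EXAMPLE2 = [Rule("inbound", 1, "192.168.1.1/32", "tcp", "443", "allow")]


def example1_results():
    return {
        "to_allowed_net": evaluate(EXAMPLE1, "outbound", "192.168.1.10", "tcp", 443)[0],
        "to_other_net": evaluate(EXAMPLE1, "outbound", "10.0.0.5", "tcp", 443)[0],
        "wrong_port": evaluate(EXAMPLE1, "outbound", "192.168.1.10", "tcp", 80)[0],
    }


def example2_results():
    return {
        "private_from_cidr": evaluate(EXAMPLE2, "inbound", "192.168.1.1", "tcp", 443)[0],
        "private_other_ip": evaluate(EXAMPLE2, "inbound", "192.168.1.2", "tcp", 443)[0],
        "internet_from_cidr": evaluate(EXAMPLE2, "inbound", "192.168.1.1", "tcp", 443,
                                       internet_connected=True)[0],
    }


def default_rule_shadowing(default_priority: int) -> str:
    """Add the implicit allow-all outbound rule at the given priority in front of Example 1."""
    rules = [Rule("outbound", default_priority, "0.0.0.0/0", "all", "-1/-1", "allow")] + EXAMPLE1
    return evaluate(rules, "outbound", "10.0.0.5", "tcp", 443)[0]


if __name__ == "__main__":
    print("Example 1:", example1_results())
    print("Example 2:", example2_results())
    print("default rule at priority 1:", default_rule_shadowing(1))
    print("default rule at priority 60:", default_rule_shadowing(60))
```

With the default outbound rule at priority 1 the Deny rule of Example 1 never matches first and traffic to any address stays allowed; moving the default rule to priority 60, as the page recommends for office networks upgraded from an earlier directory, lets the added rules take effect.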

Limits

If you add an outbound security group rule to your policy and your office network is upgraded from a directory of an earlier version, you must adjust the priority of the default rule. Otherwise, the rule that you add may not take effect. To add a security group rule, perform the following procedure:

Procedure

When you create a policy, you can add inbound or outbound security group rules to manage access to or from cloud computers based on your business requirements. The following procedure describes how to configure a security group rule:

  1. Log on to the WUYING Workspace console.
  2. In the upper-left corner of the top navigation bar, select a region.
  3. In the left-side navigation pane, choose Operations > Policies.
  4. On the Policies page, click Create Policy. Then, follow the on-screen instructions to configure the Policy Name parameter.

  5. On the Create Policy panel, click the Security Group Control tab.

  6. On the Security Group Control tab, use one of the following methods to add security group rules for cloud computers.

    Note
    • You can add up to 200 security group rules to a policy. When you add a security group rule, we recommend that you follow the principle of least privilege and grant permissions on a specific IP address and port. Proceed with caution when you grant permissions on CIDR blocks such as 0.0.0.0/0 and on large port ranges such as 1/65535.

    • The imported rules do not overwrite existing rules. If the maximum number of rules is reached, the excess rules cannot be imported.

    • Manual entry

      1. Click Add Security Group Rule.

      2. Configure parameters for the rule.

        Configure the following parameters:

        • Direction: one of the following options:
          • Inbound: controls whether to allow requests that are destined for the cloud computer.
          • Outbound: controls whether to allow requests that originate from the cloud computer.

        • Authorization Policy: specifies whether to allow or deny access requests.
          • Allow: allows access requests.
          • Deny: denies access requests, drops data packets, and returns no responses.

        • Priority: valid values: 1 to 60. A smaller value specifies a higher priority. For rules of the same type, the rule that has the highest priority takes effect.

        • Protocol Type: valid values: Custom TCP, Custom UDP, Custom ICMP (IPv4), and All GRE. Select a value based on your business requirements.

        • Port Range: the ports that are allowed for applications or protocols. If you set Protocol Type to Custom TCP or Custom UDP, you can specify a port number such as 80 or a port range such as 1/80. For more information, see Common ports.

        • Authorization Object: the IPv4 CIDR block. Specify a value for the CIDR Block parameter based on your business requirements.

        • Description: the description of the rule.

        • Actions: the actions that you can perform on the rule. In the Actions column of a security group rule, you can edit, copy, or delete the rule.

    • Batch entry

      1. Use one of the following methods to prepare the file that contains the information about the security group rules:

        • Click Export Security Group Rule. Modify and save the security group rules based on your business requirements.

        • Use Microsoft Excel to enter security group rules and save the file as a CSV file.

      2. Click Import Security Group Rule.

      3. In the Import Security Group Rule dialog box that appears, click Select File and select the CSV file that contains the information about the security group rules.

        After you upload the CSV file, the fields for the security group rules in the file are automatically populated. After you import the file, you can check whether the security group rules are successfully imported. If the import fails, check whether the information about the security group rules in the CSV file complies with the format requirements.

      4. Click Create.

        After the policy is created, you can view the policy information on the Policies page and the status of the policy is Available.

        The imported rules do not overwrite existing rules. If the maximum number of rules is reached, the excess rules cannot be imported.
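A pre-import check for the CSV file used in batch entry, as an added example that is not part of the console or of this page. The page does not give the CSV column layout, so the header row used here (direction, priority, cidr, protocol, port_range, policy, description) and the simplified protocol names are assumptions, and the sample file is constructed. The check enforces the constraints stated in this procedure (up to 200 rules per policy, priority 1 to 60, a port number such as 80 or a range such as 1/80 for TCP and UDP and -1/-1 otherwise, a valid IPv4 CIDR block) and flags the broad grants that the note above cautions against (0.0.0.0/0 and 1/65535) on Allow rules before the file is imported.

```python
import csv
import io
from ipaddress import IPv4Network

MAX_RULES = 200  # page: up to 200 security group rules per policy
PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}  # simplified names (assumption)
# Assumed header row; the page does not specify the CSV layout.
EXPECTED_COLUMNS = ["direction", "priority", "cidr", "protocol", "port_range", "policy", "description"]


def check_port_range(protocol, spec):
    """Return an error string or None. TCP/UDP take '80' or '1/80'; other protocols take '-1/-1'."""
    if protocol in ("tcp", "udp"):
        parts = spec.split("/")
        if len(parts) > 2 or not all(p.isdigit() for p in parts):
            return f"invalid port range {spec!r}"
        nums = [int(p) for p in parts]
        if nums != sorted(nums) or not all(1 <= n <= 65535 for n in nums):
            return f"port range {spec!r} is out of order or outside 1-65535"
        return None
    return None if spec == "-1/-1" else f"protocol {protocol} requires port range -1/-1"


def validate_rules_csv(text):
    """Return (errors, warnings); errors block the import, warnings are least-privilege review items."""
    errors, warnings = [], []
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        return [f"unexpected header {reader.fieldnames}"], warnings
    rows = list(reader)
    if len(rows) > MAX_RULES:
        errors.append(f"{len(rows)} rules exceed the limit of {MAX_RULES}; excess rules are not imported")
    for line_no, row in enumerate(rows, start=2):  # line 2 is the first data row
        where = f"line {line_no}"
        if row["direction"] not in ("inbound", "outbound"):
            errors.append(f"{where}: direction must be inbound or outbound")
        if row["policy"] not in ("allow", "deny"):
            errors.append(f"{where}: policy must be allow or deny")
        if not (row["priority"].isdigit() and 1 <= int(row["priority"]) <= 60):
            errors.append(f"{where}: priority must be between 1 and 60")
        if row["protocol"] not in PROTOCOLS:
            errors.append(f"{where}: unknown protocol {row['protocol']!r}")
        else:
            err = check_port_range(row["protocol"], row["port_range"])
            if err:
                errors.append(f"{where}: {err}")
        try:
            IPv4Network(row["cidr"], strict=False)
        except ValueError:
            errors.append(f"{where}: invalid IPv4 CIDR block {row['cidr']!r}")
        # Least-privilege review items from the page's note: broad Allow rules deserve a second look.
        if row["policy"] == "allow" and row["cidr"] == "0.0.0.0/0":
            warnings.append(f"{where}: allow rule for 0.0.0.0/0 grants access to every address")
        if row["policy"] == "allow" and row["port_range"] == "1/65535":
            warnings.append(f"{where}: allow rule for port range 1/65535 opens every port")
    return errors, warnings


# Constructed sample file: two sound rules, one over-broad rule, one malformed rule.
SAMPLE_CSV = "\n".join([
    "direction,priority,cidr,protocol,port_range,policy,description",
    "outbound,2,0.0.0.0/0,all,-1/-1,deny,deny everything else",
    "outbound,1,192.168.1.1/32,tcp,443,allow,file server",
    "inbound,1,0.0.0.0/0,tcp,1/65535,allow,too broad",
    "inbound,99,10.0.0.0/8,tcp,80/1,allow,bad priority and port order",
]) + "\n"


def validate_sample():
    return validate_rules_csv(SAMPLE_CSV)


if __name__ == "__main__":
    errors, warnings = validate_sample()
    for e in errors:
        print("ERROR", e)
    for w in warnings:
        print("WARNING", w)
```

Running the check before clicking Import Security Group Rule reports the two format errors on the last sample row and the two least-privilege warnings on the over-broad inbound rule; the first two rows, which are the Example 1 pattern from the Description section, pass cleanly.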

What to do next

If you want to modify a security group control rule, you can modify a single rule or modify the security group rule file and import the modified file.

By default, cloud computers deny all inbound access requests and allow all outbound access requests. Each cloud computer has a default outbound rule that allows all outbound traffic. The outbound rule that you add may conflict with the default rule. If the rule that you add conflicts with the default rule, adjust the priority of the default rule based on the office network to which your cloud computer belongs. If you do not adjust the priority of the default rule, the rule that you add may not take effect.

  • If your office network is of the latest version and has an ID that is in the <Region ID>+dir+<10-digit string> format, the rule that you add takes effect immediately because the default rule has the lowest priority.

  • If your office network is upgraded from a directory of an earlier version and has an ID that is in the <Region ID>+dir+<17-character string that consists of letters and digits> format, you must manually adjust the priority of the default rule because the default rule has the highest priority. To adjust the priority of a rule, perform the following steps:

    1. Find the office network to which the cloud computer belongs and click the office network ID.

    2. On the office network details page, click the security group ID.

    3. On the Security Groups page, click the security group ID.

    4. On the Security Group Rules page, click the Outbound tab.

    5. Adjust the priority of the rule.

      We recommend that you set the priority to 60 to ensure that all outbound rules that you add take effect immediately.