Wiki source code of Security Groups and ACLs
Last modified by Equipe Opération on 09 - 11 - 2018

== Security Groups: what purpose? ==

A security group contains one or more security rules:

* Each rule applies either to incoming or to outgoing traffic.
* A rule authorizes TCP/UDP/ICMP packets from or to a CIDR or another security group.
* The default rules allow a machine to contact and be contacted by any other machine in the same security group, and allow all outgoing traffic.

== VPC Peering ==

VPC Peering is a feature which creates a link between two VPCs in Flexible Engine.

* Works between local VPCs (same tenant) as well as remote ones (different tenants).
** In both cases, the peering must be accepted and activated on both sides of the link.

A VPC peering is configured by setting routing rules that specify which CIDRs may go through the peering.

These routes must be defined on both sides of the peering, otherwise you may run into networking issues.

* A multi-peering architecture allows several traffic flows to be centralized.

(% style="text-align:center" %)
[[image:peering-VPC.png]]

== ACLs in VPC networking ==

A Network ACL (Access Control List) is an additional (and optional) layer of network security in a VPC which:

* Works like a firewall appliance controlling network traffic going in or out of subnets.

Network ACLs use the same type of rules as Security Groups and can be used together with them.

* They create a second security layer on top of Security Groups to restrict traffic globally.

(% style="text-align:center" %)
[[image:ACL.png]]

Access lists complement security groups:

* For example, to block entire CIDRs or protocols on a wide range of machines without having to configure each of them with a security group.
* To restrict which IPs in a company can access certain services, in the case of an IT cloud infrastructure.

ACL rules are applied to whole subnets in a VPC.

For traffic between cloud instances, for example through VPC peering, ACLs allow finer control over what is authorized and what is forbidden to go into other VPCs.

== ACL versus Security Groups ==

(% border="1" %)
|(% style="background-color:#0099cd; text-align:center" %)(% style="color:#ffffff" %)**Security Groups**|(% style="background-color:#0099cd; text-align:center" %)(% style="color:#ffffff" %)**Network ACL**
|Works at the server level (first level of protection)|Works at the network level (second level of protection)
|Applied automatically to an instance if the setting is enabled, or afterwards by modifying the instance settings.|Applied automatically to all instances created on the affected subnets (a "safety net" layer, since an instance may have the wrong security groups).
|Rules match on source IP **or** destination IP|Rules can match on source IP **and** destination IP
|(% colspan="2" style="text-align:center" %)Both are stateful: return traffic is allowed by default, unless explicitly forbidden.
|All rules are evaluated before a decision is made on the packet|Rules are evaluated sequentially to determine whether the traffic is allowed.
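The semantics in the table above (all rules evaluated for a security group, first match wins for a network ACL, stateful return traffic for both) can be modelled directly. The code below is an added illustration, not Flexible Engine code; the rule fields, the implicit deny when nothing matches, and the addresses used are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# A packet is (proto, src_ip, dst_ip, src_port, dst_port); all values are constructed.
@dataclass
class Rule:
    action: str                  # "allow" or "deny" (security groups only hold "allow")
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None = any
    src: Optional[str] = None    # source CIDR, None = any
    dst: Optional[str] = None    # destination CIDR, None = any (ACL rules only)

    def matches(self, pkt):
        proto, src, dst, _sport, dport = pkt
        if self.proto not in ("any", proto) or self.dport not in (None, dport):
            return False
        return all(cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
                   for cidr, ip in ((self.src, src), (self.dst, dst)))

@dataclass
class Filter:
    """mode="sg": all rules are evaluated, the packet passes if any allow rule matches.
    mode="acl": rules are evaluated in order, the first matching rule decides.
    Both are stateful: a reply to a flow already accepted is let through.
    Nothing matching means deny (assumed implicit default)."""
    rules: list
    mode: str
    flows: set = field(default_factory=set)

    def decide(self, pkt):
        proto, src, dst, sport, dport = pkt
        if (proto, dst, src, sport) in self.flows:  # return traffic of an accepted flow
            return True
        if self.mode == "sg":
            allowed = any(r.matches(pkt) for r in self.rules)
        else:
            allowed = next((r.action == "allow" for r in self.rules if r.matches(pkt)), False)
        if allowed:
            self.flows.add((proto, src, dst, dport))
        return allowed

def acl_order_matters():
    """Same two ACL rules in both orders: a deny placed after a broad allow never fires."""
    rules = [Rule("deny", "any", src="192.168.9.0/24"),
             Rule("allow", "tcp", 443, src="192.168.0.0/16", dst="10.0.1.0/24")]
    pkt = ("tcp", "192.168.9.7", "10.0.1.5", 51000, 443)   # from the subnet meant to be blocked
    return Filter(rules, "acl").decide(pkt), Filter(rules[::-1], "acl").decide(pkt)
```

`acl_order_matters()` returns `(False, True)`: the deny rule only protects the subnet when it precedes the broad allow, which is the check to make when ordering ACL rules, whereas security group rules have no order.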