Wiki source code of Security Group et les ACL
Last modified by Equipe Opération on 09 - 11 - 2018
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | == Security Groups : what purpose ? == | ||
| 2 | |||
| 3 | A security group contains one or more security rules : | ||
| 4 | |||
| 5 | * The rules are wether on incoming traffic, or outgoing. | ||
| 6 | * Allows to authorize TCP/UDP/ICMP data packets from or to a CIDR or another security group | ||
| 7 | * The default rule allows a machine to contact and be contacted by any other machine in the same Security Group, and allows any outgoing traffic. | ||
| 8 | |||
| 9 | == VPC Peering == | ||
| 10 | |||
| 11 | VPC Peering is a feature which creates a link between to VPCs in Flexible Engine | ||
| 12 | |||
| 13 | * Works between local (same tenant) VPCs as well as remote ones (different tenants) | ||
| 14 | ** In both cases, the peering must be allowed and activated by both sides of the link | ||
| 15 | |||
| 16 | A VPC Peering is configured by setting routing rules specifying which CIDR can go through the peering. | ||
| 17 | |||
| 18 | Thoses rules must be on both sides of the peering, otherwise you might have networking issues | ||
| 19 | |||
| 20 | * A Multi-peering architecture can allows the centralization of multiple traffics. | ||
| 21 | |||
| 22 | (% style="text-align:center" %) | ||
| 23 | [[image:peering-VPC.png]] | ||
| 24 | |||
| 25 | == ACLs in VPC networking == | ||
| 26 | |||
| 27 | Network ACL (Access Control List) are an addition (and optionnal) layer of network security in a VPC which : | ||
| 28 | |||
| 29 | * Works like a firewall appliance contrôling network traffic going in or out of subnets | ||
| 30 | |||
| 31 | Network ACL use the same type of rules as Security Groups and can be used together. | ||
| 32 | |||
| 33 | * Creates a second security layer on top of Security Groups to globally restrict traffic | ||
| 34 | |||
| 35 | (% style="text-align:center" %) | ||
| 36 | [[image:ACL.png]] | ||
| 37 | |||
| 38 | Access List come in help of security groups. | ||
| 39 | |||
| 40 | * Fro example, to block entire CIDRs or protocole on a wide range of machines without having to set each of them with a security group. | ||
| 41 | * To restrict which IP in a company can access certain services, in the case of IT Cloud infrastructure | ||
| 42 | |||
| 43 | The ACL rules are applied on whole subnets in a VPC. | ||
| 44 | |||
| 45 | In the case of traffic between Cloud instances, for example through VPC peering, ACL allows to manage more precisely what is authorized and what is forbidden to go in other VPCs. | ||
| 46 | |||
| 47 | |||
| 48 | == ACL versus Security Groups == | ||
| 49 | |||
| 50 | |||
| 51 | (% border="1" %) | ||
| 52 | |(% style="background-color:#0099cd; text-align:center" %)(% style="color:#ffffff" %)**Security Groups**|(% style="background-color:#0099cd; text-align:center" %)(% style="color:#ffffff" %)**Network ACL** | ||
| 53 | |Works at the server level (first level of protection)|Works at the network level (Second level of protection) | ||
| 54 | |Applied automatically to an instance if the setting is activated, or afterwards when modifying the instance settings.|Applied automatically on all instances created on the affected subnets. ("safe" layer of security, as an instance can have wrong security groups.) | ||
| 55 | |Rules are on source IP **or** destination IP|Rules can be on source IP **and** destination IP | ||
| 56 | |(% colspan="2" style="text-align:center" %)Both are stateful : return traffic is allowed by default, unless explicitely forbidden. | ||
| 57 | |All rules are evaluated before making a decision on the packet|Rules are treated sequencially to determine is the traffic is allowed. |