Implement network isolation within a security group

Background introduction

The default network connectivity policy of a security group is: instances in the same security group can communicate with each other over the network, and instances in different security groups cannot communicate over the intranet by default. This policy meets the needs of the vast majority of customers, but a small number of customers want to change it so that instances in the same security group are isolated rather than interconnected, which can greatly reduce the number of security groups and thus the cost of maintaining and managing them. Based on these customer demands, we have extended the security group network connectivity policy to support network isolation within a security group. Before using this feature, you need to understand some details of network isolation within a security group:

Some Notes on Network Isolation in Security Groups

  1. The granularity of isolation is the NIC, not the ECS instance. If an ECS instance has multiple NICs attached, pay special attention to this.
  2. The default network connectivity policy of a security group is not changed. By default, instances in the same security group can still **intercommunicate**, and instances in different security groups still cannot communicate over the intranet. The new feature only provides a means to modify the network connectivity policy, so it has no effect on your existing security groups or on newly created security groups.
  3. The principle of isolation first
    • A security group whose intra-group policy is set to "isolated" has a higher priority than an "interconnected" security group. If two instances both belong to an "isolated" security group, the network between them is unreachable, regardless of whether they also belong to an "interconnected" security group.
    • A security group whose intra-group policy is set to "isolated" has a higher priority than all user-defined ACLs. Instances in an isolated security group are therefore unreachable from each other; even adding an ACL rule that allows the access does not take effect.
  4. Network isolation is limited to the instances (NICs) in the current group. Suppose the current security group is G1 and its intra-group policy is set to "isolated"; vm1 and vm2 belong to G1, vm2 and vm3 belong to G2, and the intra-group policy of G2 is "interconnected". Then the network between vm1 and vm2 is unreachable, but the network between vm2 and vm3 is reachable.

In order to better understand the constraints and limitations of network isolation within a security group, a typical example is given below (for ease of exposition, it is assumed that an instance has only one NIC, so NIC isolation is equivalent to instance isolation). The relationship between each instance and the security groups it belongs to is shown in the following figure:



The network connectivity policies within the security group are as follows:


In this example, the network connectivity between the instances is as follows:
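The following Python model is an added example, not code from the original article or from the cloud provider, that encodes the connectivity rules listed in the notes above (isolation first, isolation overriding user-defined ACLs, isolation limited to the group the NICs actually share) and works through the vm1/vm2/vm3 scenario from note 4. The `acl_allows` flag is a hypothetical simplification standing in for a user-defined rule that would otherwise permit the traffic; the group and NIC names are constructed.

```python
"""Model of intra-security-group connectivity rules (added example).

Encodes the rules from the notes: the unit of isolation is the NIC, a
shared "isolated" group wins over an "interconnected" one and over any
user-defined ACL, and isolation affects only NICs that share that group.
"""
from dataclasses import dataclass
from itertools import combinations

ISOLATED = "isolated"               # intra-group traffic is dropped
INTERCONNECTED = "interconnected"   # default policy: intra-group traffic allowed


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    inner_policy: str = INTERCONNECTED  # default, as the notes state


@dataclass(frozen=True)
class Nic:
    """The unit of isolation is the network interface, not the ECS instance."""
    name: str
    groups: frozenset  # names of the security groups this NIC belongs to


def intranet_reachable(a, b, groups, acl_allows=False):
    """Decide whether NIC `a` can reach NIC `b` over the intranet.

    `acl_allows` is a hypothetical simplification: True means a user-defined
    rule exists that would otherwise permit this traffic.
    """
    shared = a.groups & b.groups
    # Isolation first: any shared isolated group drops the traffic, no matter
    # which interconnected groups are also shared or what ACLs permit.
    if any(groups[g].inner_policy == ISOLATED for g in shared):
        return False
    # Same interconnected group: reachable by default.
    if shared:
        return True
    # No shared group: unreachable by default unless a user ACL permits it.
    return acl_allows


def connectivity_matrix(nics, groups):
    """Return {(nic_a, nic_b): reachable} for every unordered NIC pair."""
    return {(a.name, b.name): intranet_reachable(a, b, groups)
            for a, b in combinations(nics, 2)}


def example_topology():
    """The scenario from note 4 (constructed): G1 isolated, G2 interconnected."""
    groups = {
        "G1": SecurityGroup("G1", ISOLATED),
        "G2": SecurityGroup("G2", INTERCONNECTED),
    }
    vm1 = Nic("vm1", frozenset({"G1"}))
    vm2 = Nic("vm2", frozenset({"G1", "G2"}))
    vm3 = Nic("vm3", frozenset({"G2"}))
    return groups, [vm1, vm2, vm3]


EXAMPLE_GROUPS, EXAMPLE_NICS = example_topology()

if __name__ == "__main__":
    for (src, dst), ok in connectivity_matrix(EXAMPLE_NICS, EXAMPLE_GROUPS).items():
        print(f"{src} <-> {dst}: {'reachable' if ok else 'unreachable'}")
```

Running the module prints that vm1 and vm2 are unreachable (they share the isolated group G1), vm2 and vm3 are reachable (they share only the interconnected group G2), and vm1 and vm3 are unreachable (no shared group). Passing `acl_allows=True` for the vm1/vm2 pair still yields unreachable, which is the "isolation beats ACL" rule from note 3.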

Modifying the network connectivity policy API in a security group

For the API details of this feature, please refer to ModifySecurityGroupPolicy.

This article is original content of the Yunqi Community (云栖社区) and may not be reproduced without permission; to request permission, send an email to [email protected]
