Security Group
KakaoCloud Security Groups act like virtual firewalls, allowing you to control the incoming and outgoing traffic at the instance level. You can configure security groups for the default network interface automatically created when an instance is created or when a network interface is created separately. For all instance types except Bare Metal Server instances, at least one security group must be set per network interface.
Security groups are primarily divided into inbound and outbound rules, and each rule controls the traffic based on protocols, source or destination CIDR ranges, and port numbers. Appropriate security group rules should be set based on the security requirements of the user.
How Security groups works
The working principle of security groups is as follows:
| Functionality | Description |
|---|---|
| Whitelist-based | By default, security groups deny all traffic that is not explicitly allowed by the rules. You cannot set deny rules. Security groups work by allowing traffic explicitly set in the rules. |
| Stateful | Security groups are stateful. This means that if an incoming packet (request) is allowed by a rule, the response (reply) traffic is automatically allowed, regardless of rules. Similarly, traffic in the reverse direction is also automatically allowed. |
| Multi-instance/Network Interface Support | A single security group can be applied to multiple instances and network interfaces. |
| Multiple Security Groups Support | Multiple security groups can be applied to a single instance or network interface. |
| Multiple Security Group Copy Support | You can copy a security group to quickly create multiple security groups with the same inbound and outbound rules. |
Security group basics
- Security groups operate on a whitelist basis. Any traffic that is not defined by a rule is automatically denied.
- Security groups operate in a stateful manner.
- When adding, removing, or updating the rules of a security group, these changes are automatically applied to all associated resources. However, the changes will only take effect after the allowed packet time expires for existing connections.
- There are quota limits on the number of security groups that can be created per project, and the number of rules that can be set in each security group. For detailed information, refer to the Service Pricing and Quotas document.
Security group rules
Security group rules are divided into inbound and outbound rules. Inbound rules define the rules for incoming traffic to resources connected to the security group, while outbound rules define the rules for outgoing traffic from these resources. Each rule consists of the following fields:
| Item | Description |
|---|---|
| Protocol | The protocol for the rule (e.g., TCP, UDP, ICMP, ALL) |
| Source or Destination | The source IP address range (for inbound) or destination IP address range (for outbound) |
| Port Number | The port to which the rule applies |
| Rule Description | A description of the rule |
Security Group Rule Examples
Rules added to a security group are typically defined to match the purpose of the security group. The following table provides an example of rules for a security group connected to a web server. The web server is allowed to receive HTTP and HTTPS traffic, and can send SQL or MySQL traffic to a database server.
Inbound Rules
| Protocol | Source | Port Number | Description |
|---|---|---|---|
| TCP | 0.0.0.0/0 | 80 | Allow all HTTP access |
| TCP | 0.0.0.0/0 | 443 | Allow all HTTPS access |
| TCP | Web server's public IP CIDR range | 22 | Allow SSH access to this web server instance |
| TCP | Web server's public IP CIDR range | 3389 | Allow RDP access to this web server instance |
Since HTTP and HTTPS communication uses TCP at the network layer, you need to allow these protocols in the security group rules. Also, since they use ports 80 and 443, you must add these ports in the rules. Additionally, depending on the web server's operating system, port 22 (SSH) or port 3389 (RDP) must be allowed to connect directly to the server.
Outbound Rules
| Protocol | Destination | Port Number | Description |
|---|---|---|---|
| TCP | SQL Database Server's IP CIDR range | 1433 | Allow access to Microsoft SQL Server |
| TCP | MySQL Database Server's IP CIDR range | 3306 | Allow access to MySQL Server |
Since the web server needs to access SQL and MySQL database servers, outbound rules are added to allow this access.
- To reduce the risk of errors, minimize the number of security groups created. Use each security group to manage access for resources with similar security requirements.
- When adding inbound rules for SSH (port 22) or RDP (port 3389) access to BCS instances, ensure that only specific IP address ranges are granted access.
- Avoid opening large port ranges. Limit access for each port to only the source or destination that requires it.
Default security group
A default security group named default is automatically created for every project, and it has the following inbound and outbound rules. The default security group can be modified as needed, but it cannot be deleted.
The default security group rules are as follows:
Inbound rules
| Protocol | Source | Port Number | Description |
|---|---|---|---|
TCP | @default | ALL | Allow inbound traffic from resources assigned to the same security group |
Outbound rules
| Protocol | Destination | Port Number | Description |
|---|---|---|---|
ALL | 0.0.0.0/0 | ALL | Allow all outbound traffic |
Custom security group
Users can create multiple security groups reflecting various roles performed by instances. The name of a custom security group must be unique within the VPC.
The following are the default rules for security groups that are created.
Inbound rules
No inbound rules are registered (traffic is not allowed).
Outbound rules
| Protocol | Destination | Port Number | Description |
|---|---|---|---|
ALL | 0.0.0.0/0 | ALL | Allow all outbound traffic |
When using only custom security groups (excluding the default security group), instances in that VPC will not be able to access metadata. To enable metadata access, add the following outbound rule.
| Protocol | Destination | Port Number | Description |
|---|---|---|---|
TCP | 169.254.169.0/24 | 80 | Rule for metadata access |