Wednesday, 12 February 2014

Security Groups


Security Groups are like ip filter rules that are applied to an instances networking.When an instance is launched one more Security Groups are applied on it. The rules within the security groups determine what traffic is allowed for that instance. Rules from all Security Groups associated to the instance are evaluated to determine if traffic can be allowed to or from that instance.


A network by the name "test_net" having two VMS attached to it namely "test_1" and "test_2"
We are using LinuxBridge with VLAN Networking enabled. 

The output from "brctl-show" is as follows

Creation of Security Group

Create a security-group having rules to allow all kind of traffic in both directions (ingress,egress).

Associate security group with VM instances

Now associate "TEST_SEC_GROUP_ALLOW_ALL" to both the VM instances test_1 and test_2

Communication between the two VM instances 

Ping as well as ssh is possible between the two VM instances as the applied security group is the least restrictive.

Security group that allows only SSH

Create security group that allows only incoming SSH traffic, associate it to both VM instances.
Note: Remove the earlier security group from the VM instances. SSH means TCP on port 22.

Communication between VM's

We observe that VM's can communicate only using SSH, ping between the VM's fails.

Under the hood

"IP tables" are utilized to enforce Security Groups on the tap interfaces connected to the VM instances.
Here the rule "-A neutron-linuxbri-i3ab26719-5 -p tcp -m tcp --dport 22 -j RETURN"  accepts TCP traffic on destination port 22(SSH)

No comments:

Post a Comment