Introduction
Security Groups are like ip filter rules that are applied to an instances networking.When an instance is launched one more Security Groups are applied on it. The rules within the security groups determine what traffic is allowed for that instance. Rules from all Security Groups associated to the instance are evaluated to determine if traffic can be allowed to or from that instance.
Setup
A network by the name "test_net" having two VMS attached to it namely "test_1" and "test_2"
We are using LinuxBridge with VLAN Networking enabled.
The output from "brctl-show" is as follows
Creation of Security Group
Create a security-group having rules to allow all kind of traffic in both directions (ingress,egress).
Associate security group with VM instances
Now associate "TEST_SEC_GROUP_ALLOW_ALL" to both the VM instances test_1 and test_2Communication between the two VM instances
Ping as well as ssh is possible between the two VM instances as the applied security group is the least restrictive.
Security group that allows only SSH
Create security group that allows only incoming SSH traffic, associate it to both VM instances.
Note: Remove the earlier security group from the VM instances. SSH means TCP on port 22.
Communication between VM's
We observe that VM's can communicate only using SSH, ping between the VM's fails.
Under the hood
"IP tables" are utilized to enforce Security Groups on the tap interfaces connected to the VM instances.
Here the rule "-A neutron-linuxbri-i3ab26719-5 -p tcp -m tcp --dport 22 -j RETURN" accepts TCP traffic on destination port 22(SSH)
Here the rule "-A neutron-linuxbri-i3ab26719-5 -p tcp -m tcp --dport 22 -j RETURN" accepts TCP traffic on destination port 22(SSH)
No comments:
Post a Comment