The VPC security policy uses the virtual machines in the security group as policy objects to control their ingress and egress traffic.
The security policy in VPC is only effective for vNICs associated with the current VPC. If a virtual machine is associated with multiple VPCs, the vNICs associated with other VPCs are not managed by the current VPC security policy.
Security policy rule
Virtual machines in a VPC that are not policy objects of any security policy can communicate with the outside of the VPC by default. Once a virtual machine becomes a policy object of any security policy, it can only communicate with the members of the configured ingress and egress allowlists.
When multiple VPC security policies are applied to a virtual machine, these policies are combined to jointly control the virtual machine's traffic. That is, if any policy allows traffic through the virtual machine, the traffic is permitted.
If either the egress or ingress traffic of a VPC security policy is set to Allow all, virtual machines within the policy object can still communicate with each other even if Disallow communication between policy objects is configured. Likewise, if a virtual machine from a policy object appears in the egress or ingress allowlist, it can still communicate unidirectionally or bidirectionally with the other virtual machines in the group even if Disallow communication between policy objects is configured.
Prerequisite
Procedure
Enter the AOC Network and security page, and click Security service in the left sidebar.
Click + Action > Create security policy.
Set the basic information of the security policy according to the following parameter descriptions, then click Next.
| Parameter | Description |
|---|---|
| Name | The name of the security policy, which must be unique within the same VPC. |
| Description (optional) | The description of the security policy, which you can fill in as needed. |
| Arcfra Network Service | The ANS service to which the security policy belongs. Only ANS services with VPC functionality enabled can be selected. |
| VPC | The VPC to which the security policy belongs. Only VPCs already created in the current ANS service can be selected. |
Add policy objects, that is, the virtual machines to which the security policy applies, selected by security group.
Click + Add policy object.
Search for and select an existing security group in the VPC, or click + Create security group to quickly create a security group in the VPC.
Set whether to allow communication between virtual machines within the selected security group.
Click Add.
After adding, you can continue to add multiple policy objects as needed. Multiple policy objects have a logical OR relationship, meaning that virtual machines included in any policy object will be treated as policy objects of this security policy and apply the relevant security rules.
Click the ellipsis (...) on the right side of the added policy object to edit or delete it.
Click the dropdown box after Ingress traffic to set the ingress traffic for policy objects.
Allow all: Allow policy objects to receive all ingress traffic.
Allowlist only: Only allow policy objects to receive ingress traffic from the allowlists.
Click + Add allowlist, then choose how to add the allowlist from the dropdown box.
Note:
- In one policy, you can add multiple allowlists, and each allowlist can be added by labels, IP addresses, or a security group. For example, one allowlist can be added by a security group and another by labels.
- The relationship between multiple allowlists is a logical OR, meaning that virtual machines or IP addresses included in any allowlist can apply the relevant security rules and communicate with the policy objects.
- If the allowlist is left empty, it indicates that all ingress traffic is prohibited.
Add by label: Filter virtual machines that can access the policy objects by labels. You need to associate labels with virtual machines in advance. When selecting multiple labels, the virtual machine filtering logic is logical AND, meaning that the filtered virtual machines are those associated with all selected labels. You can also specify the allowed protocols and ports. If there's no need to restrict protocols, you can select any protocol.
Add by security group: Select the created security group in VPC that can access the policy objects, or you can directly create a security group in a VPC. You can also specify the allowed protocols and ports. If there's no need to restrict protocols, you can select any protocol.
IP Address: Enter an IP address or CIDR block to specify the allowlist. After entering a CIDR block, you can click the ellipsis (...) on the right side of the input box to exclude specific IP addresses or CIDR blocks from the allowlist and specify allowed protocols and ports. If there's no need to restrict protocols, you can select any protocol.
If you want to edit or delete an allowlist, click the ellipsis (...) on the right side of the added allowlist.
Refer to the instructions in the previous step to set the egress traffic for the policy object, then click Next.
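To make the rules in the Security policy rule section and the allowlist semantics of the previous step concrete, here is an added example, constructed for this page and not Arcfra's own code or API, that evaluates them in Python. It models the default-allow rule for virtual machines outside any policy, the OR across policies, across policy objects and across allowlists, the AND across labels, CIDR blocks with exclusions and protocol/port restrictions, the Policy mode switch, and the way Allow all or allowlist membership overrides Disallow communication between policy objects. All VM names, addresses, labels and policy names are constructed. Two further assumptions are made: a flow must pass the sender's egress check and the receiver's ingress check, and allowing communication within a group behaves like an implicit allowlist of that group's own members.

```python
"""Toy evaluator for the VPC security-policy semantics described on this page.
Constructed example: data model, VM names, addresses, labels and policy names
are assumptions made for illustration, not product APIs."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    groups: frozenset = frozenset()   # security groups the VM belongs to
    labels: frozenset = frozenset()   # labels associated with the VM in advance


@dataclass(frozen=True)
class Allowlist:
    """One allowlist, added by label, by security group or by IP address/CIDR."""
    kind: str                          # "label" | "group" | "ip"
    labels: frozenset = frozenset()    # kind=label: peer must carry ALL of these (AND)
    group: str = ""                    # kind=group: peer must be in this security group
    cidr: str = ""                     # kind=ip: single address or CIDR block
    exclude: tuple = ()                # kind=ip: addresses/blocks excluded from the cidr
    protocol: str = "any"              # "any" = no protocol restriction
    ports: Optional[tuple] = None      # (low, high) inclusive, or None for all ports

    def matches(self, peer: VM, protocol: str, port: int) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        if self.kind == "label":
            return self.labels <= peer.labels            # AND across selected labels
        if self.kind == "group":
            return self.group in peer.groups
        if self.kind == "ip":
            addr = ip_address(peer.ip)
            if addr not in ip_network(self.cidr, strict=False):
                return False
            return not any(addr in ip_network(x, strict=False) for x in self.exclude)
        raise ValueError(f"unknown allowlist kind {self.kind!r}")


ALLOW_ALL = None   # "Allow all" setting; an empty tuple means "Allowlist only" with nothing added


@dataclass(frozen=True)
class PolicyObject:
    group: str
    allow_intra_group: bool = True     # False = "Disallow communication between policy objects"


@dataclass(frozen=True)
class Policy:
    name: str
    objects: tuple                     # PolicyObject entries, logical OR
    ingress: Optional[tuple]           # ALLOW_ALL or a tuple of Allowlist (logical OR)
    egress: Optional[tuple]
    enabled: bool = True               # the Policy mode switch

    def covers(self, vm: VM) -> bool:
        return any(obj.group in vm.groups for obj in self.objects)

    def permits(self, vm: VM, direction: str, peer: VM, protocol: str, port: int) -> bool:
        entries = self.ingress if direction == "ingress" else self.egress
        if entries is ALLOW_ALL:
            return True    # Allow all overrides Disallow communication between policy objects
        if any(e.matches(peer, protocol, port) for e in entries):
            return True    # explicit allowlist membership also overrides Disallow
        # Assumption: allowed intra-group traffic acts as an implicit allowlist of group members.
        return any(obj.allow_intra_group and obj.group in vm.groups and obj.group in peer.groups
                   for obj in self.objects)


def direction_allowed(vm, direction, peer, protocol, port, policies) -> bool:
    applicable = [p for p in policies if p.enabled and p.covers(vm)]
    if not applicable:
        return True        # not a policy object of any policy: unrestricted by default
    return any(p.permits(vm, direction, peer, protocol, port) for p in applicable)  # OR across policies


def flow_allowed(src, dst, protocol, port, policies) -> bool:
    """Assumption: a flow needs the sender's egress check AND the receiver's ingress check."""
    return (direction_allowed(src, "egress", dst, protocol, port, policies)
            and direction_allowed(dst, "ingress", src, protocol, port, policies))


# Constructed sample VPC (all values invented for this example)
WEB1 = VM("web1", "10.0.1.10", frozenset({"web"}), frozenset({"tier:web", "env:prod"}))
WEB2 = VM("web2", "10.0.1.11", frozenset({"web"}), frozenset({"tier:web", "env:prod"}))
WEB3 = VM("web3", "10.0.1.12", frozenset({"web"}), frozenset({"tier:web"}))   # lacks env:prod
DB1 = VM("db1", "10.0.2.10", frozenset({"db"}), frozenset({"tier:db", "env:prod"}))
DB2 = VM("db2", "10.0.2.11", frozenset({"db"}), frozenset({"tier:db", "env:prod"}))
OPS = VM("ops", "10.0.3.5")          # in no security group, so no policy applies to it
BASTION = VM("bastion", "10.0.9.9")

P_WEB = Policy("web-policy", objects=(PolicyObject("web", allow_intra_group=False),),
               ingress=(Allowlist("ip", cidr="10.0.0.0/16", exclude=("10.0.9.0/24",),
                                  protocol="tcp", ports=(443, 443)),),
               egress=(Allowlist("group", group="db", protocol="tcp", ports=(5432, 5432)),))
P_DB = Policy("db-policy", objects=(PolicyObject("db"),),
              ingress=(Allowlist("label", labels=frozenset({"tier:web", "env:prod"}),
                                 protocol="tcp", ports=(5432, 5432)),),
              egress=())             # Allowlist only with nothing added: all egress prohibited
P_WEB_MGMT = Policy("web-mgmt", objects=(PolicyObject("web", allow_intra_group=False),),
                    ingress=(Allowlist("ip", cidr="10.0.9.9/32", protocol="tcp", ports=(22, 22)),),
                    egress=ALLOW_ALL)
BASE = (P_WEB, P_DB)
WITH_MGMT = BASE + (P_WEB_MGMT,)
WITH_MGMT_OFF = BASE + (replace(P_WEB_MGMT, enabled=False),)   # Policy mode not enabled

if __name__ == "__main__":
    print("web1 -> web2 :443 (Disallow, no Allow all):", flow_allowed(WEB1, WEB2, "tcp", 443, BASE))
    print("web1 -> web2 :443 (second policy Allow all):", flow_allowed(WEB1, WEB2, "tcp", 443, WITH_MGMT))
    print("bastion -> web1 :443 (excluded CIDR):", flow_allowed(BASTION, WEB1, "tcp", 443, BASE))
```

Reading the results: with only BASE applied, web1 cannot reach web2 because Disallow communication between policy objects is set and neither VM is in the other's allowlist; adding web-mgmt with egress Allow all opens that path, while bastion stays blocked on 443 by the CIDR exclusion even though the /16 would otherwise admit it.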
Set the policy mode.
If Policy mode is enabled, the security policy takes effect immediately after creation. If Policy mode is not enabled, the security policy does not take effect after creation; you can enable it later by editing the policy mode.
Click Create.
After creation, you can view the information of all security policies in the Security policy in VPC list.
Click on the name link of a security policy in VPC to view its details.
Click on the name link of the Arcfra Network Service to view its basic information.
Click the export report icon in the upper right corner of the Security policy in VPC list to export the list as a .csv file and save it locally.
Precaution
Editing the Arcfra Network Service and VPC of a security policy is not supported.
Procedure
Enter the AOC Network and security page, click Security service in the left sidebar, and you'll be directed to the Security group in VPC page by default.
Click the Security policy in VPC tab, find the security policy you want to edit in the list, click the ellipsis (...), and edit the following content as needed.
You can also click on a security policy in the list, then click Edit policy in the opened details panel, or click the ellipsis (...) and choose Edit policy mode and Edit name and description.
Find the security policy you want to delete in the list, click the ellipsis (...) and select Delete; or click on the security policy you want to delete, then click the ellipsis (...) and select Delete on the details panel.