    ACOS 6.2.0

Updating the port access control

To ensure secure access to hosts in the cluster, you can review the ports used by internal host services and what each port is used for, and then configure access restrictions on the SSH and SNMP service ports. Allowing access only from specified IPs achieves minimal access control and protects the hosts against attacks from external networks.

Order of rule application

The order in which access control rules take effect after configuration is as follows:

  1. All IP addresses within the storage network segment: can communicate through any port.
  2. Other IP addresses of the host, such as the management IP and migration IP:
    • Ports with access restrictions configured: only specified IPs are allowed to access.
    • Ports without access restrictions configured: all IPs are allowed to access.
  3. Unused internal service ports: ports are closed and inaccessible.

Precautions

  • If you have manually configured security rules on the host using iptables, you must clear all configured rules before enabling port access control. Otherwise, rule conflicts may cause the configuration to take no effect.
  • After adding a new host to the cluster, to ensure proper operation of cluster services, reconfigure the storage subnet rules to make sure the storage IP address of the new host falls within the defined storage subnet range. By default, a newly added host allows all IP addresses to access its service ports. You can configure IP allowlists for the service ports of the host as needed.

Procedure

  1. Click a cluster to access its page, then select Settings from the tab bar, and select Port access control.

  2. Enable the access restriction feature in the Access control area.

    1. Click Edit.
    2. Enable Access restriction and add Storage access network segment.
      • For ACOS (AVE) clusters, ensure that all hosts' storage IPs are included within the storage network segment range.
      • For ACOS (VMware ESXi) clusters, ensure that all SCVM storage IPs and ESXi storage IPs are included within the storage network segment range.
    3. Click Save.
  3. In the Service port area, set the IP allowlist for SNMP or SSH service ports.

    1. Click Edit.
    2. Select one of the following configuration methods:
      • By cluster: Apply the same IP allowlist to all hosts in the cluster. The allowlist will be uniformly distributed to all hosts after it is set.
      • By host: Configure a different IP allowlist for each host in the cluster individually.
    3. Set up the IP allowlist. If you selected By host as the configuration method, configure the IP allowlist for each host; batch filling is supported.
      • Deny all: Deny all IP addresses from accessing the service ports of this host.
      • Allow specified IP: Allow specified IP addresses to access the service ports of this host. Click + Add to add multiple IP addresses, IP address ranges, or CIDR blocks.
      • Allow all: Allow all IP addresses to access the service ports of this host.
    4. Click Save.
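As an added illustration, not code from the product, the following Python evaluates the rule order described above against a constructed configuration, accepting the single-IP, range, and CIDR allowlist entries the procedure mentions, and checks the precaution that every host's storage IP lies inside the storage network segment. Host names, IP addresses, and the set of in-use ports are assumed sample values; treating an unused port as closed even when no allowlist is configured for it is this example's reading of rule 3.

```python
import ipaddress

# Constructed sample configuration (not taken from any real cluster): the
# storage network segment, each host's storage IP, the internal service ports
# the host actually uses, and the per-port IP allowlist for SSH (22) and
# SNMP (161). An allowlist value is "deny_all", "allow_all", or a list of
# entries in the forms the UI accepts: a single IP, a "start-end" range,
# or a CIDR block.
STORAGE_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
SSH, SNMP = 22, 161
HOSTS = {
    "host-1": {"storage_ip": "10.10.0.11", "in_use_ports": {22, 161, 8443},
               "allowlist": {SSH: ["192.168.1.0/24", "172.16.5.10-172.16.5.20"],
                             SNMP: "deny_all"}},
    "host-2": {"storage_ip": "10.10.0.12", "in_use_ports": {22, 161, 8443},
               "allowlist": {SSH: "allow_all", SNMP: ["192.168.1.50"]}},
    # Storage IP deliberately outside the segment to exercise the precaution check.
    "host-3": {"storage_ip": "10.20.0.13", "in_use_ports": {22, 161},
               "allowlist": {}},
}

def entry_matches(src, entry):
    """True if the IPv4Address src is covered by one allowlist entry."""
    if "-" in entry:  # "start-end" range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return lo <= src <= hi
    return src in ipaddress.ip_network(entry, strict=False)  # IP or CIDR

def is_allowed(host, src_ip, port):
    """Apply the documented rule order; return True if the connection is accepted."""
    src = ipaddress.ip_address(src_ip)
    cfg = HOSTS[host]
    # Rule 1: any address in the storage segment may reach any port.
    if src in STORAGE_SEGMENT:
        return True
    # Rule 3: unused internal service ports are closed to everyone else
    # (assumed to take precedence over "no restriction configured").
    if port not in cfg["in_use_ports"]:
        return False
    # Rule 2: restricted ports consult their allowlist; unrestricted ports accept all.
    policy = cfg["allowlist"].get(port, "allow_all")
    if policy == "allow_all":
        return True
    if policy == "deny_all":
        return False
    return any(entry_matches(src, e) for e in policy)

def hosts_outside_storage_segment():
    """Hosts whose storage IP is not inside the segment (the precaution above)."""
    return [h for h, c in HOSTS.items()
            if ipaddress.ip_address(c["storage_ip"]) not in STORAGE_SEGMENT]
```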

Related steps

When you no longer need the port access control feature, you can manually disable it. Once disabled, all security rules on the hosts in the cluster will be cleared, and all service ports will be accessible from any IP address.