All Products
Search
Document Center

Microservices Engine:Configure security group rules

Last Updated:Jan 09, 2024

Your cloud-native gateway and the node on which your backend service is deployed belong to different security groups. In this case, you can configure a security group rule to authorize your cloud-native gateway to access the backend service.

Background information

A security group acts as a virtual firewall to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances and elastic network interfaces (ENIs). Security groups help improve the security of ECS instances. Security groups provide stateful packet inspection (SPI) and packet filtering capabilities. You can use security groups and security group rules to define security domains in the cloud. For more information, see Overview.

When you purchase a cloud-native gateway, you must select a virtual private cloud (VPC) and a security group type. We recommend that you select the same security group type as the security group to which your backend service belongs. Then, the cloud-native gateway creates a managed security group based on the security group type that you selected. The managed security group that is created is used to manage nodes of the cloud-native gateway. The cloud-native gateway and the node on which your backend service is deployed belong to different security groups. You must authorize the cloud-native gateway to access the backend service over a range of ports. Architecture

Step 1: Obtain the security group information of the node on which your backend service is deployed

Upstream services that are associated with a cloud-native gateway are mainly deployed in a container cluster or on an Elastic Compute Service (ECS) instance. This section describes how to obtain the security group ID.

Backend service deployed in a container cluster

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. Obtain the ID of the security group.

    • If your backend service is deployed in a Container Service for Kubernetes (ACK) serverless cluster, perform the following operations:

      1. On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.

      2. On the Cluster Information page, click the Cluster Resources tab and obtain the ID of the security group.

        容器安全组.png

    • If your backend service is deployed in an ACK cluster, perform the following operations:

      1. On the Clusters page, click the name of the cluster that you want to manage and choose Nodes > Node Pools in the left-side navigation pane.

      2. On the Node Pools page, click the desired node. On the Overview tab, obtain the ID of the security group.

Backend service deployed on an ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. On the Instance page, click the ECS instance on which your backend service is deployed. On the Security Groups tab, obtain the ID of the security group.

    ecs安全组.png

Step 2: Add a security group rule

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of your cloud-native gateway. In the left-side navigation pane, click Overview. On the page that appears, click the Security Group Authorization tab.

  4. Click Add Security Group Rule. Copy the security group ID obtained in Step 1 to the Security Group ID field and select the security group that appears.

  5. Enter port ranges in the Start port/End port format.

    You can enter multiple port ranges. Each time you enter a port range, press Enter to validate the setting.

  6. Click Save.

    A security group rule is generated on the cloud-native gateway.

    You can also view the security group rule in the security group of the node on which your backend service is deployed.

Delete a security group rule

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of the gateway.

  4. In the left-side navigation pane, click Overview. On the page that appears, click the Add Security Group Rule tab. Find the security group rule that you want to delete, and click Delete in the Actions column. In the message that appears, click OK.

Important

By default, the security group rule is deleted from the cloud-native gateway. If you also want to delete the security group rule from the node on which the service is deployed, select The preceding inbound rules in the security group are also deleted in the message that appears.

FAQ

Why cannot I access a service from a cloud-native gateway after I configure a security group rule?

Perform the following steps:

  1. Check whether the node for which you configure the security group rule is the node on which the service is deployed.

    For example, the service is deployed on Node A, but you configure the security group rule for Node B.

  2. Check whether multiple security groups are configured for your service node.

    If multiple security groups are configured for your service node, we recommend that you configure a security group rule for each security group.

I configured a security group rule for a cloud-native gateway to access a service and the access was successful. However, the access fails now. Why?

Perform the following steps:

  1. Check whether your service is normal.

    You can run the curl command on other nodes in the same security group to check the connectivity of the service.

  2. Check whether the exposed port of the service is changed.

    For example, the exposed port is changed from 8080 to 8081 but only port 8080 is authorized. In this case, you need to change the port number in the security group rule. To prevent this issue, we recommend that you set Port Range to 1/65535 when you create the security group rule.