Security Group
With TWSC Security Group, you can control the network security of the VCS instances and load balancers by setting security rules to manage the ingress and egress traffic (network segments, protocols, or ports).
- Security Group is designed to set individual security rules for VCS instances or load balancers. Therefore, at least one available VCS instance or load balancer must be created before setting its security group rules.
- The security group management procedures differ between VCS instances and load balancers: a security group's lifecycle is independent of the VCS instances it is attached to, but tied to the load balancer it belongs to. See Security Group - VCS instances and Security Group - Load balancers for the detailed management procedures.
- For the permission differences between a Tenant Admin and a Tenant User when using VCS instances, please refer to User roles and permissions.
Security Group - VCS instances
When creating a VCS instance, you can specify a default security group¹, or select existing custom security groups for the instance, and manage security groups and rules on the Security Group Management page.
¹ A single project can hold at most 200 security groups. If you are unable to create one, you may have reached this limit. If you have already created suitable security groups, we recommend selecting an existing one rather than creating new ones.
Default security group and rules
The system creates a default security group and rules for you through the following two procedures; you can create more rules yourself (see Create a security group and rules) when you need them.
- Selecting Create Security Group when creating a VCS instance generates a default security group with the rules below and assigns it to the instance. The default security group is named {instance_id}_{instance_name}_sg.
Default security group rules of VCS instances
- The default ingress/egress rules of TWSC Linux instances (rows without a port range apply to all ports of the protocol):
Direction | Internet protocol | Port (minimum) | Port (maximum) | Protocol | CIDR |
---|---|---|---|---|---|
ingress | IPv4 | 443 | 443 | tcp | 0.0.0.0/0 |
ingress | IPv4 | 22 | 22 | tcp | 0.0.0.0/0 |
egress | IPv4 | | | ANY | 0.0.0.0/0 |
ingress | IPv4 | | | icmp | 0.0.0.0/0 |
egress | IPv6 | | | ANY | ::/0 |
- The default ingress/egress rules of TWSC Windows instances:
Direction | Internet protocol | Port (minimum) | Port (maximum) | Protocol | CIDR |
---|---|---|---|---|---|
ingress | IPv4 | 9833 | 9833 | tcp | 0.0.0.0/0 |
ingress | IPv4 | 443 | 443 | tcp | 0.0.0.0/0 |
ingress | IPv4 | 22 | 22 | tcp | 0.0.0.0/0 |
egress | IPv4 | | | ANY | 0.0.0.0/0 |
ingress | IPv4 | | | icmp | 0.0.0.0/0 |
egress | IPv6 | | | ANY | ::/0 |
Due to frequent security incidents, we will disable your remote connection to Windows instances (port: 9833) if your connection is from the following countries: China, Germany, France, South Korea, the Netherlands, Poland, and Russia.
To connect to TWSC Windows instances from the countries above, please contact Customer Service.
- When you create a security group on the Security Group Management page without specifying any rules, the following rules allowing outbound traffic to the Internet are added automatically.
Direction | Internet protocol | Port (minimum) | Port (maximum) | Protocol | CIDR |
---|---|---|---|---|---|
egress | IPv4 | | | ANY | 0.0.0.0/0 |
egress | IPv6 | | | ANY | ::/0 |
We recommend that you DO NOT delete the default "egress" rule. Deleting it may lead to connection failure of your VCS instance.
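To make the semantics of the tables above concrete, here is an added example (not TWSC's own code) that transcribes the default Linux and Windows rule sets into data and evaluates whether a given flow would be allowed. Security groups are allow-lists: a flow passes only if some rule matches its direction, IP version, protocol, port and remote CIDR, and a rule set with no matching rule denies it. The function names, the sample addresses (documentation ranges such as 203.0.113.0/24 and 2001:db8::/32) and the `without_default_egress` helper that simulates deleting the default egress rule are assumptions of this example.

```python
"""Evaluate traffic against TWSC-style security group rules.

Added example, not TWSC's own code. It transcribes the default rule
tables into data and answers "would this flow be allowed?" the way an
allow-list security group does: traffic passes only if at least one
rule matches, and an empty rule set denies everything.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    direction: str                   # "ingress" or "egress"
    ip_version: int                  # 4 or 6 (the "Internet protocol" column)
    protocol: str                    # "tcp", "udp", "icmp" or "ANY"
    cidr: str                        # remote network the rule applies to
    port_min: Optional[int] = None   # None: no port range (ANY / icmp rows)
    port_max: Optional[int] = None


# Default rules of a TWSC Linux instance, one Rule per table row.
LINUX_DEFAULT = (
    Rule("ingress", 4, "tcp", "0.0.0.0/0", 443, 443),
    Rule("ingress", 4, "tcp", "0.0.0.0/0", 22, 22),
    Rule("egress", 4, "ANY", "0.0.0.0/0"),
    Rule("ingress", 4, "icmp", "0.0.0.0/0"),
    Rule("egress", 6, "ANY", "::/0"),
)

# Windows instances add the remote-connection port 9833 to the Linux set.
WINDOWS_DEFAULT = (Rule("ingress", 4, "tcp", "0.0.0.0/0", 9833, 9833),) + LINUX_DEFAULT


def rule_matches(rule: Rule, direction: str, protocol: str,
                 port: Optional[int], remote_ip: str) -> bool:
    """True if one rule covers this flow. `remote_ip` is the source for
    ingress and the destination for egress; `port` is None for icmp."""
    addr = ip_address(remote_ip)
    if rule.direction != direction or rule.ip_version != addr.version:
        return False
    if rule.protocol != "ANY" and rule.protocol != protocol:
        return False
    if rule.port_min is not None:
        hi = rule.port_max if rule.port_max is not None else rule.port_min
        if port is None or not (rule.port_min <= port <= hi):
            return False
    # ip_network.__contains__ also rejects an address of the other IP version
    return addr in ip_network(rule.cidr)


def is_allowed(rules: Sequence[Rule], direction: str, protocol: str,
               port: Optional[int], remote_ip: str) -> bool:
    """Allow-list semantics: no matching rule means the flow is dropped."""
    return any(rule_matches(r, direction, protocol, port, remote_ip) for r in rules)


def without_default_egress(rules: Sequence[Rule]) -> Sequence[Rule]:
    """Simulate deleting the default egress rules (hypothetical helper)."""
    return tuple(r for r in rules if not (r.direction == "egress" and r.protocol == "ANY"))


if __name__ == "__main__":
    # Constructed sample flows using documentation address ranges.
    for name, rules in (("linux", LINUX_DEFAULT), ("windows", WINDOWS_DEFAULT)):
        print(name, "ssh from Internet:",
              is_allowed(rules, "ingress", "tcp", 22, "203.0.113.5"))
        print(name, "port 9833 from Internet:",
              is_allowed(rules, "ingress", "tcp", 9833, "203.0.113.5"))
    print("outbound https after deleting default egress:",
          is_allowed(without_default_egress(LINUX_DEFAULT),
                     "egress", "tcp", 443, "203.0.113.5"))
```

Running the script shows why the page warns against deleting the default egress rule: with it removed, no rule matches outbound traffic, so even the instance's own HTTPS requests are dropped. The same evaluator can be pointed at a custom rule set to confirm that a narrower CIDR (for example a single /24 for SSH) really excludes the rest of the Internet before the group is attached to an instance.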
View a security group and rules
TWSC Portal (TWCC CLI: TBD)
- Go to the VCS Instance Management page > select Network & Security > Security Group to view security groups on the Security Group Management page. Select a security group to view the rules it contains.
Create a security group and rules
Please note that security group rule creation is limited to 30 requests per minute. Requests beyond this limit fail.
TWSC Portal (TWCC CLI: TBD)
- Follow the steps in View a security group and rules to go to the VCS Security Group Management page, and click +CREATE to create a new security group and rules.
- On the Create Security Group page, you can specify a name and description for the security group.
- Click NEXT: RULE>, configure the security group rules, and then click NEXT: REVIEW & CREATE>.
- Direction: Select ingress or egress.
- Port Range (Min): Set the beginning port to which this rule applies.
- Port Range (Max): Set the ending port to which this rule applies.
- Protocol: Select the protocol, such as tcp, udp, icmp, etc.
- CIDR: Specify the CIDR range to which this rule applies on the VCS instance.
- Considering information security risk, please do not set the CIDR to an insecure network segment of the form x.x.x.x/0; the only /0 value you should use is 0.0.0.0/0.
- Please set the port range carefully. To avoid the risk of intrusion, it is not recommended to set the ingress port range from 0 to 65535.
- Review your security group rule settings and the estimated cost, and then click CREATE.
- Once created, the new security group will be displayed in the list. Security group rules will include the new rules you specified and the default rules.
Delete a security group and rules
TWSC Portal (TWCC CLI: TBD)
- Follow the steps in View a security group and rules to go to the VCS Security Group Management page > select the groups > click DELETE above the list.
- Or click the menu button on the right side of the group, and click DELETE.
- The security groups of a VCS instance are not affected by the lifecycle of the instance. Therefore, once the instance is deleted, you can still view and manage the security groups and rules on the Security Group Management page.
- Remove the associated security groups from the instance on the VCS Instance Details page before deleting the security groups.
Associate/disassociate a security group to/from a VCS instance
Following the steps below, you can associate or disassociate an existing security group to/from a VCS instance:
- When creating a VCS instance, select and associate existing custom security groups to the instance.
- After creating a VCS instance, go to the VCS Instance Details page, select and add security groups to the instance, or remove associated security groups.
You can associate one security group to multiple VCS instances.
Security Group - Load balancers
View security group rules
TWSC Portal (TWCC CLI: TBD)
- Select Load Balancing Service from the service list > select Security Group below it to go to the Security Group Management (Load balancers) page.
- Select a load balancer; its current security group rules are displayed on the Security Group Rules Management page.
Default security group rules of load balancers
- The default ingress/egress rules of TWCC Application Load Balancers (HTTP listener); rows without a port range apply to the whole protocol, and 51 (ah) and 112 (vrrp) are IP protocol numbers:
Direction | Internet protocol | Port (minimum) | Port (maximum) | Protocol | CIDR |
---|---|---|---|---|---|
ingress | IPv4 | 80 | 80 | tcp | 0.0.0.0/0 |
ingress | IPv4 | 1025 | 1025 | tcp | 0.0.0.0/0 |
ingress | IPv4 | | | 51 (ah) | 0.0.0.0/0 |
ingress | IPv4 | | | 112 (vrrp) | 0.0.0.0/0 |
egress | IPv4 | | | ANY | 0.0.0.0/0 |
egress | IPv6 | | | ANY | ::/0 |
- The default ingress/egress rules of TWCC Application Load Balancers (HTTPS listener) and Network Load Balancers (TCP listener):
Direction | Internet protocol | Port (minimum) | Port (maximum) | Protocol | CIDR |
---|---|---|---|---|---|
ingress | IPv4 | 443 | 443 | tcp | 0.0.0.0/0 |
ingress | IPv4 | 1025 | 1025 | tcp | 0.0.0.0/0 |
ingress | IPv4 | | | 51 (ah) | 0.0.0.0/0 |
ingress | IPv4 | | | 112 (vrrp) | 0.0.0.0/0 |
egress | IPv4 | | | ANY | 0.0.0.0/0 |
egress | IPv6 | | | ANY | ::/0 |
Create a security group rule
TWSC Portal / TWCC CLI
- Follow the steps in View security group rules to go to the Security Group Rules Management page, and click +CREATE to create a new security group rule.
- Configure the security group rule on the Create Security Group Rules page, and then click NEXT: REVIEW & CREATE> when you are done.
- Direction: Select ingress or egress.
- Port Range (Min): Set the beginning port to which this rule applies.
- Port Range (Max): Set the ending port to which this rule applies.
- Protocol: Select the protocol, such as tcp, udp, icmp, etc.
- CIDR: Specify the CIDR range to which this rule applies on the load balancer.
- Review your security group rule settings and the estimated cost, and then click CREATE.
- Once created, the new security group rule will be displayed in the list.
- Considering information security risk, please do not set the CIDR to an insecure network segment of the form x.x.x.x/0; the only /0 value you should use is 0.0.0.0/0.
- Please set the port range carefully. To avoid the risk of intrusion, it is not recommended to set the ingress port range from 0 to 65535.
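The rule fields and the two caveats above are the same for VCS instance rules and load balancer rules, so one check serves both. The following added example (not TWSC's own tooling) lints a proposed rule before it is created: the CIDR must parse as a real network, so a value of the form x.x.x.x/0 is rejected unless it is 0.0.0.0/0 (or ::/0 for IPv6); the port range must be ordered and within 0-65535; and an ingress range of 0 to 65535 is reported as the intrusion risk the page warns about. The severity levels, the `note` for ingress open to the whole Internet, and the constructed sample rules are assumptions of this example.

```python
"""Lint proposed security group rules against the guidance on this page.

Added example, not TWSC's own tooling. Each finding is (severity, message):
"error" for values the page says not to use or that cannot be valid,
"warn" for the 0-65535 ingress range the page advises against, and
"note" (an assumption of this example) for ingress open to every address.
"""
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp", "ANY"}
Finding = Tuple[str, str]   # (severity, message)


def lint_rule(direction: str, protocol: str, port_min: Optional[int],
              port_max: Optional[int], cidr: str) -> List[Finding]:
    """Return the findings for one rule; an empty list means it passes."""
    findings: List[Finding] = []
    if direction not in ("ingress", "egress"):
        findings.append(("error", f"direction must be ingress or egress, got {direction!r}"))
    if protocol not in ALLOWED_PROTOCOLS:
        findings.append(("error", f"unknown protocol {protocol!r}; "
                                  f"use one of {sorted(ALLOWED_PROTOCOLS)}"))
    try:
        # Strict parsing rejects '10.0.0.0/0' (host bits set outside the prefix)
        # but accepts '0.0.0.0/0' and '::/0', which is exactly the page's rule.
        net = ip_network(cidr)
    except ValueError:
        findings.append(("error", f"invalid CIDR {cidr!r}: host bits set outside the prefix"))
    else:
        if net.prefixlen == 0 and direction == "ingress":
            findings.append(("note", f"ingress is open to every IPv{net.version} address; "
                                     "narrow the source range if the service is not public"))
    if protocol in ("tcp", "udp"):
        if port_min is None or port_max is None:
            findings.append(("error", "tcp/udp rules need both Port Range (Min) and (Max)"))
        elif not (0 <= port_min <= port_max <= 65535):
            findings.append(("error", f"port range {port_min}-{port_max} must be "
                                      "ordered and within 0-65535"))
        elif direction == "ingress" and (port_min, port_max) == (0, 65535):
            findings.append(("warn", "ingress rule opens every port; "
                                     "list only the ports the service needs"))
    return findings


def lint_rules(rules: List[dict]) -> Dict[int, List[Finding]]:
    """Lint a batch of rule dicts; the result maps rule index to its findings."""
    report: Dict[int, List[Finding]] = {}
    for i, r in enumerate(rules):
        findings = lint_rule(**r)
        if findings:
            report[i] = findings
    return report


def has_errors(report: Dict[int, List[Finding]]) -> bool:
    """True if any rule in the report would be rejected outright."""
    return any(sev == "error" for findings in report.values() for sev, _ in findings)


# Constructed sample rules (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = [
    dict(direction="ingress", protocol="tcp", port_min=22, port_max=22, cidr="203.0.113.0/24"),
    dict(direction="ingress", protocol="tcp", port_min=80, port_max=80, cidr="10.0.0.0/0"),
    dict(direction="ingress", protocol="tcp", port_min=0, port_max=65535, cidr="0.0.0.0/0"),
    dict(direction="ingress", protocol="icm", port_min=None, port_max=None, cidr="0.0.0.0/0"),
    dict(direction="egress", protocol="ANY", port_min=None, port_max=None, cidr="::/0"),
]

if __name__ == "__main__":
    report = lint_rules(SAMPLE_RULES)
    for index, findings in report.items():
        for severity, message in findings:
            print(f"rule {index}: {severity}: {message}")
    print("blocked:", has_errors(report))
```

Run the script over a batch of rules exported from your own change request before creating them in the portal; a report with any "error" entry should stop the change, while "warn" and "note" entries are the points to justify in review.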
Delete a security group rule
TWSC Portal (TWCC CLI: TBD)
- Follow the steps in View security group rules to go to the Security Group Rules Management page > select the rules > click DELETE above the list.
- Or click the menu button on the right side of the rule, and click DELETE.