Add a security group to a different security group.
When you add a security group to another security group (including to itself), you create a firewall rule that allows servers in the other security group to communicate with servers in this group over the private IP network. Typically, server-to-server communication over the private IP network is only available when both servers are located in the same cloud/region; communication between two servers located in different clouds/regions must go over the public IP network.
If you are setting up an application stack in a cloud infrastructure that consists of multiple tiers and servers, use the "Add Group" option for additional security. Instead of opening a port to any IP address, you can use a more restrictive setting that only allows designated groups of servers to make successful requests, and that ensures they communicate with each other over the private (not public) IP network for faster and more secure communication.
For example, if you have separate application and database server tiers, the database tier should only be accessible by other database servers (e.g. mirroring/synchronization) and to application servers that need to connect to the database.
The following clouds support the use of security groups:
* Security groups for these clouds are configured with Network Manager. To create firewall rules, see Create a New Firewall Rule.
First, you must determine which types of communications are necessary between servers in your configuration.
The following sample scenario includes one security group with public-facing web servers and another security group containing MySQL database servers that are not publicly accessible. The web servers must make requests to the MySQL database; however, the database servers never need to initiate communications with the web servers.
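The scenario above, modelled as an added example (this is not RightScale's code, nor any cloud provider's API; it is a small self-contained evaluator of ingress rules with constructed group names, server names and RFC 5737 documentation addresses). A group-reference rule matches only when the source is a server of the referenced group talking over the private network, which is the behaviour the text describes for "Add Group". The `db` group is added to itself so that database servers can replicate to each other, and no rule lets the database tier initiate anything toward the web tier:

```python
"""Constructed model of group-referencing security-group ingress rules."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One ingress rule; exactly one of source_cidr / source_group is set."""
    protocol: str
    port_from: int
    port_to: int
    source_cidr: Optional[str] = None    # e.g. "0.0.0.0/0" (any IP address)
    source_group: Optional[str] = None   # name of a security group ("Add Group")


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)


@dataclass
class Server:
    name: str
    group: str                      # security group the server belongs to
    private_ip: str
    public_ip: Optional[str] = None


def ingress_allowed(groups, dst, src, protocol, port, network="private"):
    """Return True if `src` may open a `protocol`/`port` connection to `dst`.

    `src` is either a Server (a cloud server) or a string IP (an arbitrary
    Internet client). `network` selects which address of a Server source the
    rules see: "private" for the private IP network, "public" for the public one.
    """
    src_is_server = isinstance(src, Server)
    if src_is_server:
        src_ip = src.private_ip if network == "private" else src.public_ip
    else:
        src_ip = src
    if src_ip is None:
        return False  # the server has no address on that network
    for rule in groups[dst.group].ingress:
        if rule.protocol != protocol or not (rule.port_from <= port <= rule.port_to):
            continue
        if rule.source_group is not None:
            # A group reference only matches servers of that group, and only
            # for traffic carried over the private IP network.
            if src_is_server and network == "private" and src.group == rule.source_group:
                return True
        elif rule.source_cidr is not None:
            if ip_address(src_ip) in ip_network(rule.source_cidr):
                return True
    return False


def build_scenario():
    """Constructed two-tier stack: a public web tier and a private MySQL tier."""
    web = SecurityGroup("web", [
        Rule("tcp", 80, 80, source_cidr="0.0.0.0/0"),
        Rule("tcp", 443, 443, source_cidr="0.0.0.0/0"),
    ])
    db = SecurityGroup("db", [
        Rule("tcp", 3306, 3306, source_group="web"),  # "Add Group": the web tier
        Rule("tcp", 3306, 3306, source_group="db"),   # group added to itself: replication
    ])
    groups = {g.name: g for g in (web, db)}
    servers = {
        "web1": Server("web1", "web", "10.0.1.10", "203.0.113.10"),
        "db1": Server("db1", "db", "10.0.2.10", "203.0.113.20"),
        "db2": Server("db2", "db", "10.0.2.11", "203.0.113.21"),
    }
    return groups, servers


def check_scenario():
    """Evaluate the connections a practitioner would want to confirm."""
    groups, s = build_scenario()
    client = "198.51.100.7"  # constructed Internet client address
    return {
        "internet_to_web_https": ingress_allowed(groups, s["web1"], client, "tcp", 443),
        "internet_to_db_mysql": ingress_allowed(groups, s["db1"], client, "tcp", 3306),
        "web_to_db_private": ingress_allowed(groups, s["db1"], s["web1"], "tcp", 3306),
        "web_to_db_public": ingress_allowed(groups, s["db1"], s["web1"], "tcp", 3306, network="public"),
        "db_to_db_replication": ingress_allowed(groups, s["db2"], s["db1"], "tcp", 3306),
        "db_to_web_ssh": ingress_allowed(groups, s["web1"], s["db1"], "tcp", 22),
    }


if __name__ == "__main__":
    for name, allowed in check_scenario().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The evaluator makes the two properties of the design visible: the database port is reachable from the web tier only over the private network (the same request over the public addresses is denied, as is any request from the Internet), and adding `db` to itself permits replication without opening the port to anything outside the tier.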
The cloud account user. For AWS, the 'owner' is defined by the AWS account number (e.g. 1234-1234-1234). For a CloudStack private cloud, the 'owner' is the 'user' that was created and used to generate the cloud token. If you do not know the 'user' name, contact the cloud's system administrator.
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.