Add a Security Group to another Security Group
Objective
Add a security group to a different security group.
Table of Contents
Overview
When you add a security group to another security group (including to itself), you create a firewall rule that will allow servers of the other security group to communicate on the private IP network. Typically, server-server communication on the private IP network is only available if both servers are located in the same cloud/region. Whereas communication between two servers located in different clouds/regions must be performed over the public IP network.
If you are setting up an application stack in a cloud infrastructure that consists of multiple tiers and servers, use the "Add Group" option for additional security. Instead of opening a port to any IP address, you can use a more restrictive setting that only allows a designated group(s) of servers to make successful requests, as well as ensure that they communicate with each other over the private (not public) IP network for faster and more secure communication.
For example, if you have separate application and database server tiers, the database tier should only be accessible by other database servers (e.g. mirroring/synchronization) and to application servers that need to connect to the database.
The following clouds support the use of security groups:
- Amazon EC2*
- OpenStack*
- CloudStack
- Google Compute Engine
* Security groups for these clouds are configured with Network Manager. To create firewall rules, see Create a New Firewall Rule.
Prerequisites
- Adding and editing security groups requires the 'security_manager' role. See User Role Privileges.
- RightScale account with valid cloud credentials for Google and/or CloudStack.
- In order to add a security group, you must know the "owner" that created the security group as well as the exact name.
- An existing security group. If you need to create one, see Create a New Security Group.
Steps
Determine Which Servers Can Initiate Communications
First, you must determine which types of communications are necessary between servers in your configuration.
The following sample scenario includes one security group with public-facing web servers and another security group containing MySQL database servers that are not publicly accessible. The web servers must make requests to the MySQL database; however, the database servers never need to initiate communications with the web servers.
Add Group Rule
- Open the security group that you need to edit (Clouds -> CloudName -> Security Groups) and go to the "Permissions" section under the Info tab.
-
Owner -
The cloud account user. For AWS, the 'owner' is defined by the AWS account number (e.g. 1234-1234-1234). For a CloudStack private cloud, the 'owner' is the 'user' that was created and used to generated the cloud token. If you do not know the 'user' name, contact the cloud's system administrator.
- CloudStack - Specify the username that was used to create the OpenStack cloud account. (e.g. my-company)
- Google - N/A
-
Group - The security group you want to add a rule for in the current security group. Note: You can add a security group to itself.
- CloudStack - Enter the name of the security group you wish to add. (e.g. 3tier-db) You cannot use the 'Resource UID'.
- Google - Enter the 'Resource UID' of the security group you wish to add. (e.g. sg-5e60afa31)
- Protocol - Select the IP protocol (TCP, UDP) for the firewall rule.
- Ports - Enter the port or range of ports that you wish to open to the added security group. To open all ports, use 0..60000.
- © Copyright 2015 RightScale Technical Support