
Create a New Security Group Firewall Rule

Prerequisites

  • 'security_manager' user role privilege
  • RightScale account with valid AWS and/or OpenStack credentials

Overview

After you have created a Security Group, you can create different types of firewall rules to control both inbound (requests to the instance) and outbound (requests from the instance) firewall permissions. Remember that any instance launched into a cloud infrastructure (e.g. AWS EC2) must be assigned at least one security group, and it is the individual firewall permissions defined within those security groups that determine whether an inbound or outbound request is allowed or denied. Although changes to a security group's firewall rules immediately affect all running instances that use that security group, it is recommended that you define a security group's firewall rules before launching instances with it.

You can create two different types of firewall rules.

  • IP-based - Firewall permissions are granted to either any IP address (e.g. 0.0.0.0/0), a range of IP addresses (e.g. 173.0.0.0/8), or a specific IP address (e.g. 173.225.0.12/32) using CIDR notation.
  • Group-based - Defines firewall rules whose permissions are granted to another security group, or to the security group itself.

The following clouds support the use of security groups:

  • Amazon EC2
  • OpenStack
  • CloudStack*
  • Google Compute Engine*

* Security groups for these clouds are not configured with Network Manager. Go to Clouds > CloudName > Security Groups. To create security groups and firewall rules, see Add a Security Group to another Security Group.

Steps

Create an IP-based Firewall Rule

  1. Go to Manage > Networks and select the network you would like to use.
  2. Select a security group and go to its Security Groups tab.
  3. Click New Rule and make the appropriate selections for your firewall rule.

[Screenshot: New Rule (IP-based) - screen-New_Rule_IP-v2.png]

  • Direction - Defines if the firewall rule applies to inbound or outbound requests to/from instances.
    • Inbound - Requests to instances using the security group.
    • Outbound -  Requests from instances using the security group.
  • Protocol - Defines the protocol(s) to which the rule applies (TCP/UDP/ICMP). Several of the most common firewall rules are predefined for your convenience. (Note: the predefined rules allow any IP address, i.e. '0.0.0.0/0'.)
    • All Protocols - IPs - Create a rule that allows requests to/from any '0.0.0.0/0' IP address for all TCP and UDP ports, and ICMP 0..0 (depending on the specified direction).
    • All Protocols - Group - Create a rule that allows requests to/from another security group or itself (if specified) over the private network.
    • TCP IPs - Create a rule for a TCP port or range of ports.
    • UDP IPs - Create a rule for a UDP port or range of ports.
    • ICMP IPs - Create a rule for the ICMP protocol.
    • Common Rules
      • FTP (TCP:21) - Enables standard FTP access to servers.
      • SSH (TCP:22) - Enables port 22, which grants SSH access into the server. For more information, see SSH into a Server.
      • HTTP (TCP:80) - Enables HTTP access to servers.
      • HTTPS (TCP:443) - Enables HTTPS access to servers.
      • Remote Desktop (TCP:3389) - Allows you to RDP into a Windows server. For more information, see RDP into a Server.
  • Ports - Specify a port or range of ports for the firewall rule. See examples below:
    • Single Port: 80 to 80
    • Range of Ports: 8000 to 8050
  • IP Range - Specify the IP address or range of IP addresses that will be allowed access. Use the My IP button to populate the field with your machine's own public IP address. For example, you may want to give access only to your own development machine or to your company's network.
    • My IP - 173.225.0.12/32
  4. Click Save.

Create a Group-based Firewall Rule

Add a Security Group to another Security Group

  1. Go to Manage > Networks and select the network you would like to use.
  2. Select a security group and go to its Security Groups tab.
  3. Click New Rule and make the appropriate selections for your firewall rule.

[Screenshot: New Rule (Group-based) - screen-New_Rule_Group-v2.png]

  • Direction - Defines if the firewall rule applies to inbound or outbound requests to/from instances.
    • Inbound - Requests to instances using the security group.
    • Outbound -  Requests from instances using the security group.
  • Protocol - Defines the protocol(s) to which the rule applies (TCP/UDP/ICMP). Several of the most common firewall rules are predefined for your convenience. (Note: the predefined rules allow any IP address, i.e. '0.0.0.0/0'.)
    • All Protocols - Group - Create a rule that allows requests to/from another security group or itself (if specified) over the private network.
    • TCP IPs - Create a rule for a TCP port or range of ports.
    • UDP IPs - Create a rule for a UDP port or range of ports.
    • ICMP IPs - Create a rule for the ICMP protocol.
  • Ports - Specify a port or range of ports for the firewall rule. See examples below:
    • Single Port: 80 to 80
    • Range of Ports: 8000 to 8050
  • Owner - Be sure to specify the appropriate value based upon the chosen cloud. Typically, you will grant access to security groups within the same cloud account; however, you can grant access to a security group in a different cloud account if desired.
    • AWS - Use your 12-digit AWS account number (without spaces). Click My Account to prepopulate the field with the AWS account number that is associated with the current RightScale account.
      • For an Amazon Elastic Load Balancer (ELB), use the following: amazon-elb
    • OpenStack - Specify either the username that was used to create the OpenStack cloud account (e.g. my-company) or the Tenant ID. To locate the Tenant ID, log in to the cloud console, go to Settings > OpenStack API, and copy the suffix at the end of the Nova Service Endpoint (e.g. http://50.162.234.224:8774/v1/8a2e587052628a2e587df155d8a2e587).
  • Group - Specify the name or ID of the security group to which the firewall rule applies. Remember, you can specify either a different security group or the same security group itself, and you can also grant access to a security group from a different cloud account. Note, however, that you can only create a group-based firewall rule for a security group within the same cloud/region, because the private network must be accessible. For example, in Amazon EC2, you cannot add a security group from 'us-east' to a security group in 'us-west'.
    • AWS - You can either specify the name of the security group (e.g. mySG) or the security group's Resource UID (e.g. sg-0a1b3456) located under the Info tab.
      • For an Amazon Elastic Load Balancer (ELB), use the following: amazon-elb-sg
    • OpenStack - Enter the 'Resource UID' of the security group you wish to add. (e.g. 91) You cannot use the security group's name for this field.
  4. Click Save.
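The two procedures above (IP-based rules matched by CIDR, and group-based rules matched by the peer instance's security group) can be modelled in a few lines to make the allow-list semantics concrete. The following is an added example, not RightScale code: it represents a rule with the same fields as the New Rule form (direction, protocol, port range, and either a CIDR or a source group), evaluates a request against a rule set, and flags inbound rules that open the SSH or Remote Desktop ports to '0.0.0.0/0'. The rule set, IP addresses and group ID are constructed sample data.

```python
"""Evaluate security-group firewall rules (IP-based and group-based).

Added example, not RightScale code. Models the rule fields from the New Rule
form and shows how a request is matched against them. All names and sample
data (rules, IPs, group IDs) are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_IP = "0.0.0.0/0"
ADMIN_PORTS = {22: "SSH", 3389: "Remote Desktop"}


@dataclass(frozen=True)
class Rule:
    direction: str                  # "inbound" or "outbound"
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    port_from: int = 0              # inclusive range; ignored for icmp/all
    port_to: int = 65535
    cidr: Optional[str] = None      # IP-based rule, e.g. "173.225.0.12/32"
    group: Optional[str] = None     # group-based rule, e.g. "sg-0a1b3456" (constructed)

    def __post_init__(self):
        # Exactly one of cidr / group must be set, mirroring the two rule types
        if (self.cidr is None) == (self.group is None):
            raise ValueError("a rule needs exactly one of cidr or group")
        if self.cidr is not None:
            ip_network(self.cidr, strict=False)  # reject malformed CIDR early
        if self.port_from > self.port_to:
            raise ValueError("port_from must not exceed port_to")


@dataclass(frozen=True)
class Request:
    direction: str
    protocol: str
    port: int                            # 0 for icmp
    peer_ip: str                         # the remote side's address
    peer_groups: frozenset = frozenset() # security groups of the remote instance, if known


def rule_matches(rule: Rule, req: Request) -> bool:
    """True if this single rule permits the request."""
    if rule.direction != req.direction:
        return False
    if rule.protocol not in ("all", req.protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.port_from <= req.port <= rule.port_to):
        return False
    if rule.cidr is not None:
        # IP-based rule: CIDR containment check
        return ip_address(req.peer_ip) in ip_network(rule.cidr, strict=False)
    # Group-based rule: the peer must be an instance carrying the referenced group
    return rule.group in req.peer_groups


def is_allowed(rules, req: Request) -> bool:
    """Security groups are allow-lists: anything not matched by a rule is denied."""
    return any(rule_matches(r, req) for r in rules)


def overly_permissive(rules):
    """Return (rule, reason) pairs for inbound rules exposing admin ports to any IP."""
    findings = []
    for r in rules:
        if r.direction != "inbound" or r.cidr is None:
            continue
        if ip_network(r.cidr, strict=False) != ip_network(ANY_IP):
            continue
        for port, name in ADMIN_PORTS.items():
            if r.protocol == "all" or (r.protocol == "tcp" and r.port_from <= port <= r.port_to):
                findings.append((r, f"{name} (TCP:{port}) open to {ANY_IP}"))
    return findings


# Constructed sample rule set, following the page's examples
SAMPLE_RULES = [
    Rule("inbound", "tcp", 80, 80, cidr=ANY_IP),              # HTTP from anywhere
    Rule("inbound", "tcp", 22, 22, cidr="173.225.0.12/32"),    # SSH from "My IP" only
    Rule("inbound", "tcp", 8000, 8050, group="sg-0a1b3456"),   # app ports from another group
    Rule("inbound", "tcp", 3389, 3389, cidr=ANY_IP),           # RDP from anywhere (flagged)
]

if __name__ == "__main__":
    print("HTTP from internet:", is_allowed(SAMPLE_RULES, Request("inbound", "tcp", 80, "198.51.100.7")))
    print("SSH from My IP:", is_allowed(SAMPLE_RULES, Request("inbound", "tcp", 22, "173.225.0.12")))
    print("SSH from elsewhere:", is_allowed(SAMPLE_RULES, Request("inbound", "tcp", 22, "198.51.100.7")))
    for rule, reason in overly_permissive(SAMPLE_RULES):
        print("WARNING:", reason)
```

Two points the walk-through makes visible: a group-based rule only matches when the peer is an instance that carries the referenced group (a plain IP on the same network does not qualify), and a security group never contains deny rules, so the only way to restrict access is to leave a request unmatched. The overly_permissive check is the kind of review worth running before saving a rule that uses the predefined '0.0.0.0/0' entries for SSH or Remote Desktop.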
Last modified
09:45, 14 Oct 2014


© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.