...

There is a default security group that cannot be deleted; however, rules can be added to it and removed from it. Additional security groups can also be created as needed. When a new Rapid Access Cloud account is created, the default security group has four rules. The Egress rules (traffic going out from the instance) permit all outbound traffic by default. The Ingress rules (traffic coming in to the instance) deny traffic by default, since they do not specify any network in the Remote IP Prefix. Thus, a few rules are required to permit basic access.

...


Warning: Use Rational Security Groups

We strongly advise against highly permissive security groups. Allowing access from any source (i.e. 0.0.0.0/0 or ::/0) means that anyone in the world can access your instance. We advise limiting the traffic to your instance to the smallest possible CIDR.

Allowing access to all ports (port range 1 : 65535) means that anyone from the allowed CIDR can access all services on your instance - even services which should only be internal.

For best practices, please read this informative blog on OpenStack Security.


Modify the default security group


Note: Bad practice ahead!

In the example below, it is recommended that the Remote CIDR address not be 0.0.0.0/0 or ::/0 for the SSH rules. These values are used for example only, and when possible a known source IP address should be used instead (e.g. your home IP address). If you need to determine your source IP address, searching 'what is my ip' in a search engine such as Google will provide the address.


  1. Log-in to the Rapid Access Cloud dashboard at https://cloud.cybera.ca.

  2. In the left-hand panel under “Network”, click “Security Groups”.

  3. Click the “Manage Rules” button on the right-hand side associated with the “default” security group. The list initially has four rules; we are going to add rules that:

    1. permit ICMP for ping and traceroute, from any IPv4 or IPv6 address

    2. permit SSH from any IPv4 or IPv6 address

  4. Click “+Add Rule” in the top right. We are going to be adding four rules. For each rule, input the values, then click the blue “Add” button. Note that the first and third rules are for IPv4 access, while the second and fourth are for IPv6:

...
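The following is an added example, not part of the Rapid Access Cloud documentation or Cybera's own tooling. It puts the warning and the procedure above into code: `ssh_and_icmp_rules` builds the four ingress rules the procedure adds (ICMP and SSH, each for IPv4 and IPv6) but scoped to the caller's own source CIDRs instead of 0.0.0.0/0 and ::/0, and `audit_rules` flags the two patterns the warning calls out (any-source CIDRs and all-ports ranges). The rule dictionaries use the attribute names of the OpenStack Networking API (`direction`, `ethertype`, `protocol`, `port_range_min`, `port_range_max`, `remote_ip_prefix`); the protocol name `ipv6-icmp`, the sample CIDRs and the sample rule set are assumptions constructed for the example.

```python
import ipaddress

# Rule dicts mirror the attribute names the OpenStack Networking API uses for
# security group rules. All sample values in this file are constructed.
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def ssh_and_icmp_rules(remote_v4, remote_v6):
    """Return the four ingress rules the procedure adds to the 'default' group,
    restricted to the caller's IPv4 and IPv6 source CIDRs."""
    v4 = ipaddress.ip_network(remote_v4, strict=False)
    v6 = ipaddress.ip_network(remote_v6, strict=False)
    if v4.version != 4 or v6.version != 6:
        raise ValueError("remote_v4 must be an IPv4 CIDR and remote_v6 an IPv6 CIDR")

    def rule(ethertype, protocol, port, prefix):
        return {"direction": "ingress", "ethertype": ethertype, "protocol": protocol,
                "port_range_min": port, "port_range_max": port,
                "remote_ip_prefix": str(prefix)}

    return [
        rule("IPv4", "icmp", None, v4),       # rule 1: ping/traceroute over IPv4
        rule("IPv6", "ipv6-icmp", None, v6),  # rule 2: ping/traceroute over IPv6
        rule("IPv4", "tcp", 22, v4),          # rule 3: SSH over IPv4
        rule("IPv6", "tcp", 22, v6),          # rule 4: SSH over IPv6
    ]


def audit_rules(rules):
    """Flag ingress rules that are open to any source or open all ports.
    Returns a list of human-readable findings (empty means nothing flagged)."""
    findings = []
    for i, r in enumerate(rules):
        if r["direction"] != "ingress":
            continue  # egress is permitted by default; the warning concerns ingress
        prefix = r.get("remote_ip_prefix")
        if prefix is None:
            continue  # no remote prefix: the rule does not open ingress from a network
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            findings.append(f"rule {i}: open to any source ({prefix})")
        lo, hi = r.get("port_range_min"), r.get("port_range_max")
        # In the API an unset port range on tcp/udp (or an unset protocol) means all ports.
        if r["protocol"] in (None, "tcp", "udp") and lo in (None, 1) and hi in (None, 65535):
            findings.append(f"rule {i}: all ports ({r['protocol'] or 'any'}) from {prefix}")
    return findings


def constructed_sample():
    """A constructed rule set: the default group's permissive egress rules plus
    one overly permissive ingress rule of the kind the warning describes."""
    return [
        {"direction": "egress", "ethertype": "IPv4", "protocol": None,
         "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
        {"direction": "egress", "ethertype": "IPv6", "protocol": None,
         "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
        {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 1, "port_range_max": 65535, "remote_ip_prefix": ANY_V4},
    ]


if __name__ == "__main__":
    # Constructed CIDRs standing in for "your home IP address".
    for r in ssh_and_icmp_rules("203.0.113.0/24", "2001:db8::/32"):
        print(r)
    for finding in audit_rules(constructed_sample()):
        print("WARNING:", finding)
```

Run it and the audit prints two findings for the constructed sample (any source, all ports), while the four scoped rules produce none; swap the sample CIDRs for your own source address before using the rule specs with the dashboard or CLI.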