Creating a Security Rule

How to create a security rule for your VPC.

Security rules serve as a method of controlling inbound traffic to your network, thus ensuring the security and integrity of your application or service by defining which kind of traffic is allowed and from where. They act like a virtual boundary wall around your resources, allowing only the approved traffic while blocking all the rest.

When you create a security rule, you specify parameters including a protocol (TCP, UDP, ICMP), a source or destination IP address range, port numbers, and whether to allow or deny the traffic matching these conditions. Once implemented, the security rules scrutinize all incoming traffic, and apply the conditions mentioned in the rules.

Opening other ports becomes necessary based on the specific requirements of your applications or services. Here are a few reasons why you would want to open other ports:

  1. Different services and applications use different network protocols and ports. For example, web servers usually use port 80 for HTTP and port 443 for HTTPS. If you have a mail server, you would open port 25 for SMTP traffic. Without opening these necessary ports, these services wouldn't be accessible.

  2. If your application involves a database that needs to be accessed over the network, appropriate ports would need to be opened for this purpose. For instance, for MySQL, this would typically be port 3306.

  3. If you need to securely log in to your instances for administration purposes, you'd need to open port 22 which is typically used for SSH.

  4. If your application uses non-standard ports or if you've selected a specific port for your application to use, you'd need to open that port to allow traffic in.

  5. Load balancers distribute network traffic across multiple servers to ensure no single server bears too much demand. To make it happen, you would need to open corresponding ports through which the load balancer can direct traffic.

Thus, while configuring security rules, it's important to consider the specific requirements of your application or service to ensure that all necessary ports are accessible. However, to maintain security, only those ports that are necessary should be opened; unnecessary open ports can pose a security risk by providing potential entry points for malicious activities. Nirvana Cloud uses a "deny all by default" approach. This means that unless you explicitly allow access on a port, access is denied by default.

Creating a Security Rule

Suppose you're hosting a web application within a particular Virtual Private Cloud (VPC). This application might be a customer support portal that collects information and funnels it to your backend team. The web application runs on an Apache server which operates on port 443 for HTTPS. You need to create a security rule to enable users to access the application over the internet.

To create a security rule, navigate to the "Networking" page:

Find the VPC that you would like to create a security rule in. If, for example, your VM is located in the "pink-database-roadrunner-za3c8" VPC, you would choose this one by clicking "Manage."

Next, click on the "Add Security Rule" button. In this case, you can also see that we already have a security rule allowing TCP access to a single VM in this subnet on port 22 for SSH.

By default, the name of the security rule will be the same name as the VPC. In this case, we added "https" to the name.

The source IP is the range or IP that you are allowing access to the destination port. In this case, we are opening port 443 to the world. 0.0.0.0/0 allows all IP addresses access. In most cases, you will want to put a specific IP in the source. For example, if you only want a specific VM to have access to your destination, you would input <YOUR PUBLIC IP>/32 or 123.456.789.10/32.

The destination IP can either be your subnet or a specific VM private IP. In this case, we chose to open 443 on the entire 10.128.45.128 subnet. This means that all VMs on this subnet, will have port 443 open to the world. In most cases, you want to choose a specific VM IP. For example, if you have a subnet with multiple machines, but only one of those machines is a web server, you would only allow access to 443 on that particular machine. The destination IP would look something like <YOUR VM PRIVATE IP>/32 or 1.2.3.4/32.

The destination port is the port that you would like to open. In this case, we are opening port 443.

The internet protocol will change based on the use case. In most cases, you will want to open a TCP port.

Now that you have created a security rule, click on the "Add Security Rule" button.

The new security rule is now showing in our security rules list.

👍

Congratulations! You created a security rule for your VPC.


What’s Next