平安云|Ping An Cloud- Building Your Smart Future

The Security Group

Security group is a virtual firewall with functions of status detection and packet filtration. It can be used for configuring the network access control of one or more instances. It is an important method for network security isolation, dividing security domains on the cloud. Instances in the same security group, by default, are connected with each other in private networks, while instances in different security groups, by default, are not. But mutual access between two security groups can be authorized. The security group function of Ping An Cloud’s BMS is only needed when instances in a VPC network want to access instances in different VPC networks, or when BMS instances want to access ECS ones. At present, the security group function of BMS is available only by customers in regions of South China 1. If you need security groups in other regions, you can submit a ticket and apply for manual help from our technicians. The following table shows how to configure security group rules to achieve mutual access of ECS and BMS in different regions. <table border="1" cellpadding="0" cellspacing="0"> <tbody> <tr> <td style="background-color:#ededed; vertical-align:top"> Regions </td> <td style="background-color:#ededed; vertical-align:top"> Network Domains Supported </td> <td style="background-color:#ededed; vertical-align:top"> Descriptions </td> </tr> <tr> <td style="vertical-align:top"> East China 1 </td> <td style="vertical-align:top"> SF </td> <td style="vertical-align:top"> BMS and ECS are recommended to be deployed in the same VPC since accesses among different VPC networks need to create an express connect. If BMS is created in SF network domain, ECS needs to be created in DMZ network domain of the same VPC. ECS access BMS: <ul> <li>ECS (DMZ）—> BMS (SF）: create ECS outbound security group rules; no need for BMS security group rules</li> </ul> BMS access ECS: <ul> <li>ECS (DMZ）<— BMS (SF）: create BMS outbound security group rules; no need for ECS security group rules</li> </ul> </td> </tr> <tr> <td style="vertical-align:top"> North China 1, Hong Kong </td> <td style="vertical-align:top"> SF </td> <td style="vertical-align:top"> BMS and ECS are recommended to be deployed in the same VPC since accesses among different VPC networks need to create an express connect. If BMS is created in SF network domain, ECS needs to be created in DMZ network domain of the same VPC. ECS access BMS: <ul> <li>ECS (DMZ）—> BMS (SF）: create ECS outbound security group rules; no need for BMS security group rules</li> </ul> BMS access ECS: <ul> <li>ECS (DMZ）<— BMS (SF）: create BMS outbound security group rules; no need for ECS security group rules</li> </ul> </td> </tr> <tr> <td style="vertical-align:top"> South China 1 </td> <td style="vertical-align:top"> SF、DMZ </td> <td style="vertical-align:top"> BMS and ECS are recommended to be deployed in the same VPC since accesses among different VPC networks need to create an express connect. If BMS is created in SF network domain, ECS needs to be created in DMZ network domain of the same VPC. ECS access BMS: <ul> <li>ECS (DMZ) —> BMS (SF）: create ECS outbound security group rules; no need for BMS security group rules</li> </ul> BMS access ECS: <ul> <li>ECS (DMZ）<— BMS (SF）: create BMS outbound security group rules; no need for ECS security group rules</li> </ul>   Only one DMZ network domain is allowed in one VPC. If both ECS and BMS are in DMZ network domains, you have to create two VPCs: ECS access BMS: <ul> <li> ECS (DMZ）—> BMS (SF）: create an express connect, create ECS outbound security group rules and BMS inbound security group rules</li> </ul> BMS access ECS: <ul> <li> ECS (DMZ）<— BMS (SF）: create an express connect, create BMS outbound security group rules and ECS inbound security group rules</li> </ul> </td> </tr> </tbody> </table>

Did the above content solve your problem? Yes No