cloudstack/docs/en-US/add-ingress-egress-rules.xml

<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements.  See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License.  You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied.  See the License for the
	specific language governing permissions and limitations
	under the License.
-->
<section id="add-ingress-egress-rules">
  <title>Adding Ingress and Egress Rules to a Security Group</title>
  <orderedlist>
    <listitem>
      <para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
    </listitem>
    <listitem>
      <para>In the left navigation, choose Network</para>
    </listitem>
    <listitem>
      <para>In Select view, choose Security Groups, then click the security group you want .</para>
    </listitem>
    <listitem>
      <para>To add an ingress rule, click the Ingress Rules tab and fill out the following fields to
        specify what network traffic is allowed into VM instances in this security group. If no
        ingress rules are specified, then no traffic will be allowed in, except for responses to any
        traffic that has been allowed out through an egress rule.</para>
      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Add by CIDR/Account</emphasis>. Indicate whether the source of
            the traffic will be defined by IP address (CIDR) or an existing security group in a
            &PRODUCT; account (Account). Choose Account if you want to allow incoming traffic from
            all VMs in another security group</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Protocol</emphasis>. The networking protocol that sources will
            use to send traffic to the security group. TCP and UDP are typically used for data
            exchange and end-user communications. ICMP is typically used to send error messages or
            network monitoring data.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Start Port, End Port</emphasis>. (TCP, UDP only) A range of
            listening ports that are the destination for the incoming traffic. If you are opening a
            single port, use the same number in both fields.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>. (ICMP only) The type of
            message and error code that will be accepted.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">CIDR</emphasis>. (Add by CIDR only) To accept only traffic
            from IP addresses within a particular address block, enter a CIDR or a comma-separated
            list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example,
            192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Account, Security Group</emphasis>. (Add by Account only) To
            accept only traffic from another security group, enter the &PRODUCT; account and name of
            a security group that has already been defined in that account. To allow traffic between
            VMs within the security group you are editing now, enter the same name you used in step
            7.</para>
        </listitem>
      </itemizedlist>
      <para>The following example allows inbound HTTP access from anywhere:</para>
      <mediaobject>
        <imageobject>
          <imagedata fileref="./images/http-access.png"/>
        </imageobject>
        <textobject>
          <phrase>httpaccess.png: allows inbound HTTP access from anywhere</phrase>
        </textobject>
      </mediaobject>
    </listitem>
    <listitem>
      <para>To add an egress rule, click the Egress Rules tab and fill out the following fields to
        specify what type of traffic is allowed to be sent out of VM instances in this security
        group. If no egress rules are specified, then all traffic will be allowed out. Once egress
        rules are specified, the following types of traffic are allowed out: traffic specified in
        egress rules; queries to DNS and DHCP servers; and responses to any traffic that has been
        allowed in through an ingress rule</para>
      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Add by CIDR/Account</emphasis>. Indicate whether the
            destination of the traffic will be defined by IP address (CIDR) or an existing security
            group in a &PRODUCT; account (Account). Choose Account if you want to allow outgoing
            traffic to all VMs in another security group.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Protocol</emphasis>. The networking protocol that VMs will use
            to send outgoing traffic. TCP and UDP are typically used for data exchange and end-user
            communications. ICMP is typically used to send error messages or network monitoring
            data.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Start Port, End Port</emphasis>. (TCP, UDP only) A range of
            listening ports that are the destination for the outgoing traffic. If you are opening a
            single port, use the same number in both fields.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>. (ICMP only) The type of
            message and error code that will be sent</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">CIDR</emphasis>. (Add by CIDR only) To send traffic only to IP
            addresses within a particular address block, enter a CIDR or a comma-separated list of
            CIDRs. The CIDR is the base IP address of the destination. For example, 192.168.0.0/22.
            To allow all CIDRs, set to 0.0.0.0/0.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Account, Security Group</emphasis>. (Add by Account only) To
            allow traffic to be sent to another security group, enter the &PRODUCT; account and name
            of a security group that has already been defined in that account. To allow traffic
            between VMs within the security group you are editing now, enter its name.</para>
        </listitem>
      </itemizedlist>
    </listitem>
    <listitem>
      <para>Click Add.</para>
    </listitem>
  </orderedlist>
</section>