What are the Aliyun application cases?

Source: Internet
Author: User
Tags: aliyun


Beyond their basic protective role, security groups can also be used to implement the following:

Case 1: Intranet communication between instances

Case 2: Blocking a specific IP address or port

Case 3: Allowing only specific IP addresses to log in to instances

Case 4: Allowing instances to access only specific external IP addresses

Note: The cases described in this document apply only to classic-network instances.

Case 1: Using security groups to enable intranet communication

In the classic network, you can use security groups to enable intranet communication between different ECS instances. There are two situations:

Scenario 1: The instances belong to the same region and the same account

Scenario 2: The instances belong to the same region but different accounts

Scenario 1: Same region, same account

In the same region and under the same account, intranet communication between classic-network ECS instances can be set up through security group rules.

Instances in the same security group can communicate over the intranet by default. Instances in different security groups cannot communicate over the intranet by default. To enable intranet communication between them, there are two solutions:

Solution 1: Put the instances into the same security group; they can then communicate over the intranet.

Solution 2: If the instances are not in the same security group, add an intranet-direction rule to each of the two security groups with the authorization type set to security group access, authorizing the other group, or add the other instance's intranet IP address as the authorization object.

Scenario 2: Same region, different accounts

In the same region but under different accounts, intranet communication between two classic-network ECS instances can be set up through security group rules. For example:

UserA has a classic-network ECS instance InstanceA (intranet IP a.a.a.a) in East China 1 (Hangzhou); InstanceA belongs to security group GroupA.

UserB has a classic-network ECS instance InstanceB (intranet IP b.b.b.b) in East China 1 (Hangzhou); InstanceB belongs to security group GroupB.

In this case, security group configuration can be used to enable intranet communication between InstanceA and InstanceB. The steps are as follows:

UserA adds a rule to GroupA: in the intranet direction, allow the IP address b.b.b.b to access all ECS instances in GroupA.

UserB adds a rule to GroupB: in the intranet direction, allow the IP address a.a.a.a to access all ECS instances in GroupB.

The two instances can then communicate with each other over the intranet.

Case 2: Using security groups to block specific IP addresses or ports from accessing an ECS instance

You can use security groups to block a specific IP address from accessing your ECS instance, or to block a specific IP address from accessing specific ports on the instance. The procedure is as follows:

Log on to the Cloud Server Management Console.

Locate the instance you want to configure.

Open the security group of the instance and click Configure Rules.

Click the public network direction tab, then click Add Security Group Rule.

For Authorization Policy, choose Reject; for Authorization Object, enter the IP address to be blocked. Click OK.

To restrict a specific port instead, for example to block a specific IP address from reaching port 22 of your ECS instance, choose Reject as the authorization policy, select TCP as the protocol type, enter 22/22 as the port range, and enter the IP address to be blocked as the authorization object. Click Confirm.

Case 3: Allowing only specific IP addresses to log in to instances

You can configure security group rules so that only specific IP addresses can log in to an instance remotely. Only rules in the public network direction are needed.

Take a Linux server as an example, and allow only a specific IP address to access port 22.

Add a public-network-direction security group rule: Allow access, protocol type TCP, port range 22/22, authorization type address segment access, authorization object the IP address allowed to connect remotely, priority 1.

Add a rule: Deny access, protocol type TCP, port range 22/22, authorization type address segment access, authorization object 0.0.0.0/0, priority 2.

Add a rule: Allow access, protocol type All, port range left at the default (all ports), authorization object 0.0.0.0/0, priority 3.

Once these three rules have been added, the setup is complete and the result is:

Access to port 22 from IP 182.92.253.20 matches the priority-1 rule and is allowed.

Access to port 22 from any other IP matches the priority-2 rule and is denied.

Access to other ports matches the priority-3 rule and is allowed.

Case 4: Allowing instances to access only specific external IP addresses

First configure a public-network outbound rule that denies access to all IP addresses (0.0.0.0/0), then add a public-network outbound rule that allows the instance to access the specific IP address. The allow rule must have a higher priority (a smaller priority number) than the deny rule.

Click Public network outbound direction > Add Security Group Rule; for Authorization Policy select Reject, for Authorization Object enter 0.0.0.0/0, and set the priority to a number larger than 1.

Continue adding rules in the public network outbound direction: for Authorization Policy select Allow, and for Authorization Object enter the specific external IP address the instance is allowed to access.

Running ping, telnet or similar commands from inside the instance, access to IP addresses covered by the deny rule fails, indicating that the security group restrictions are in effect.
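The rule interactions in Cases 1 through 4 (intranet versus public NIC, deny on one port, priority ordering, and the outbound deny-all plus allow-one pattern) can be checked offline with a small model of how a security group evaluates its rules. The following Python is an added example, not Alibaba Cloud's code or API: the rule fields borrow the names of the AuthorizeSecurityGroup / AuthorizeSecurityGroupEgress API parameters (Policy, Priority, IpProtocol, PortRange, SourceCidrIp/DestCidrIp, NicType), but the evaluation order (lowest priority number wins, drop beats accept on a tie, no matching rule means drop) is an assumption of the model, and every IP address except the article's 182.92.253.20 is a constructed sample.

```python
"""Model of ECS security group rule evaluation.

Added example, not Alibaba Cloud code. Rules carry the field names of the
AuthorizeSecurityGroup / AuthorizeSecurityGroupEgress API; the evaluation
order below is an assumption of this model:
  1. only rules on the matching NicType, protocol, port and CIDR are considered
  2. the lowest Priority number wins (1 is the highest priority)
  3. on equal Priority, drop beats accept
  4. if no rule matches, the packet is dropped
All addresses except 182.92.253.20 (from the article) are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str                 # Policy: "accept" or "drop"
    priority: int               # Priority: 1 (highest) to 100 (lowest)
    ip_protocol: str            # IpProtocol: "tcp", "udp", "icmp" or "all"
    port_range: str             # PortRange: "22/22"; "-1/-1" means all ports
    cidr: str                   # SourceCidrIp (ingress) or DestCidrIp (egress)
    nic_type: str = "internet"  # NicType: "internet" (public) or "intranet"


def _port_matches(port_range: str, port: int) -> bool:
    lo, hi = (int(p) for p in port_range.split("/"))
    return (lo == -1 and hi == -1) or lo <= port <= hi


def _rule_matches(rule: Rule, ip: str, proto: str, port: int, nic_type: str) -> bool:
    return (
        rule.nic_type == nic_type
        and rule.ip_protocol in ("all", proto)
        and _port_matches(rule.port_range, port)
        and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)
    )


def evaluate(rules, ip: str, proto: str, port: int, nic_type: str = "internet") -> str:
    """Return "accept" or "drop" for one packet.

    ip is the peer address: the source for ingress rules, the destination for
    egress rules. Use port 0 with protocol "icmp".
    """
    matching = [r for r in rules if _rule_matches(r, ip, proto, port, nic_type)]
    if not matching:
        return "drop"
    # Smaller priority number first; on a tie a drop rule sorts before accept.
    winner = min(matching, key=lambda r: (r.priority, r.policy != "drop"))
    return winner.policy


# Case 1, scenario 2: GroupA lets InstanceB's intranet address (b.b.b.b,
# constructed here as 10.0.1.20) reach every instance in GroupA, intranet NIC only.
GROUP_A_INTRANET = [Rule("accept", 1, "all", "-1/-1", "10.0.1.20/32", nic_type="intranet")]

# Case 2: block one public address (constructed 203.0.113.7) from port 22 while a
# constructed baseline rule at the lowest priority keeps everything else open.
CASE2_INGRESS = [
    Rule("drop", 1, "tcp", "22/22", "203.0.113.7/32"),
    Rule("accept", 100, "all", "-1/-1", "0.0.0.0/0"),
]

# Case 3: the article's three public-network rules.
CASE3_INGRESS = [
    Rule("accept", 1, "tcp", "22/22", "182.92.253.20/32"),
    Rule("drop", 2, "tcp", "22/22", "0.0.0.0/0"),
    Rule("accept", 3, "all", "-1/-1", "0.0.0.0/0"),
]

# Case 4: deny all outbound at a low priority (number larger than 1) and allow
# one external address (constructed 203.0.113.10) at priority 1.
CASE4_EGRESS = [
    Rule("drop", 10, "all", "-1/-1", "0.0.0.0/0"),
    Rule("accept", 1, "all", "-1/-1", "203.0.113.10/32"),
]


if __name__ == "__main__":
    print("case 1 intranet from 10.0.1.20   ->", evaluate(GROUP_A_INTRANET, "10.0.1.20", "tcp", 80, "intranet"))
    print("case 1 internet from 10.0.1.20   ->", evaluate(GROUP_A_INTRANET, "10.0.1.20", "tcp", 80))
    print("case 2 203.0.113.7 to port 22    ->", evaluate(CASE2_INGRESS, "203.0.113.7", "tcp", 22))
    print("case 2 203.0.113.7 to port 80    ->", evaluate(CASE2_INGRESS, "203.0.113.7", "tcp", 80))
    print("case 3 182.92.253.20 to port 22  ->", evaluate(CASE3_INGRESS, "182.92.253.20", "tcp", 22))
    print("case 3 198.51.100.5 to port 22   ->", evaluate(CASE3_INGRESS, "198.51.100.5", "tcp", 22))
    print("case 3 198.51.100.5 to port 443  ->", evaluate(CASE3_INGRESS, "198.51.100.5", "tcp", 443))
    print("case 4 out to 203.0.113.10       ->", evaluate(CASE4_EGRESS, "203.0.113.10", "tcp", 443))
    print("case 4 out to 198.51.100.5 icmp  ->", evaluate(CASE4_EGRESS, "198.51.100.5", "icmp", 0))
```

The model makes the ordering requirement of Case 4 concrete: if the allow rule for 203.0.113.10 were given a priority number larger than the deny-all rule's, the deny rule would be selected first and outbound access to the permitted address would fail too. It also shows why the Case 1 rule is bound to the intranet NIC: the same address arriving on the public NIC matches nothing and is dropped.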
