Controls and Manages Network Access
As Internet usage and services steadily rise, security threats are also increasing, which demands multiple methods and layers of defense. ACG is a service that controls and manages network access to server groups. To activate the security features easily, simply set the parameters of the firewall for each server group. There’s no need to construct a separate firewall for each server.
- Batch Management of Security Settings
- With ACG, you can control network access to a large number of servers in a batch, without having to set up a host firewall (iptables, UFW, etc.) for each server. It’s easy to apply and execute security procedures.
- Reuse Existing Security Settings
- When expanding a service, it is possible to reuse existing access control group (ACG) rules and it is possible to expand the security policy conveniently.
- Simple Control of Settings
- You can safely and conveniently add, change, and delete inbound rules that allow you to connect to the server with the ACG Rule Change feature in a web-based console, without having to directly access the server to change firewall security rule settings.
Inbound traffic from other internal servers or external Internet channels can be controlled by IP address and port.
By default, all outgoing traffic from the server is allowed,
while inbound traffic is regulated according to the ACG settings.
Create and Manage ACG Settings with Web Console
It’s easy to set the ACG using the Web console:
- 1) Connect to Console: Log in to the portal and connect to the console.
-
2) Create ACG: On the ACG menu, select [Create ACG] and enter the name of the ACG.
(New ACG can be created in “Step 4. Set Firewall,” or an existing ACG may be selected.) - 3) ACG Setup: Add and apply the security protocol, including permitted sources and ports.
- 4) View ACG Rules: Check the rules settings for each ACG.
- 5) Delete ACG: You can delete the ACG. However, if there is only one server to which the applicable ACG is applied, it cannot be deleted.
Types of ACG Rules
When creating servers, firewall (ACG) settings must be selected to ensure the security of the network. An ACG is an instance that has a distinguishable name with rules that apply to each instance. Provides basic ACG Rule (default ACG) for convenient use of the ACG service. If you need separate firewall settings for your service, you can set up and apply ACG rules yourself (custom ACG).
| Type | Content | Details |
|---|---|---|
| Default ACG | Preset for each account |
• Blocks all inbound traffic
· Allows all outbound traffic · Allows communication among the servers within an ACG group |
| Custom ACG | Created by the customer |
• Blocks all inbound traffic
· Allows all outbound traffic |
ACG Rules and Settings
| Classification | Setup Method | Example |
|---|---|---|
| Protocol | Select TCP, UDP, or ICMP | |
| Access source: | Specify by either IP address or ACG name |
1) IP Address
Specify permitted users by using IP address or CIDR notation. When entering CIDR notation, enter the network address followed by the subnet bit, separated by a slash (/).
- E.g. To allow all Internet access from all IP addresses: 0.0.0.0/0
- E.g. To allow access from a single IP address: 92.168.10.1/32 or 192.168.10.1 - E.g. When entering CIDR notation (network address/subnet bit): 192.168.77.0/24, 192.168.77.128/25, 192.168.77.192/26 |
|
2) ACG Name Target
Assigns the entire object belonging to the ACG group as the access source. | ||
| Permitted ports | Select either TCP or UDP | TCP (Customizable permitted port range: 1-65535) |
| UDP (Permitted port range: 1-65535) | ||
| ICMP (Select whether to permit the entire protocol) |
Notes for using the ACG
You can create up to 100 ACG objects per account and you can set up to 100 rules for each ACG object.
How to Set ACG Rules
| Example | Protocol | Access source: | Permitted ports |
|---|---|---|---|
| Allow access to the SSH service from a specific IP address | TCP | 192.168.77.17 | 22 |
| Allow access to the SSH service from a specific band of IP addresses (1) | TCP | 192.168.77.0/24 | 22 |
| Allow access to the SSH service from a specific band of IP addresses (2) | TCP | 192.168.77.128/25 | 22 |
| Allow SSH access between two servers allocated to the ACG named 'Test-ACG' | TCP | Test-ACG | 22 |
|
Set the NAVER CLOUD PLATFORM-load-balancer (ACG for load balancer) as the source, and
allow access to the web server from the load balancer object | TCP | Ncloud-load-balancer | 80 |
| Allow access to UDP 22-1025 port from a specific IP address | UDP | 192.168.77.17 | 22–1025 |
| Allow full access to web service Port 80 | TCP | 0.0.0.0/0 | 80 |
This service is free of charge.
Was this page helpful?