Setting firewall (ACG)

Available in Classic

Access Control Group (ACG) is a firewall service that lets you control and manage network access across servers by filtering IP addresses and ports. With ACG, you can configure and manage rules for groups of servers without separately managing the firewall on each server (iptables, UFW, Windows Firewall).
You can use the ACG that NAVER Cloud Platform provides by default, or create your own ACG rules and use them.

Note

The following restrictions apply when using ACG.

[VPC environment]

  • Up to 500 ACGs can be created per VPC.
  • Up to 3 ACGs are allowed per NIC.
  • Up to 50 inbound and 50 outbound rules can be created for an ACG.

[Classic environment]

  • Up to 100 ACGs can be created per account.
  • Up to 100 rules can be set for each ACG.
  • A server can be repeatedly included in up to 5 ACGs.
  • The ACG selected at server creation can't be changed, and its rules apply until the server is terminated.

Note

  • If you create a load balancer, an ACG group for the load balancer object (ncloud-load-balancer) is created automatically. For the service to work, a permission rule that specifies the load balancer as the access source must be added to the ACGs of the servers actually bound to the load balancer.
  • Once that permission rule has been added, the load balancer's ACG can continue to communicate with the servers even if the rule is deleted later, as long as the load balancer keeps sending health check requests to them. To block the communication completely in this case, restart the connected load balancer.

ACG provided by default

Each account of NAVER Cloud Platform has a default ACG created. The ACG provided by default follows the basic rules shown below. The unspecified rules refer to rules that are applied and processed internally, even though their settings may not be visible to the user.

Default ACG, Classic:
  • Block all inbound traffic (not specified as a rule)
  • Allow all outbound traffic (not specified as a rule)
  • Allow two-way communication between servers that belong to the default ACG (added as a rule, can be deleted)
  • Allow TCP for the basic remote access port (Linux: 22, Windows: 3389; added as a rule to the default ACG, can be deleted)

Default ACG, VPC:
  • Block all inbound traffic (not specified as a rule)
  • Allow all outbound traffic (not specified as a rule)
  • Allow TCP for the basic remote access port (Linux: 22, Windows: 3389; added as a rule to the default ACG, can be deleted)

Custom ACG:
  • Block all inbound traffic (not specified as a rule)
  • Allow all outbound traffic (not specified as a rule)
Create ACG

The following describes how to create an ACG.

1. From the NAVER Cloud Platform console, click the Services > Compute > Server menus in order.
2. Click the ACG menu.
3. Click the [Create ACG] button.
4. Enter the ACG name, and then click the [Create] button.
  • The created ACG is displayed in the ACG list.

Set ACG

NAVER Cloud Platform, by default, blocks all inbound traffic and allows all outbound traffic. You can change these rules by changing the ACG settings. The following describes how to change the ACG settings.

Note

  • If the ACG has no outbound rule configured, request packets sent by the server may be blocked.

1. From the NAVER Cloud Platform console, click the Services > Compute > Server menus in order.
2. Click the ACG menu.
3. Select the ACG to set rules for, and then click the [Set ACG] button.
4. Enter the detailed rules by referring to the table shown below, and then click the [Add] button.

  Item: Protocol
    Setup method: Select from TCP, UDP, or ICMP.

  Item: Access source/Destination
    Setup method: Enter an IP address or an ACG name.
    Example:
      1. IP address: specify a single IP address, or a range of IP network addresses using CIDR notation. When entering a CIDR address, enter the network address followed by a slash (/) and the subnet bits.
      2. ACG name: all objects belonging to the target ACG group are specified as the access source.

  Item: Allowed port (service)
    Setup method: Enter the allowed port range for TCP and UDP.
    Example:
      TCP: an allowed port range between 1 and 65535 can be specified.
      UDP: an allowed port range between 1 and 65535 can be specified.
      ICMP: you can only select whether to allow the entire protocol.

  • Up to 100 rules can be added.
5. After adding all of the rules, click the [Apply] button.
  • The ACG rule settings are applied.

Examples of ACG rule settings

When setting the ACG rules, refer to the following examples.

Allow access to the SSH service from a specific IP address

Protocol   Access source          Allowed port
TCP        192.168.77.17          22

Allow access to the SSH service from a specific IP address range (1)

Protocol   Access source          Allowed port
TCP        192.168.77.0/24        22

Allow access to the SSH service from a specific IP address range (2)

Protocol   Access source          Allowed port
TCP        192.168.77.128/25      22

Allow SSH access between servers assigned to the ACG object named Test-ACG

Protocol   Access source          Allowed port
TCP        Test-ACG               22

Set ncloud-load-balancer, the ACG for load balancers, as the access source to allow the load balancer object network access to the actual web server bound to it (the same single ACG name is used even when multiple load balancers are created)

Protocol   Access source          Allowed port
TCP        ncloud-load-balancer   80

Allow access to UDP ports 22-1025 from a specific IP address

Protocol   Access source          Allowed port
UDP        192.168.77.17          22-1025

Allow all inbound traffic to a web service

Protocol   Access source          Allowed port
TCP        0.0.0.0/0              80
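
Applying the rule format from the table in step 4 and the examples above, the following Python is an added example and not NAVER Cloud Platform's own code: it evaluates inbound packets against ACG-style rules (single IP, CIDR block or ACG name as the access source; a port or port range; ICMP as a whole protocol) with the default-ACG semantics of blocking any inbound traffic that no rule permits, and includes an audit helper that flags remote-access ports opened to 0.0.0.0/0. The ACG_MEMBERS table that resolves an ACG name to server IPs is a hypothetical, constructed stand-in for the platform's own membership data.

```python
import ipaddress
# ACG rules in the console's shape: (protocol, access source, allowed port). A source is a single
# IP, a CIDR block or an ACG name; port is "22", "22-1025", or "" for ICMP. Copied from the page.
RULES = [
    ("TCP", "192.168.77.17", "22"),
    ("TCP", "192.168.77.128/25", "22"),
    ("TCP", "Test-ACG", "22"),
    ("TCP", "ncloud-load-balancer", "80"),
    ("UDP", "192.168.77.17", "22-1025"),
    ("TCP", "0.0.0.0/0", "80"),
]
# Hypothetical ACG membership (constructed): which server IPs belong to which ACG.
ACG_MEMBERS = {"Test-ACG": ["10.0.1.10", "10.0.1.11"], "ncloud-load-balancer": ["10.0.200.5"]}

def parse_port_range(spec):
    """'22' -> (22, 22); '22-1025' -> (22, 1025); enforces the console's 1-65535 bound."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"port range out of bounds: {spec}")
    return lo_i, hi_i

def source_matches(rule_source, src_ip):
    """IP/CIDR sources match by containment; an ACG-name source matches that ACG's members."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source in ACG_MEMBERS:
        return any(ip == ipaddress.ip_address(m) for m in ACG_MEMBERS[rule_source])
    return ip in ipaddress.ip_network(rule_source, strict=False)

def inbound_allowed(rules, protocol, src_ip, port=None):
    """Default ACG semantics from the page: all inbound is blocked unless a rule permits it."""
    for proto, source, port_spec in rules:
        if proto != protocol or not source_matches(source, src_ip):
            continue
        if proto == "ICMP":  # ICMP is allowed or blocked as a whole protocol, no port check
            return True
        lo, hi = parse_port_range(port_spec)
        if port is not None and lo <= port <= hi:
            return True
    return False

def exposed_admin_rules(rules):
    """Audit: TCP rules opening a remote-access port (22 or 3389) to any source (0.0.0.0/0)."""
    flagged = []
    for proto, source, port_spec in rules:
        if proto == "TCP" and source == "0.0.0.0/0":
            lo, hi = parse_port_range(port_spec)
            if lo <= 22 <= hi or lo <= 3389 <= hi:
                flagged.append((proto, source, port_spec))
    return flagged
```

Run exposed_admin_rules over a tenant's rule export to catch an SSH or RDP rule that was widened to 0.0.0.0/0 instead of a specific source, which the page's examples deliberately avoid.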

Delete ACG

The following describes how to delete an ACG.

Note

  • You can't delete multiple ACGs at once.
  • You can't delete ACGs applied to servers.

1. From the NAVER Cloud Platform console, click the Services > Compute > Server menus in order.
2. Click the ACG menu.
3. Select the ACG to delete, and then click the [Delete ACG] button.
4. Check the details in the confirmation pop-up window, and then click the [Yes] button.
  • The ACG is deleted.
