ACG
Available in Classic
This guide describes the screen layout of the ACG menu and the ACG information, and explains how to create, set, and delete an ACG.
Access Control Group (ACG) is an IP/port-based filtering firewall service that enables you to control and manage network access between servers. By using ACG, you can easily establish and manage ACG rules for server groups without needing to separately manage the existing firewalls (iptables, UFW, and Windows firewall). You can use the ACG provided by default in NAVER Cloud Platform, or create your own ACG and set rules for it.
The following restrictions apply when using ACG:
- You can create up to 100 ACGs per account.
- Up to 100 rules can be set for each ACG.
- A single server can be included in up to 5 ACGs.
- The ACG selected at server creation can't be changed, and the ACG rules apply until the server is terminated.
- When you create a load balancer, an ACG for the load balancer (ncloud-load-balancer) is created automatically. To use the service, a permission rule that specifies the load balancer as the access source must be added to the ACG of the server that the load balancer actually binds.
- After the permission rule for the load balancer is added to the ACG, communication with the servers can continue even if the rule is deleted later, as long as the load balancer keeps sending health check requests to the servers. To block communication with the server, restart the connected load balancer.
Check ACG information
You can check ACG information on the ACG page.
ACG page
From the NAVER Cloud Platform portal, click the Console > Services > Compute > Server > ACG menus, in that order, to view the ACG page.
The ACG page is laid out as follows:
Field | Description |
---|---|
① Menu name | Name of the menu currently being checked and the number of created ACGs |
② Basic features | Features provided on the first page when the user enters the ACG menu |
③ Post-creation features | Features provided after creating the ACG |
④ ACG list | List of created ACGs |
Create ACG
NAVER Cloud Platform provides the Default ACG (ncloud-default-acg) without you having to create an ACG, but you can also create and use a separate ACG. For more information about the Default ACG, see ACG specifications.
The following describes how to create an ACG.
- Click the environment you are using in the Region menu and Platform menu of NAVER Cloud Platform console.
- Click the Services > Compute > Server menus, in that order.
- Click the ACG menu.
- Click the [Create ACG] button.
- Enter the name of ACG, and click the [Create] button.
- An ACG is created and displayed in the ACG list.
- ACGs directly created by users have no rules provided by default. Set the rules through Set ACG.
Set ACG
The following describes how to set detailed rules for the Default ACG and the ACGs you created.
If no outbound rule settings exist for the ACG, request packets sent from the server may be blocked.
- Click the environment you are using in the Region menu and Platform menu of NAVER Cloud Platform console.
- Click the Services > Compute > Server menus, in that order.
- Click the ACG menu.
- Click to select the ACG to set rules for from the ACG list, and then click the [Set ACG] button.
- Enter the detailed rules by referring to the following table, and then click the [Add] button.

Item | Setup method | Examples |
---|---|---|
Protocol | Select from TCP, UDP, and ICMP | - |
Access source | Enter the IP address or ACG name. IP address: specify a single IP address or a range of IP network addresses in CIDR format; when you enter a CIDR address, enter the network address followed by the subnet bits, including the slash (/). ACG name: specify all objects in the target ACG as the access source | Example of entering CIDR: 0.0.0.0/0, 192.168.1.0/24. Example of entering ACG name: my-acg-1 (preset name of ACG) |
Allowed port (service) | Enter the allowed port range when TCP or UDP is selected | 22 (for ssh service); 3389 (for remote Windows access) |
Notes | Enter briefly, if necessary | - |

- After adding all the rules, click the [Apply] button.
- The set rules are applied to the ACG.
ACG rule settings example
The frequently used ACG rules are as follows:
Allows access to SSH service from a specific IP address

Protocol | Access source | Allowed port |
---|---|---|
TCP | 192.168.77.17 | 22 |

Allows access to SSH service from a specific IP address range (1)

Protocol | Access source | Allowed port |
---|---|---|
TCP | 192.168.77.0/24 | 22 |

Allows access to SSH service from a specific IP address range (2)

Protocol | Access source | Allowed port |
---|---|---|
TCP | 192.168.77.128/25 | 22 |

Allows SSH access between servers assigned to ACG named Test-ACG

Protocol | Access source | Allowed port |
---|---|---|
TCP | Test-ACG | 22 |

Sets the ncloud-load-balancer, an ACG for the load balancer, as an access source to allow network access to the web server that the load balancer binds
- Even if several load balancers are created, the name of the ACG must be the same.

Protocol | Access source | Allowed port |
---|---|---|
TCP | ncloud-load-balancer | 80 |

Allows access to UDP ports 22-1025 from specific IPs

Protocol | Access source | Allowed port |
---|---|---|
UDP | 192.168.77.17 | 22-1025 |

Allows access to the entire web service

Protocol | Access source | Allowed port |
---|---|---|
TCP | 0.0.0.0/0 | 80 |
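The following added Python example, which is not part of the NAVER Cloud Platform documentation or tooling, audits a rule list written as (protocol, access source, allowed port) tuples before the rules are entered in the console. It applies the CIDR and port formats and the 100-rule limit described on this page, and additionally flags ports 22 and 3389 opened to 0.0.0.0/0. The function names, the tuple layout and the sample rules are assumptions made for the example.

```python
import ipaddress
MAX_RULES_PER_ACG = 100    # limit stated on this page
ADMIN_PORTS = {22, 3389}   # ssh / remote Windows access, the page's port examples

def parse_ports(spec):
    """Return (low, high) for '22' or '22-1025'; ValueError if malformed."""
    low, sep, high = spec.partition("-")
    low, high = int(low), int(high if sep else low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high

def audit_rule(protocol, source, ports, known_acgs):
    """Return findings for one (protocol, access source, allowed port) rule."""
    if protocol not in ("TCP", "UDP", "ICMP"):
        return [f"unknown protocol {protocol!r}"]
    findings, net = [], None
    try:
        net = ipaddress.ip_network(source, strict=True)  # rejects host bits set
    except ValueError:
        if source not in known_acgs:
            findings.append(f"source {source!r}: not a network CIDR or known ACG")
    if protocol == "ICMP":
        return findings                      # ports apply to TCP and UDP only
    try:
        low, high = parse_ports(ports)
    except ValueError as exc:
        return findings + [str(exc)]
    exposed = sorted(p for p in ADMIN_PORTS if low <= p <= high)
    if net is not None and net.prefixlen == 0 and exposed:
        findings.append(f"admin port(s) {exposed} open to {source}")
    return findings

def audit_acg(rules, known_acgs):
    """Return {rule index: findings} for rules with issues; key -1 is ACG-wide."""
    over = len(rules) > MAX_RULES_PER_ACG
    report = {-1: [f"more than {MAX_RULES_PER_ACG} rules"]} if over else {}
    for i, rule in enumerate(rules):
        if found := audit_rule(*rule, known_acgs):
            report[i] = found
    return report

# Constructed sample: rules from the examples above, then two deliberately bad ones.
KNOWN_ACGS = {"Test-ACG", "ncloud-load-balancer"}
SAMPLE_RULES = [
    ("TCP", "192.168.77.0/24", "22"), ("TCP", "Test-ACG", "22"),
    ("UDP", "192.168.77.17", "22-1025"), ("TCP", "0.0.0.0/0", "80"),
    ("TCP", "0.0.0.0/0", "22"), ("TCP", "192.168.77.17/24", "3389"),  # bad rules
]
```

Calling `audit_acg(SAMPLE_RULES, KNOWN_ACGS)` reports only the last two rules: SSH opened to every address, and a CIDR whose host bits are set instead of the network address.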
Delete ACG
The following describes how to delete an ACG.
- You cannot delete several ACGs at the same time.
- You can't delete ACGs applied to servers.
- Click the environment you are using in the Region menu and Platform menu of NAVER Cloud Platform console.
- Click the Services > Compute > Server menus, in that order.
- Click the ACG menu.
- Click to select the ACG to delete from the ACG list, and then click the [Delete ACG] button.
- Check the pop-up message and click the [OK] button.
- The ACG is deleted and disappears from the list.