
Labex Basic Application of ECS Security Groups

 


1. Introduction

1.1 Knowledge points

This lab describes the basic application of Alibaba Cloud Elastic Compute Service (ECS) security groups, to deepen your understanding of security groups and to let you adjust security group rules to your business requirements. A security group acts as a virtual firewall for one or more ECS instances: its rules decide which network traffic may reach the instances and which traffic they may send out. It is an important means of network isolation.

1.2 Lab Steps

  • Query security groups.
  • Ping an ECS instance from the Internet.
  • Remotely connect to an ECS instance through Secure Shell (SSH).
  • Use an ECS instance as a web server.

1.3 Cloud resources required

  • ECS

1.4 Prerequisites

  • You understand ECS.
  • If you are using your own Alibaba Cloud account rather than the one provided by the lab, choose the same Ubuntu 16.04 operating system for your ECS instance so that the commands below work as shown. Ubuntu 16.04 reached end of standard support in April 2021, so treat it as a lab image only and do not reuse it for real workloads.

2. Start the lab environment

If you have just completed a lab session, ensure you log out of your Alibaba Cloud account before starting a new lab. This prevents issues when opening a new lab session in the same browser.

Click Start Lab in the upper right corner of the page to start the lab.

image desc

Once the lab environment is set up, the system auto-deploys essential resources for your lab, such as ECS and RDS instances, Server Load Balancers, OSS buckets, etc. You'll also receive login credentials for the Alibaba Cloud Web console.

image desc

A countdown timer starts once the lab environment is ready. You have two hours to complete the lab. Pay attention to the remaining time and plan accordingly.

Next, click Open the Console to access the Alibaba Cloud RAM login page. Use the Username and Password provided by the system to log in to Alibaba Cloud and view the relevant resources.

Copy and enter the provided account username and click Next.

image desc
 

Copy and enter the provided password and click Log On.

image desc
 

After successfully logging in, click OK to view the main console page.

 
image desc

3. Query security groups

Click Elastic Compute Service, as shown in the following picture.

image desc

We can see one running ECS instance in the US West 1 region.

image desc
 
image desc

Select Security Group to view the security group to which the ECS instance belongs. Click Manage Rules.

You can view rules of the security group.

Inbound rule: The existing inbound rule allows any external host to reach ports 10 to 82 on the ECS instances in the security group.

image desc

Outbound rule: The existing outbound rule allows the ECS instances in the security group to reach ports 10 to 81 on external servers. Because a security group allows all outbound traffic by default, this rule is redundant: deleting it does not change what the instances can reach.

image desc

Click Delete next to the outbound rule, then click OK to confirm.

image desc

Delete the inbound rule in the same way.

image desc

After both rules are deleted, the security group falls back to its defaults: all inbound traffic is denied, so no external host can reach any ECS instance in the group on any port, while outbound traffic from the instances is still allowed.

4. Ping an ECS instance from the Internet

This section adds a security group rule that allows ICMP, which ping uses, and tests the result.

Click the back icon.

image desc

Copy the ECS public IP address.

image desc

Run the following command in a terminal on your own computer, replacing YOUR-ECS-IP with the public IP address of the ECS instance.

On macOS or Linux, run:

ping YOUR-ECS-IP

On Windows, run (the -t flag keeps pinging until you stop it):

ping YOUR-ECS-IP -t

image desc

Every request times out, so the instance cannot be pinged: with no inbound rule, the security group drops the ICMP echo requests.

Press Ctrl+C to stop sending requests.

Return to the security group console, click the Inbound tab, and click Add Rule.

image desc

Configure the rule as shown in the following figure. Because ping sends ICMP echo requests, select ICMP for Protocol Type; set the authorization object to 0.0.0.0/0 so that any external host can ping the instances in the security group. Click Save.

image desc

Return to the terminal and run the same ping command again. The echo requests are now answered.

image desc

5. Remotely connect to an ECS instance through SSH

How you open an SSH connection depends on your operating system; see the lab's logon guide for other systems.

The following screenshots use macOS as an example.

Run the following command to connect to the ECS instance as root, replacing YOUR-ECS-IP with the public IP address of the instance:

ssh root@YOUR-ECS-IP

image desc

The command hangs with no response and fails to connect: with no inbound rule for port 22, the security group silently drops the connection attempt rather than rejecting it, so the client waits until it times out.

Press Ctrl+C to stop connecting to the ECS instance.

Return to the security group console, click the Inbound tab, and click Add Rule.

image desc

Configure the rule as shown in the following figure. SSH runs over TCP on port 22, so select TCP for Protocol Type and allow port 22; an authorization object of 0.0.0.0/0 lets any host on the public network open an SSH connection to the instances in the security group. Click OK. Outside this lab, restrict the authorization object to the address range you administer from rather than 0.0.0.0/0, and use key-based logon instead of a password: a root account with a password that is reachable from the whole Internet is a standing target for brute-force logon attempts.

image desc

Return to the OS CLI and run the preceding remote connection command again.

Type yes to accept the host key when prompted, then enter the password. The default password is "nkYHG890..".

image desc

You have successfully logged on to the ECS instance.

6. Use an ECS instance as a web server

Now that you are logged on to the ECS instance, install Nginx on it so that there is a web service for external hosts to reach.

Run the following command to update the apt package index:

apt update

image desc

Run the following command to install Nginx (the -y flag answers the confirmation prompt):

apt -y install nginx

image desc

Run the following command to list the listening TCP and UDP sockets and confirm that Nginx has started:

netstat -utnlp

image desc

Nginx is running and listening on TCP port 80, the standard HTTP port. The Ubuntu package starts the service as part of the installation, so no separate start command is needed.
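The lab asks you to confirm by eye that the netstat table shows Nginx on port 80. As an added example (not part of the lab, and not Alibaba Cloud or Nginx code), the Python below parses netstat -utnlp output and answers the question a security engineer actually cares about: which listeners are bound to an address reachable from outside, so that a security group rule would expose them, and which are bound to loopback only, where no security group rule can make them reachable. The sample output is constructed in the netstat layout; its PIDs and the mysqld line are invented.

```python
import ipaddress

# Constructed sample in the layout of `netstat -utnlp` on Ubuntu 16.04; the PIDs
# and the loopback-only mysqld line are invented for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      890/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1011/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1234/nginx: master
tcp6       0      0 :::22                   :::*                    LISTEN      890/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           650/dhclient
"""


def parse_netstat(text: str) -> list:
    """Return one dict per socket row; the two header rows are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        host, _, port = parts[3].rpartition(":")   # rpartition handles IPv6 ':::80'
        if parts[0].startswith("tcp"):
            state, program = parts[5], " ".join(parts[6:])
        else:                                       # UDP rows have no State column
            state, program = "", " ".join(parts[5:])
        sockets.append({
            "proto": parts[0].rstrip("6"),          # tcp6/udp6 count as tcp/udp
            "host": host,
            "port": int(port),
            "state": state,
            "program": program,                     # "PID/name", may contain spaces
        })
    return sockets


def _is_listener(sock: dict) -> bool:
    # netstat -l already filters to listeners, but TCP rows still carry the state
    return sock["proto"] != "tcp" or sock["state"] == "LISTEN"


def _reachable_from_outside(sock: dict) -> bool:
    # 0.0.0.0, :: and any interface address are reachable; only loopback is not
    return not ipaddress.ip_address(sock["host"]).is_loopback


def check_port(text: str, port: int, proto: str = "tcp") -> str:
    """Classify one port as 'exposed', 'loopback_only' or 'not_listening'."""
    listeners = [s for s in parse_netstat(text)
                 if s["port"] == port and s["proto"] == proto and _is_listener(s)]
    if not listeners:
        return "not_listening"
    if any(_reachable_from_outside(s) for s in listeners):
        return "exposed"
    return "loopback_only"


def exposed_ports(text: str) -> set:
    """(proto, port) pairs that a security group rule would actually expose."""
    return {(s["proto"], s["port"]) for s in parse_netstat(text)
            if _is_listener(s) and _reachable_from_outside(s)}


if __name__ == "__main__":
    print("port 80:", check_port(SAMPLE_NETSTAT, 80))
    print("exposed:", sorted(exposed_ports(SAMPLE_NETSTAT)))
```

Run netstat -utnlp on the instance and feed its output to check_port: port 80 should come back as exposed, which is the state the security group rule in this section relies on. The netstat binary on Ubuntu 16.04 comes from net-tools; ss -tlnp prints the same information on newer systems. The security group is only one layer in the path: if ufw or iptables has been enabled on the instance, it must allow port 80 as well.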

Enter the following URL in the address bar of a browser and press Enter, replacing YOUR-ECS-IP with the public IP address of the instance:

http://YOUR-ECS-IP

image desc

The browser keeps trying to load the page and eventually shows the timeout error in the preceding figure: Nginx is listening, but the security group still drops inbound TCP port 80.

Return to the security group console, click the Inbound tab, and click Add Rule.

image desc

Configure the rule as shown in the following figure. HTTP runs over TCP, so select TCP for Protocol Type and allow port 80; an authorization object of 0.0.0.0/0 lets any host on the public network reach the web service on the instances in the security group. Click Save.

image desc

Reload the URL in the browser. The Nginx welcome page now loads: the security group rule allows inbound TCP port 80 to the instance.

image desc
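To make the behaviour observed in sections 3 to 6 concrete, here is an added Python model of security group rule evaluation. It is example code written for this page, not Alibaba Cloud's implementation. It encodes the semantics the lab relies on: inbound traffic is dropped and outbound traffic is accepted unless a rule says otherwise, a rule matches on direction, protocol, port range and authorization object, and among matching rules the lowest priority number wins, with a drop rule beating an accept rule at equal priority. The probe addresses, the assumption that the lab's initial 10-82 and 10-81 rules were TCP, and the admin /24 in the restricted-SSH variant are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ICMP_PORT = -1   # the console writes ICMP (and "all") port ranges as -1/-1
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    direction: str          # "ingress" (Inbound tab) or "egress" (Outbound tab)
    protocol: str           # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str               # authorization object: source for ingress, destination for egress
    policy: str = "accept"  # "accept" or "drop"
    priority: int = 1       # 1 is the highest priority, 100 the lowest

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int               # destination port, ICMP_PORT for ICMP
    peer_ip: str            # remote address of the connection

# The defaults the lab relies on: nothing in unless allowed, everything out.
DEFAULT_POLICY = {"ingress": "drop", "egress": "accept"}

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol not in ("all", pkt.protocol):
        return False
    # a port range only means something for TCP and UDP
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= pkt.port <= rule.port_to:
        return False
    return ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)

def evaluate(rules, pkt: Packet) -> str:
    """Return "accept" or "drop" for one new connection."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return DEFAULT_POLICY[pkt.direction]
    # lower priority number wins; at equal priority a drop rule beats an accept rule
    best = min(hits, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    return best.policy

# Constructed probes: the three checks the lab performs from the Internet plus
# one outbound connection (apt fetching packages over HTTP). The addresses are
# documentation ranges, not real hosts.
PROBES = {
    "ping": Packet("ingress", "icmp", ICMP_PORT, "203.0.113.5"),
    "ssh":  Packet("ingress", "tcp", 22, "203.0.113.5"),
    "http": Packet("ingress", "tcp", 80, "203.0.113.5"),
    "apt":  Packet("egress", "tcp", 80, "198.51.100.9"),
}

def verdicts(rules) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in PROBES.items()}

def rule_is_redundant(rule: Rule, rules) -> bool:
    """True when removing `rule` changes no probe verdict."""
    return verdicts(rules) == verdicts([r for r in rules if r != rule])

# The lab does not say which protocol its initial 10-82 / 10-81 rules used; TCP is assumed.
INITIAL_RULES = [
    Rule("ingress", "tcp", 10, 82, ANY),
    Rule("egress", "tcp", 10, 81, ANY),
]

def lab_stages() -> dict:
    """Probe verdicts after each step of the lab, keyed by step."""
    stages = {"initial": verdicts(INITIAL_RULES)}
    rules = []                                                        # section 3: both rules deleted
    stages["deleted"] = verdicts(rules)
    rules.append(Rule("ingress", "icmp", ICMP_PORT, ICMP_PORT, ANY))  # section 4
    stages["icmp_added"] = verdicts(rules)
    rules.append(Rule("ingress", "tcp", 22, 22, ANY))                 # section 5
    stages["ssh_added"] = verdicts(rules)
    rules.append(Rule("ingress", "tcp", 80, 80, ANY))                 # section 6
    stages["http_added"] = verdicts(rules)
    return stages

def restricted_ssh_verdicts() -> dict:
    """Least-privilege variant of the section 5 rule: SSH only from an admin /24 (assumed)."""
    rules = [Rule("ingress", "tcp", 22, 22, "203.0.113.0/24")]
    return {
        "admin": evaluate(rules, Packet("ingress", "tcp", 22, "203.0.113.5")),
        "stranger": evaluate(rules, Packet("ingress", "tcp", 22, "198.51.100.9")),
    }

if __name__ == "__main__":
    for step, result in lab_stages().items():
        print(f"{step:<11} {result}")
    print("outbound 10-81 redundant:", rule_is_redundant(INITIAL_RULES[1], INITIAL_RULES))
    print("restricted SSH:", restricted_ssh_verdicts())
```

Two things the model makes visible. First, rule_is_redundant confirms the claim in section 3: removing the outbound 10-81 rule changes no verdict because the default for outbound traffic is already accept, whereas removing the inbound 10-82 rule does. Second, the model needs no outbound rules for the ping, SSH or HTTP replies because security groups are stateful: the reply to an accepted inbound connection is allowed without a matching outbound rule, which is why the lab only ever adds inbound rules. restricted_ssh_verdicts shows the least-privilege form of the section 5 rule, limiting port 22 to the range you administer from instead of 0.0.0.0/0.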

Reminder:
Before you leave this lab, log out of your Alibaba Cloud RAM account before you click the Stop button of the lab. Otherwise you will run into problems when opening a new lab session in the same browser:

image desc

7. Summary

This lab has covered the basic use of Alibaba Cloud ECS security groups. Security group rules control inbound and outbound traffic between the ECS instances in a group and hosts on the Internet or the intranet. Configuring rules that allow only the traffic your business needs, and no more, significantly improves the security of your ECS instances.

