Security Groups in Katapult allow you to restrict network access to virtual machines by employing a series of rules to choose which traffic should be allowed.
How you decide to build your security groups may depend on your individual situation but you may wish to employ one of two stategies:
Creating security groups that work directly with certain roles such as a "Web Server" or "DNS Server" role. These roles have a small number of rules that serve a specific purpose. This means that machines may be assigned to multiple groups.
Creating security groups that are specific to servers or groups of server that include rules for everything required. This means that machines will likely only be assigned to one group.
Regardless of the method you choose, the process for managing security groups is the same.
You can create and manage security groups through the Katapult Console. Choose Networking and then Security Group from the navigation.
When creating a group you will be asked to select what you wish to apply this security group to. You can choose from individual virtual machines, a virtual machine group or any tags. If you choose a group or a tag, the security group will be applied to all virtual machines which are linked to the group/tag.
You can add up to 50 rules per security group. All rules are ALLOW rules with any traffic that doesn't match one of these rules being dropped. If you have multiple security groups, all rules are considered and if it doesn't match a rule for any security group it will be dropped.
For each rule you can define the following properties:
A protocol - TCP, UDP or ICMP.
A port or series of ports (except for ICMP). These can be single ports (
80), a range of ports (
2000-3000) or a list of up to 6 ports (
A list of sources (for inbound rules) and destinations (for outbound rules). To allow all traffic you can use the "All IPv4" and "All IPv6" options. Additionally, you can select another virtual machine, a virtual machine group, a tag or custom IP address or network. You can add as many sources as you wish to a rule.
When you have added the rules needed you can save the security group. When you save a security group it may take up to a minute for the changes to fully apply.