Security Group Inventory

Properties

Name Description Optional Valid Value Starting Version
uuid The UUID. For more information, see Resource Property. 0.6
name The name. For more information, see Resource Property. 0.6
description The description. For more information, see Resource Property. Yes 0.6
state The state. For more information, see Resource Property.
  • Enabled
  • Disabled
 0.6
rules The rules. For more information, see Security Group Rule Inventory. 0.6
attachedL3NetworkUuids The UUIDs of the L3 Network to which the security group is attached. 0.6
createDate The creation date. For more information, see Resource Property. 0.6
lastOpDate The last operation date. For more information, see Resource Property. 0.6

Sample

 {
    "attachedL3NetworkUuids": [
        "0b48770e593e400c8f54e71fd4e7f514"
    ],
    "createDate": "Nov 16, 2015 1:02:22 AM",
    "lastOpDate": "Nov 16, 2015 1:02:22 AM",
    "name": "sg-in",
    "rules": [
        {
            "allowedCidr": "0.0.0.0/0",
            "createDate": "April 29, 2015 9:57:10 PM",
            "state": "Enabled",
            "endPort": 22,
            "lastOpDate": "Nov 29, 2015 9:57:10 PM",
            "protocol": "TCP",
            "securityGroupUuid": "9e0a72fe64814900baa22f78a1b9d235",
            "startPort": 22,
            "type": "Ingress",
            "uuid": "a338d11be18d4e288223597682964dc8"
        }
    ],
    "state": "Enabled",
    "uuid": "9e0a72fe64814900baa22f78a1b9d235"
}

Default Security Group Policy

  • For an empty security group, we have default polices for inbound traffics and outbound traffics.
  • For inbound traffics, the default policy is to deny, which means that all inbound traffics traveling to the NICs in this empty security group will be blocked.
  • For outbound traffics, the default policy is to allow, which means that all outbound traffics coming from the NICs in this empty security group will be allowed.

To change default policies, you can change the actions for Ingress.defaultPolicy and Egress.defaultPolicy in Global Setting.

Security Group Rule Inventory

Name Description Optional Valid Value Starting Version
uuid The UUID. For more information, see Resource Property. 0.6
securityGroupUuid The UUID of the parent security group. 0.6
remoteSecurityGroupUuid The source security group, which indicates that only the VM instances specified in the security group are allowed. Yes 0.6
type The type. For more information, see Traffic Type.
  • Ingress
  • Egress
 0.6
protocol The traffic protocol type.
  • TCP
  • UDP
  • ICMP
 0.6
startPort If the protocol is TCP or UDP, this parameter is the start port of the port range. If the protocol is ICMP, this parameter is ICMP type.
  • For TCP/UDP: 0 - 65535.
  • For ICMP: use '-1' to represent all types. For more information, see ICMP type and code.
 0.6
endPort If the protocol is TCP/UDP, this parameter is the end port of the port range. If the protocol is ICMP, this parameter is ICMP type.
  • For TCP/UDP: 0 - 65535.
  • For ICMP: use '-1' to represent all types. For more information, see ICMP type and code.
 0.6
allowedCidr The allowed CIDR. For more information, see Allowed CIDR. 0.6
state The rule state, which is not implemented in the current version.
  • Enabled
  • Disabled
 0.6
createDate The creation date. For more information, see Resource Property. 0.6
lastOpDate The last operation date. For more information, see Resource Property. 0.6

Sample

{
     "allowedCidr": "0.0.0.0/0",
     "state": "Enabled",
     "startPort": 22,
     "endPort": 22,
     "protocol": "TCP",
     "type": "Ingress",
     "createDate": "Nov 29, 2015 9:57:10 PM",
     "lastOpDate": "Nov 29, 2015 9:57:10 PM",
     "uuid": "a338d11be18d4e288223597682964dc8"
     "securityGroupUuid": "9e0a72fe64814900baa22f78a1b9d235"
}

Traffic Type

Traffics have two types.
  • Ingress:

    Inbound traffics that access a VM NIC.

  • Egress:

    Outbound traffics that leave from a VM NIC.

Allowed CIDR

Allowed CIDR has different meanings according to different traffic types. The format of an allowed CIDR is as follows:
ipv4_address/network_prefix
For example: 12.12.12.12/24
If the traffic type is Ingress, the allowed CIDR is a source CIDR that is allowed to access VM NICs. The following is an example of an inbound rule:
startPort: 22
endPort: 22
protocol: TCP
type: Ingress
allowedCidr: 12.12.12.12/32
The example above indicates that only TCP traffics from the IP address (12.12.12.12) are allowed to access port 22.
If the traffic type is Egress, the allowed CIDR is a destination CIDR that is allowed to leave VM NICs. The following is an example of an outbound rule:
startPort: 22
endPort: 22
protocol: TCP
type: Egress
allowedCidr: 12.12.12.12/32
The example above indicates that only TCP traffics to port 22 of the IP address (12.12.12.12) are allowed to leave.

Note that CIDR 0.0.0.0/0 represents all IP addresses.