Security Group
- 1: Overview
- 2: How-to guides
- 2.1: Security Group Logging
- 2.2: Migration Rules
- 3: API Reference
- 4: CLI Reference
- 5: Release Note
1 - Overview
Service Overview
A Security Group is a virtual logical firewall that controls inbound/outbound traffic generated on virtual servers in Samsung Cloud Platform. The resources that can have a Security Group applied include Virtual Server, Database, Kubernetes Engine, etc. A Security Group is applied to the ports of the target resource, and multiple Security Groups can be applied depending on each resource’s characteristics.
When you first create a Security Group, it blocks all inbound and outbound traffic according to the default rule (Any/Deny).
Users can specify an IP address, port, and protocol to create inbound/outbound rules, and only traffic allowed by the created rules can access the target resources.
Component
The components that make up a Security Group are as follows.
| Component | Detailed description |
|---|---|
| Applicable target | Resources to which the Security Group is applied |
| Security Group Rules | When a Security Group is first created, it blocks all inbound and outbound traffic according to the default rule (Any/Deny) |
Constraints
The Security Groups of Samsung Cloud Platform have default quotas (limits) set. There is a maximum number of Security Groups that can be created and a maximum number of Security Group rules. The Samsung Cloud Platform Console is a place where you can view and manage quotas for Samsung Cloud Platform services and request quota increases for many resources.
| Category | Default quota | Detailed description |
|---|---|---|
| Security Group | 100 items | Number of default Security Groups that can be created per account |
| Number of Security Group rules | 100 items | Maximum number of default rules that can be created per Security Group |
| Security Group rule count > project | 1,000 items | Maximum number of default Security Group rules that can be created per account |
Preceding Service
Security Group has no preceding service.
2 - How-to guides
Users can create the service by entering the required information for the Security Group service and selecting detailed options through the Samsung Cloud Platform Console.
Create Security Group
You can create and use the Security Group service in the Samsung Cloud Platform Console.
To create a Security Group, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- Click the Create Security Group button on the Service Home page. You will be taken to the Create Security Group page.
- Enter the required information in the Service Information Input area.
| Category | Required | Detailed description |
|---|---|---|
| Security Group name | Required | Name of the Security Group to create. English letters, numbers, and the special character (-) can be used, and up to 255 characters can be entered. Duplicate Security Group names are allowed within the project. |
| Whether to save logs | Optional | Select whether to store Security Group logs. Enabled: store logs; Disabled: do not store logs. Click Security Group Logging List Shortcut to go to the Security Group Logging list page. |
Table. Security Group service information input items
To store Security Group logs, first create a bucket in Object Storage for the logs, and configure that bucket as the log repository in Security Group Logging.
- The log storage settings can be verified in Security Group Logging, and for more details, refer to Security Group Logging.
- If you configure a log repository, Object Storage charges for log storage will be applied.
- In the Additional Information Input area, enter or select the required information.
| Category | Required | Detailed description |
|---|---|---|
| Tag | Optional | Add Tag. Up to 50 tags can be added per resource. After clicking the Add Tag button, enter or select the Key and Value. |
| Description | Optional | Additional description by the user. Up to 255 characters allowed. |
Table. Security Group additional information input fields
- Check the input information and click the Create button.
- When creation is complete, check the created resources on the Security Group List page.
Check Security Group detailed information
On the Security Group menu’s Security Group List page, you can view and edit the full resource list and detailed information.
To view detailed information about a Security Group, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- On the Service Home page, click the Security Group menu. You will be taken to the Security Group list page.
- On the Security Group List page, click the resource for which you want to view detailed information. You will be taken to the Security Group Details page.
- Security Group Details page displays status information and additional feature information, and consists of Details, Rules, Tags, Activity History tabs.
| Category | Detailed description |
|---|---|
| Service status | Security Group status |
| Service termination | Cancel service button |
Details
Security Group List lets you view detailed information of the selected resource and edit the information when needed.
| Category | Detailed description |
|---|---|
| service | Service name |
| Resource Type | Resource Type |
| SRN | Unique resource ID in Samsung Cloud Platform |
| Resource Name | Resource Name |
| Resource ID | Unique resource ID in the service |
| Constructor | User who created the service |
| Creation Date/Time | Service creation date and time |
| Editor | User who edited the service information |
| Modification date | Date and time the service information was modified |
| Security Group name | Resource Name |
| Security Group ID | Unique resource ID in the service |
| Number of Security Group rules | The rule quota and the number of rules currently in use for this Security Group |
| Security Group rule count/Account | Security Group rule quota for the account and the total number of rules in use across all Security Groups in the account |
| Description | Additional description written by the user |
| Whether to save logs | Security Group log storage option |
| Applicable Service | The service type, service name, and status of the service to which this Security Group is applied |
Rules
Security Group list page lets you view the rule list of the selected resource and add or delete rules.
| Category | Detailed description |
|---|---|
| Excel download | Bulk rule entry Excel file download button |
| More | Additional function button |
| Advanced Search | Rule detail search button |
| Add rule | Add Rule button |
| Direction | Traffic direction for servers with the Security Group applied |
| Rule ID | Unique ID value for the rule |
| Target address | Target address for communicating with a server that has a Security Group applied |
| Remote Security Group name | The Security Group resource name displayed when the target is set to a Security Group |
| Remote Security Group ID | Security Group ID displayed when the target is set to a Security Group |
| Service | Protocol and Port |
| Explanation | Additional description written by the user |
| Delete | Delete rule |
Tags
Security Group List page lets you view, add, modify, or delete tag information for the selected resource.
| Category | Detailed description |
|---|---|
| Tag list | Tag list |
Activity History
You can view the operation history of the selected resource on the Security Group List page.
| Category | Detailed description |
|---|---|
| Task History List | Resource change history |
Managing Security Group Resources
You can manage resources such as log storage settings and rule additions for a Security Group.
Using Log Storage
To store Security Group logs, first create a bucket in Object Storage for the logs, and then configure that bucket in the log repository of Security Group Logging.
- The log storage settings can be verified in Security Group Logging, and for more details, refer to Security Group Logging.
- If you configure a log repository, Object Storage charges will be applied for log storage.
To save Security Group logs, follow the steps below.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- On the Service Home page, click the Security Group menu. You will be taken to the Security Group list page.
- On the Security Group List page, click the resource (Security Group name) for which you want to store logs. You will be taken to the Security Group Details page.
- Click the Edit icon of Log Save Status. You will be taken to the Log Save Status Edit popup window.
- In the Modify Log Saving Option popup window, select Use for the log repository, and click the Confirm button.
Disable log storage
To stop storing Security Group logs, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- On the Service Home page, click the Security Group menu. You will be taken to the Security Group list page.
- On the Security Group List page, click the resource (Security Group name) that you do not want to log. You will be taken to the Security Group Details page.
- Click the Edit icon of Log Save Option. You will be taken to the Log Save Option Edit popup window.
- In the Modify Log Saving Option popup window, deselect Use for the log repository, and click the Confirm button.
- Check the message in the Notification popup window and click the OK button.
Add rule
To add a Security Group rule, follow the steps below.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- On the Service Home page, click the Security Group menu. You will be taken to the Security Group list page.
- On the Security Group List page, click the resource (Security Group name) to which you want to add a rule. You will be taken to the Security Group Details page.
- On the Security Group Details page, click the Rules tab. You will be taken to the Rules tab page.
- On the Rules tab, click the Add Rule button. You will be taken to the Add Rule popup window.
| Category | Required | Detailed description |
|---|---|---|
| Target input method | Required | Configure the remote type of the rule. CIDR: set the target address by entering an IP directly. Security Group: target a Security Group that has already been created. |
| Remote > Target address | Required | If CIDR is selected, enter the target IP address in CIDR (IP address/subnet mask) format. Using commas (,) and ranges (-), you can enter up to 100 addresses at once. Enter 0.0.0.0/0 to use the entire IP range (ANY). |
| Remote > Security Group | Required | If Security Group is selected, a Security Group must be selected. |
| Type | Required | Select the protocol type to which the rule applies. Select destination port/Type: select a protocol type. Internet Protocol: enter protocol numbers, up to 100 at once. All: the entire range of destination port/Type and protocol, meaning all ports for all protocols. |
| Type > Protocol | Required | Select the detailed protocol for the type. Choose among TCP, UDP, and ICMP; the input fields vary depending on the selected protocol. ICMP: set the ICMP Type by selecting a commonly used Type, such as Echo, from the values defined for ICMP Type, then click the Add button. TCP/UDP: choose allowed ports such as SSH or HTTP, or enter values from 1 to 65,535 manually, up to 100 entries at once using commas (,) or ranges (-), then click the Add button. Internet Protocol: enter a protocol number within 1 to 254. |
| Direction | Required | Traffic direction for the applicable target. Inbound rule: External → Server. Outbound rule: Server → External. |
| Description | Optional | Additional description provided by the user. |
Table. Detailed items for adding Security Group rules
- After reviewing the rules to be added, click the Confirm button.
Batch Create Rules
To add multiple Security Group rules at once, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- From the Service Home page, click the Security Group menu. You will be taken to the Security Group list page.
- Security Group List page, click the resource (Security Group name) to which you want to add a rule. Security Group Details page will be displayed.
- On the Security Group Details page, click the Rules tab. You will be taken to the Rules tab page.
- Click the Excel Download button on the Rules tab. The bulk rule entry Excel file will be downloaded.
- Enter the rule information into the batch rule entry Excel file, then save it.
- Click the More > Bulk Rule Input button. The Bulk Rule Input popup window opens.
- Batch Rule Input In the popup window, click Attach File, attach the Excel file you prepared, and click Upload File.
- You cannot upload the attached Excel file if its format differs from the registration form or if the file is encrypted.
- You can upload up to 100 batch registration rules at a time. If you exceed the maximum number of registration rules, the upload will not be allowed.
- If you exceed the maximum number of rules that can be registered in the Account, you cannot upload the file.
- Check the details in the Rule Confirmation popup window and click the Confirm button.
Delete rule
To delete a Security Group rule, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- On the Service Home page, click the Security Group menu. You will be taken to the Security Group list page.
- On the Security Group List page, click the resource (Security Group name) from which you want to delete a rule. The Security Group Details page will be displayed.
- On the Security Group Details page, click the Rules tab. You will be taken to the Rules tab page.
- In the Rules tab, click the Delete button for the rule you want to delete.
Terminate Security Group
You can delete unused Security Groups.
To delete a Security Group, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- Click the Security Group menu on the Service Home page. You will be taken to the Security Group List page.
- On the Security Group List page, select the resource (Security Group name) to terminate, and click the Terminate Service button.
- After termination is complete, check on the Security Group list page whether the resource has been deleted.
2.1 - Security Group Logging
To store Security Group logs, first create a bucket in Object Storage for log storage and configure that bucket in the Security Group Logging repository. Then, on the Security Group Details page, set up log storage, and the Security Group logs will be saved to the Object Storage bucket.
To save Security Group logs, follow these steps.
- To store Security Group logs, you can create a bucket in Object Storage or use an existing bucket. To create a bucket, refer to Create Object Storage.
- To configure the bucket for the log repository of Security Group Logging, refer to Security Group Logging Log Repository Setup.
- In the Security Group detail view, to set log storage to Enabled, please refer to Security Group Enable Log Storage.
Security Group Logging Configure log storage usage
To set the log storage option of a Security Group to Enabled, you must first configure a log repository in Security Group Logging.
To enable the log repository for Security Group Logging, follow these steps.
- Click the All Services > Management > Network Logging > Security Group Logging menu. You will be taken to the Security Group Logging List page.
- On the Security Group Logging List page, click the Log Storage Settings button at the top. You will be taken to the Log Storage Settings popup.
- In the Log Storage Settings popup window, select the log storage bucket. When you select a bucket, the log storage path is displayed.
- In the Log Storage Settings popup window, after checking the log storage bucket and log storage path, click the Confirm button.
- After reviewing the message in the Notification popup window, click the Confirm button.
Query Security Group Logging List
If you configure the log storage bucket for Security Group Logging, you can view the Security Group Logging list.
To view the Security Group Logging list, follow these steps.
- Click the All Services > Management > Network Logging > Security Group Logging menu. Navigate to the Security Group Logging List page.
- On the Security Group Logging List page, verify the resources in use and the log storage targets.
| Category | Detailed description |
|---|---|
| Resource ID | Security Group ID |
| Save target | Security Group name |
| Save registration date and time | Security Group log storage registration timestamp |
Table. Security Group Logging list items
Reference: After configuring the log repository for Security Group Logging, you must set the log storage option to Enabled in the Security Group detail view for logging to begin. For more details, see Security Group Log Storage Usage.
Security Group Logging Check detailed information
The stored logs have different detailed information depending on the protocol. Refer to the information below to view the details.
TCP / UDP
Example of stored log: 2024-10-11T02:18:39,drop,to-lport: tcp,198.19.65.2,6443,192.168.22.131,20427
| Category | Explanation |
|---|---|
| 2024-10-11T02:18:39 | Log date and time (2024-10-11, 02:18:39) |
| drop | Action (drop / allow) |
| to-lport | Direction |
| tcp | Protocol (tcp / udp / icmp / ip) |
| 198.19.65.2 | Source IP |
| 6443 | Source port |
| 192.168.22.131 | Destination IP |
| 20427 | Destination Port |
ICMP
Saved log example: 2024-10-11T02:18:39,allow,to-lport: icmp,192.168.65.2,192.168.22.131,8
| Category | Explanation |
|---|---|
| 2024-10-11T02:18:39 | Log date and time (2024-10-11, 02:18:39) |
| allow | Action (drop / allow) |
| to-lport | Direction |
| icmp | Protocol (tcp / udp / icmp / ip) |
| 192.168.65.2 | Source IP |
| 192.168.22.131 | Destination IP |
| 8 | ICMP type ID |
IP
Stored log example: 2024-10-11T02:18:39,deny,ip,192.168.65.2,192.168.22.131,103
| Category | Explanation |
|---|---|
| 2024-10-11T02:18:39 | Log date and time (2024-10-11, 02:18:39) |
| deny | Action (drop / allow) |
| ip | Protocol |
| 192.168.65.2 | Source IP |
| 192.168.22.131 | Destination IP |
| 103 | IP protocol ID |
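The three record shapes above (TCP/UDP, ICMP, IP) differ in field count and in whether a direction field is present, so a single naive split will mislabel fields. The parser below is an added example written for this page, not code from Samsung Cloud Platform; it parses each documented shape into a typed record and then counts dropped TCP/UDP attempts per source and destination port, the first view an operator usually wants when reviewing these logs. The sample lines are constructed from the documented examples, and the field layout (in particular that the IP form carries no direction field) is inferred from those examples and is an assumption.

```python
"""Parse Security Group Logging records and summarise dropped traffic.

Added example for this page, not Samsung Cloud Platform code. Record shapes
follow the documented examples; that the IP form has no direction field is
inferred from them and is an assumption. SAMPLE_LOG is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample log, modelled on the three documented record shapes.
SAMPLE_LOG = """\
2024-10-11T02:18:39,drop,to-lport: tcp,198.19.65.2,6443,192.168.22.131,20427
2024-10-11T02:18:40,drop,to-lport: tcp,198.19.65.2,6443,192.168.22.131,20428
2024-10-11T02:18:41,allow,to-lport: tcp,198.19.65.2,51000,192.168.22.131,443
2024-10-11T02:18:42,allow,to-lport: icmp,192.168.65.2,192.168.22.131,8
2024-10-11T02:18:43,deny,ip,192.168.65.2,192.168.22.131,103
"""


@dataclass
class SgLogRecord:
    time: datetime
    action: str                        # drop / allow (the IP example above shows "deny")
    direction: Optional[str]           # e.g. "to-lport"; the IP form has no direction field
    protocol: str                      # tcp / udp / icmp / ip
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None     # TCP/UDP only
    dst_port: Optional[int] = None     # TCP/UDP only
    icmp_type: Optional[int] = None    # ICMP only
    ip_protocol: Optional[int] = None  # IP only: the IP protocol number


def parse_sg_log_line(line: str) -> SgLogRecord:
    """Parse one comma-separated record into an SgLogRecord."""
    fields = [f.strip() for f in line.strip().split(",")]
    if len(fields) < 6:
        raise ValueError(f"too few fields in log line: {line!r}")
    time = datetime.fromisoformat(fields[0])
    action = fields[1]
    # Third field is "<direction>: <proto>" for TCP/UDP/ICMP and just "<proto>" for IP.
    if ":" in fields[2]:
        direction, protocol = (p.strip() for p in fields[2].split(":", 1))
    else:
        direction, protocol = None, fields[2]
    protocol = protocol.lower()
    rest = fields[3:]
    if protocol in ("tcp", "udp") and len(rest) == 4:
        src, sport, dst, dport = rest
        return SgLogRecord(time, action, direction, protocol, src, dst,
                           src_port=int(sport), dst_port=int(dport))
    if protocol == "icmp" and len(rest) == 3:
        src, dst, icmp_type = rest
        return SgLogRecord(time, action, direction, protocol, src, dst,
                           icmp_type=int(icmp_type))
    if protocol == "ip" and len(rest) == 3:
        src, dst, number = rest
        return SgLogRecord(time, action, direction, protocol, src, dst,
                           ip_protocol=int(number))
    raise ValueError(f"unrecognised record shape for protocol {protocol!r}: {line!r}")


def dropped_tcp_udp_by_source(lines: Iterable[str]) -> Dict[Tuple[str, int], int]:
    """Count dropped TCP/UDP records per (source IP, destination port).

    One source accumulating drops across many destination ports is the
    pattern to look for first when triaging these logs.
    """
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_sg_log_line(line)
        if rec.action in ("drop", "deny") and rec.dst_port is not None:
            counts[(rec.src_ip, rec.dst_port)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(dropped_tcp_udp_by_source(SAMPLE_LOG.splitlines()).items()):
        print(f"{key[0]} -> port {key[1]}: {n} dropped")
```

Run it against a log object downloaded from the configured Object Storage bucket; records the parser does not recognise raise a ValueError rather than being silently skipped, so a changed record format is noticed immediately.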
Security Group Logging Disable Log Storage Configuration
In Security Group Logging, you can set the log storage to unused.
To disable the log repository for Security Group Logging, follow these steps.
- Click the All Services > Management > Network Logging > Security Group Logging menu. You will be taken to the Security Group Logging List page.
- On the Security Group Logging List page, click the Log Storage Settings icon at the top. You will be taken to the Log Storage Settings popup window.
- In the Log Storage Settings popup window, set the log storage bucket to Not used, and click the Confirm button.
- Log storage settings can be changed when no log storage target is configured.
- To change the log storage bucket, first set it to disabled. Then you can modify it by re-enabling it.
2.2 - Migration Rules
Users can retrieve rules created in the V1 environment of the Samsung Cloud Platform Console and apply them to the V2 service.
Getting Security Group Rules
You can import rules created in the V1 environment of the Samsung Cloud Platform Console and migrate them to the V2 service for use.
- When a Security Group rule is migrated to the V2 environment using the Migration feature, the Migration label appears before its name.
- If a Security Group rule description exceeds 255 characters, part of the description will be omitted.
- Each Security Group can have up to 200 rules, and any rule that exceeds the maximum allowable quantity will not be registered.
To retrieve the Security Group rules of V1, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- On the Service Home page, click the Migration Rules menu. You will be taken to the Migration Rules page.
- On the Migration Rules page, select the rule information to retrieve and click Done.
| Category | Detailed description |
|---|---|
| Original rule environment | SCP v1 (VMware); selected automatically |
| Applicable target | Select, from the Security Group list in the account, the Security Group to which the transferred rules are applied |
| Get rules | Click the Attach File button to upload the decrypted Security Group rule file. After decrypting and saving the rule file extracted from the original environment, upload it |
| Rule List | View the details of the uploaded Security Group rule file. Delete: delete the selected rule. Edit: modify the selected rule information; see [Modify the Security Group rules to be transferred](#이관할-Security Group-규칙-수정하기) for details |
Table. Migration Rules detailed items
- After the Security Group rule transfer request is completed, verify that the transfer item has been added to the Security Group list.
Modify the Security Group rules to be transferred
You can edit each item when retrieving rules created in the V1 environment of the Samsung Cloud Platform Console.
To modify the Security Group rules to be imported from V1, follow these steps.
- Click the All Services > Networking > Security Group menu. Navigate to the Service Home page of the Security Group.
- On the Service Home page, click the Migration Rules menu. You will be taken to the Migration Rules page.
- In the rule import section, click Attach File to upload the Security Group rule file.
- In the rule list, click Edit for the rule item you want to modify.
| Category | Required | Detailed description |
|---|---|---|
| Target input method | Required | Configure the remote type of the rule. CIDR: set the target address by entering an IP directly. Security Group: target a Security Group that has already been created. |
| Remote > Target address | Required | If CIDR is selected, enter the target IP address in CIDR (IP address/subnet mask) format. Using commas (,) and ranges (-), you can enter up to 100 addresses at once. Enter 0.0.0.0/0 to use the entire IP range (ANY). |
| Remote > Security Group | Required | If Security Group is selected, a Security Group must be selected. |
| Type | Required | Select the protocol type to which the rule applies. Select destination port/Type: select a protocol type. Internet Protocol: enter protocol numbers, up to 100 at once. All: the entire range of destination port/Type and protocol, meaning all ports for all protocols. |
| Type > Protocol | Required | Select the detailed protocol for the type. Choose among TCP, UDP, and ICMP; the input fields vary depending on the selected protocol. ICMP: set the ICMP Type by selecting a commonly used Type, such as Echo, from the values defined for ICMP Type, then click the Add button. TCP/UDP: choose allowed ports such as SSH or HTTP, or enter values from 1 to 65,535 manually, up to 100 entries at once using commas (,) or ranges (-), then click the Add button. Internet Protocol: enter a protocol number within 1 to 254. |
| Direction | Required | Traffic direction for the applicable target. Inbound rule: External → Server. Outbound rule: Server → External. |
| Description | Optional | Additional description written by the user. |
Table. Detailed items of the Security Group rule edit window
- When the rule information edit is complete, click Confirm in the edit window.
- Review the edited rule information and click Done.
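The rule edit table above and the Add Rule table in the how-to guide state the same input limits: CIDR targets entered with commas and ranges, up to 100 entries, with 0.0.0.0/0 meaning ANY; TCP/UDP ports from 1 to 65,535, up to 100 entries; IP protocol numbers from 1 to 254; and, from the migration notes, descriptions that are cut at 255 characters. The validator below is an added example, not the platform's own input validation, that applies those limits to a rule before it is submitted (or to rows prepared for the bulk Excel file) and flags an inbound rule that combines 0.0.0.0/0 with type All, which the table describes as all ports for all protocols. The rule dictionaries and their key names are constructed for the example, and treating a dash in the address field as a first-last IP range is an assumption about the console's syntax.

```python
"""Validate Security Group rule inputs against the limits in the rule tables.

Added example for this page, not Samsung Cloud Platform code. The rule
dictionaries and key names below are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Tuple

MAX_ENTRIES = 100        # documented limit for address entries and for port entries
PORT_MIN, PORT_MAX = 1, 65535
PROTO_MIN, PROTO_MAX = 1, 254
MAX_DESCRIPTION = 255
ANY_CIDR = "0.0.0.0/0"   # documented value for the entire IP range (ANY)


def parse_address_list(text: str) -> List[str]:
    """Expand the Target address field into normalised CIDR strings.

    Entries are comma separated. An entry may be a host IP, a CIDR block, or
    (assumption about the console syntax) an IP range written first-last,
    which is summarised into the smallest set of CIDR blocks.
    """
    entries = [e.strip() for e in text.split(",") if e.strip()]
    if not entries:
        raise ValueError("target address is required when CIDR is selected")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} addresses per rule, got {len(entries)}")
    cidrs: List[str] = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            cidrs.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
        else:
            cidrs.append(str(ipaddress.ip_network(entry, strict=False)))
    return cidrs


def parse_port_spec(text: str) -> List[Tuple[int, int]]:
    """Parse a TCP/UDP port field such as "22,80,8000-8080" into (low, high) pairs."""
    entries = [e.strip() for e in text.split(",") if e.strip()]
    if not entries:
        raise ValueError("at least one port is required for TCP/UDP")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} port entries per rule, got {len(entries)}")
    ranges: List[Tuple[int, int]] = []
    for entry in entries:
        low_text, _, high_text = entry.partition("-")
        low = int(low_text)
        high = int(high_text) if high_text else low
        if not PORT_MIN <= low <= high <= PORT_MAX:
            raise ValueError(f"port entry {entry!r} is outside {PORT_MIN}-{PORT_MAX}")
        ranges.append((low, high))
    return ranges


def validate_rule(rule: Dict[str, str]) -> List[str]:
    """Return findings for one rule; an empty list means the rule is within the
    documented limits and raises no broad-exposure warning."""
    findings: List[str] = []
    if rule.get("direction") not in ("inbound", "outbound"):
        findings.append("direction must be inbound or outbound")

    targets: List[str] = []
    remote_type = rule.get("remote_type")
    if remote_type == "cidr":
        try:
            targets = parse_address_list(rule.get("target", ""))
        except ValueError as exc:
            findings.append(f"target address: {exc}")
    elif remote_type == "security_group":
        if not rule.get("security_group_id"):
            findings.append("a Security Group must be selected")
    else:
        findings.append("remote_type must be cidr or security_group")

    rule_type = rule.get("type", "").lower()
    if rule_type in ("tcp", "udp"):
        try:
            parse_port_spec(rule.get("ports", ""))
        except ValueError as exc:
            findings.append(f"ports: {exc}")
    elif rule_type == "ip":
        try:
            number = int(rule.get("protocol_number", ""))
        except ValueError:
            number = -1
        if not PROTO_MIN <= number <= PROTO_MAX:
            findings.append(f"protocol number must be within {PROTO_MIN}-{PROTO_MAX}")
    elif rule_type not in ("icmp", "all"):
        findings.append("type must be tcp, udp, icmp, ip or all")

    if len(rule.get("description", "")) > MAX_DESCRIPTION:
        findings.append(f"description longer than {MAX_DESCRIPTION} characters will be cut")

    # Exposure check: inbound from any address with all protocols and ports.
    if rule.get("direction") == "inbound" and ANY_CIDR in targets and rule_type == "all":
        findings.append("warning: inbound rule opens all protocols and ports to 0.0.0.0/0 (ANY)")
    return findings


if __name__ == "__main__":
    # Constructed rules: one within limits, one that triggers the exposure warning.
    for rule in (
        {"direction": "inbound", "remote_type": "cidr", "target": "10.0.0.0/8", "type": "tcp", "ports": "443"},
        {"direction": "inbound", "remote_type": "cidr", "target": "0.0.0.0/0", "type": "all"},
    ):
        print(rule, "->", validate_rule(rule) or ["ok"])
```

The checks mirror what the console enforces at input time; running them over a prepared bulk file before upload avoids a rejected upload, and the exposure warning is the one review point worth a second look before a rule is confirmed.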
3 - API Reference
4 - CLI Reference
5 - Release Note
Security Group
- For user convenience, a Migration Rules page has been added that allows you to import Security Group rules created in the V1 environment and apply them to the V2 service.
- When adding a Security Group rule, multiple service ports can be selected
- Improved the console to allow selecting multiple service ports when adding a rule.
- Add Security Group rule input method
- A feature allowing IP protocol input has been added.
- A feature to select Well-known protocols has been added.
- Samsung Cloud Platform Common Feature Changes
- Account, IAM, Service Home, tags, and other common CX changes have been reflected.
- Improved to allow entering multiple IPs when adding Security Group rules.
- A feature to store Security Group logs has been added.
- You can decide whether to store Security Group logs and store the logs in Object Storage.
- The Security Group service, which provides virtual firewall functionality for instance resources, has been launched.
- You can control inbound and outbound traffic generated from instance resources through the Security Group service.