Filter
Top Products
Chapter 16. Managing Networks and Traffic
152
• Network Domain: A custom DNS suffix at the level of a network. If you want to assign a special
domain name to the guest VM network, specify a DNS suffix.
11. Click OK to confirm.
16.6. Using Security Groups to Control Traffic to VMs
16.6.1. About Security Groups
Security groups provide a way to isolate traffic to VMs. A security group is a group of VMs that filter
their incoming and outgoing traffic according to a set of rules, called ingress and egress rules. These
rules filter network traffic according to the IP address that is attempting to communicate with the VM.
Security groups are particularly useful in zones that use basic networking, because there is a single
guest network for all guest VMs. In advanced zones, security groups are supported only on the KVM
hypervisor.
Note
In a zone that uses advanced networking, you can instead define multiple guest networks to
isolate traffic to VMs.
Each CloudPlatform account comes with a default security group that denies all inbound traffic and
allows all outbound traffic. The default security group can be modified so that all new VMs inherit some
other desired set of rules.
Any CloudPlatform user can set up any number of additional security groups. When a new VM is
launched, it is assigned to the default security group unless another user-defined security group is
specified. A VM can be a member of any number of security groups. Once a VM is assigned to a
security group, it remains in that group for its entire lifetime; you can not move a running VM from one
security group to another.
You can modify a security group by deleting or adding any number of ingress and egress rules. When
you do, the new rules apply to all VMs in the group, whether running or stopped.
If no ingress rules are specified, then no traffic will be allowed in, except for responses to any traffic
that has been allowed out through an egress rule.
16.6.2. Security Groups in Advanced Zones (KVM Only)
CloudPlatform provides the ability to use security groups to provide isolation between guests on a
single shared, zone-wide network in an advanced zone where KVM is the hypervisor. Using security
groups in advanced zones rather than multiple VLANs allows a greater range of options for setting up
guest isolation in a cloud.
Limitation
Multiple VLAN ranges in a security group-enabled shared network are not supported.
Security groups must be enabled in the zone in order for this feature to be used.