SecurityGroup Management Guide - cloud-barista/cb-spider GitHub Wiki
# Security Group Management Guide
## 1. CB-Spider Security Group Overview
- Users can create Security Groups to control inbound/outbound network traffic for VMs.
- Security Groups belong to a specific VPC and can contain one or more security rules.
- CB-Spider Security Groups operate by defining Allow Rules.
- The relationship between Security Groups and VMs is shown in the diagram below.
```text
┌─────────────────────────────────────────────────────────────┐
│ CB-Spider Security Group                                    │
│                                                             │
│ VPC (10.0.0.0/16)                                           │
│ ├── SecurityGroup-1                                         │
│ │   ├── Rule: Inbound TCP 22 from 0.0.0.0/0                 │
│ │   ├── Rule: Inbound TCP 80 from 0.0.0.0/0                 │
│ │   ├── Rule: Outbound ALL -1 to 0.0.0.0/0                  │
│ │   └── Applied to: VM-1, VM-2                              │
│ │                                                           │
│ └── SecurityGroup-2                                         │
│     ├── Rule: Inbound TCP 3306 from 10.0.0.0/16             │
│     ├── Rule: Outbound ALL -1 to 0.0.0.0/0                  │
│     └── Applied to: VM-3                                    │
└─────────────────────────────────────────────────────────────┘
```
### 1.1 Default Security Rules
When creating a Security Group, the default rules are as follows (visibility may vary by CSP):
- inbound: Block all traffic
- outbound: Allow all traffic
### 1.2 Security Rule Attributes
Each Security Rule is defined by the following attributes:
| Attribute | Description | Examples |
|---|---|---|
| Direction | Traffic direction | inbound, outbound |
| IPProtocol | Target protocol | ALL, TCP, UDP, ICMP |
| FromPort | Starting port | TCP/UDP: 1~65535, ICMP/ALL: -1 |
| ToPort | Ending port | TCP/UDP: 1~65535, ICMP/ALL: -1 |
| CIDR | Target address range | 0.0.0.0/0, ::/0, 10.0.0.0/16, etc. |
## 2. CB-Spider Security Group API and Information Specification
- Users can retrieve Security Group information in JSON format using the following CB-Spider REST API.
### 2.1 Security Group Management API
```text
# Security Group Management
POST   /spider/securitygroup                        - Create SecurityGroup
GET    /spider/securitygroup                        - List SecurityGroups
GET    /spider/securitygroup/vpc/{VPCName}          - List SecurityGroups in VPC
GET    /spider/securitygroup/{Name}                 - Get SecurityGroup
DELETE /spider/securitygroup/{Name}                 - Delete SecurityGroup

# Security Group Registration/Unregistration (Integration with existing CSP Security Group)
POST   /spider/regsecuritygroup                     - Register SecurityGroup
DELETE /spider/regsecuritygroup/{Name}              - Unregister SecurityGroup

# Security Group List Query (All)
GET    /spider/allsecuritygroup                     - List All SecurityGroups (CB-Spider + CSP)
GET    /spider/allsecuritygroupinfo                 - List All SecurityGroups Info

# Security Group Statistics
GET    /spider/countsecuritygroup                   - Count All SecurityGroups
GET    /spider/countsecuritygroup/{ConnectionName}  - Count SecurityGroups by Connection

# Direct CSP Security Group Deletion
DELETE /spider/cspsecuritygroup/{Id}                - Delete CSP SecurityGroup
```
### 2.2 Security Rules Management API
```text
# Security Rules Add/Remove
POST   /spider/securitygroup/{SGName}/rules         - Add Rules
DELETE /spider/securitygroup/{SGName}/rules         - Remove Rules
```
### 2.3 Information Specification
#### Security Group Information (SecurityInfo)
| Field | Description | Examples |
|---|---|---|
| IId | Security Group identifier information (NameId, SystemId) | {NameId: "sg-01", SystemId: "sg-1234abcd"} |
| VpcIID | VPC identifier information (NameId, SystemId) | {NameId: "vpc-01", SystemId: "vpc-5678efgh"} |
| SecurityRules | List of Security Rule information | See Security Rule information below |
| TagList | List of tags assigned to the Security Group | [{Key: "Environment", Value: "Production"}] |
| KeyValueList | Additional information provided by the CSP in Key/Value List format | [{Key: "GroupId", Value: "sg-1234"}] |
#### Security Rule Information (SecurityRuleInfo)
| Field | Description | Examples |
|---|---|---|
| Direction | Traffic direction | "inbound", "outbound" |
| IPProtocol | Protocol type | "TCP", "UDP", "ICMP", "ALL" |
| FromPort | Starting port number | "22", "80", "1", "-1" (ALL/ICMP) |
| ToPort | Ending port number | "22", "80", "65535", "-1" (ALL/ICMP) |
| CIDR | Target IP address range (CIDR notation) | "0.0.0.0/0", "10.0.0.0/16", "::/0" |
#### Protocol-specific Security Rule Details
| Direction | IPProtocol | FromPort | ToPort | CIDR | Note |
|---|---|---|---|---|---|
| inbound, outbound | ALL | -1 | -1 | 0.0.0.0/0, ::/0, etc. | Allow all traffic |
| inbound, outbound | TCP | 1~65535 | 1~65535 | 0.0.0.0/0, etc. | e.g., SSH(22), HTTP(80), HTTPS(443) |
| inbound, outbound | UDP | 1~65535 | 1~65535 | 0.0.0.0/0, etc. | e.g., DNS(53), NTP(123) |
| inbound, outbound | ICMP | -1 | -1 | 0.0.0.0/0, etc. | Network layer, no port needed; e.g., ping, traceroute |
## 3. CB-Spider Security Group API and Information Examples
### 3.1 Security Group Creation Example
- API call and result example for creating an `sg-web` Security Group allowing SSH, HTTP and HTTPS access in AWS:
```bash
curl -sX 'POST' 'http://localhost:1024/spider/securitygroup' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "Name": "sg-web",
      "VPCName": "vpc-01",
      "SecurityRules": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "22",
          "ToPort": "22",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "80",
          "ToPort": "80",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "443",
          "ToPort": "443",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "outbound",
          "IPProtocol": "ALL",
          "FromPort": "-1",
          "ToPort": "-1",
          "CIDR": "0.0.0.0/0"
        }
      ]
    }
  }' | jq
```
Response Example:
```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ],
  "KeyValueList": [
    {
      "Key": "GroupId",
      "Value": "sg-0a1b2c3d4e5f67890"
    },
    {
      "Key": "GroupName",
      "Value": "sg-web"
    }
  ]
}
```
### 3.2 Security Group Query Example
- API call and provided information example for the AWS `sg-web` Security Group:
```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup/sg-web?ConnectionName=aws-config01' | jq
```
Response Example:
```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ]
}
```
### 3.3 Security Group List Query Example
```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup?ConnectionName=aws-config01' | jq
```
Response Example:
```json
{
  "securitygroup": [
    {
      "IId": {
        "NameId": "sg-web",
        "SystemId": "sg-0a1b2c3d4e5f67890"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    },
    {
      "IId": {
        "NameId": "sg-db",
        "SystemId": "sg-1b2c3d4e5f678901"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    }
  ]
}
```
### 3.4 VPC Security Group List Query Example
```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup/vpc/vpc-01?ConnectionName=aws-config01' | jq
```
Response Example:
```json
{
  "securitygroup": [
    {
      "IId": {
        "NameId": "sg-web",
        "SystemId": "sg-0a1b2c3d4e5f67890"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    }
  ]
}
```
### 3.5 Security Rules Addition Example
- API call example for adding new rules to an existing Security Group:
```bash
curl -sX 'POST' 'http://localhost:1024/spider/securitygroup/sg-web/rules' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "RuleInfoList": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "3306",
          "ToPort": "3306",
          "CIDR": "10.0.0.0/16"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "ICMP",
          "FromPort": "-1",
          "ToPort": "-1",
          "CIDR": "0.0.0.0/0"
        }
      ]
    }
  }' | jq
```
Response Example:
```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "3306",
      "ToPort": "3306",
      "CIDR": "10.0.0.0/16"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "ICMP",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ]
}
```
### 3.6 Security Rules Removal Example
```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web/rules' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "RuleInfoList": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "3306",
          "ToPort": "3306",
          "CIDR": "10.0.0.0/16"
        }
      ]
    }
  }' | jq
```
Response Example:
```json
{
  "Result": "true"
}
```
### 3.7 Security Group Deletion Example
```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01"
  }' | jq
```
Response Example:
```json
{
  "Result": "true"
}
```
### 3.8 Force Delete Example
- Use the `force=true` option to forcefully delete a Security Group that is still connected to VMs.
```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web?force=true' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01"
  }' | jq
```
## 4. CB-Spider Security Group AdminWeb Examples
- Follow these steps to select the target CSP and manage Security Group information:
  - Select Connection: Choose the target CSP Connection from the top of AdminWeb
  - Access Security Group Menu: Select "Security Group" from the left menu
  - Create Security Group: Click the "Create SecurityGroup" button and enter the required information
  - Manage Security Rules: Add/delete Rules from the Security Group details screen
### 4.1 Security Group List Screen Example
When viewing the Security Group list in AdminWeb, the following information is displayed:
- Security Group Name
- Security Group SystemId (CSP ID)
- VPC Name
- Number of Rules
- Creation Time
- Action Buttons (Details, Delete, etc.)
### 4.2 Security Group Creation Screen Example
When creating a Security Group in AdminWeb, enter the following information:
- Security Group Name: Security Group name to be managed in CB-Spider
- VPC Name: VPC to which the Security Group belongs
- Security Rules (at least 1 recommended):
  - Direction (inbound/outbound)
  - Protocol (ALL/TCP/UDP/ICMP)
  - Port Range (FromPort ~ ToPort)
  - CIDR (IP address range)
- Tags (optional)
### 4.3 Security Group Details Screen Example
The Security Group details screen provides the following information and actions:
**Basic Information:**
- Security Group IId (NameId, SystemId)
- VPC IId (NameId, SystemId)
- KeyValueList (Additional CSP information)
**Security Rules Management:**
- Display Security Rules list
- Add Rules button: Add new Rule
- Remove Rules button: Delete individual Rule
- View Rule details (Direction, Protocol, Port, CIDR)
**Action Buttons:**
- Delete SecurityGroup: Delete Security Group
- Refresh: Refresh information
## 5. Main Usage Scenarios
### 5.1 Web Server Security Group Configuration
- Create Security Group (Create SecurityGroup)
- Add Inbound Rules:
  - SSH: TCP 22 from administrator IP
  - HTTP: TCP 80 from 0.0.0.0/0
  - HTTPS: TCP 443 from 0.0.0.0/0
- Outbound Rules: ALL -1 to 0.0.0.0/0 (default)
- Specify the Security Group when creating VMs
### 5.2 Database Server Security Group Configuration
- Create Security Group
- Add Inbound Rules:
  - MySQL: TCP 3306 from application server CIDR (e.g., 10.0.1.0/24)
  - SSH: TCP 22 from administrator IP
- Outbound Rules: Configure restrictively as needed
- Apply the Security Group to the DB server VM
### 5.3 Integration with Existing CSP Security Group
- Check the information (SystemId) of the Security Group that already exists in the CSP
- Register it to CB-Spider through the Register SecurityGroup API
- Manage the Security Group in CB-Spider and add/delete Rules
### 5.4 Multi-Tier Architecture Configuration
- Web Tier Security Group:
  - Inbound: TCP 80, 443 from Internet
  - Outbound: TCP 3000 to App Tier CIDR
- App Tier Security Group:
  - Inbound: TCP 3000 from Web Tier CIDR
  - Outbound: TCP 3306 to DB Tier CIDR
- DB Tier Security Group:
  - Inbound: TCP 3306 from App Tier CIDR
  - Outbound: Minimum privilege
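The three-tier scenario above, written out as the request bodies that the Create SecurityGroup call in section 3.1 would send, together with a least-privilege check confirming that only the web tier accepts traffic from the Internet. This is an added example, not CB-Spider's own code; the tier CIDRs, the `PUBLIC_PORTS` policy and the function names are assumptions made here.

```python
import ipaddress
import json

# Constructed tier address ranges for the scenario (assumed values, not from the page).
WEB_CIDR, APP_CIDR, DB_CIDR = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
# Policy: only the web tier may accept Internet traffic, and only on these ports (assumption).
PUBLIC_PORTS = {"sg-web": frozenset({80, 443})}

def rule(direction, proto, port, cidr):
    """Build one SecurityRuleInfo in the shape CB-Spider expects (ports are strings)."""
    return {"Direction": direction, "IPProtocol": proto, "FromPort": str(port),
            "ToPort": str(port), "CIDR": cidr}

def tier_requests(connection="aws-config01", vpc="vpc-01"):
    """Return the three POST /spider/securitygroup bodies for the web, app and db tiers.
    sg-db carries no outbound rule here, so the default outbound behaviour (section 1.1) applies."""
    tiers = {
        "sg-web": [rule("inbound", "TCP", 80, "0.0.0.0/0"), rule("inbound", "TCP", 443, "0.0.0.0/0"),
                   rule("outbound", "TCP", 3000, APP_CIDR)],
        "sg-app": [rule("inbound", "TCP", 3000, WEB_CIDR), rule("outbound", "TCP", 3306, DB_CIDR)],
        "sg-db": [rule("inbound", "TCP", 3306, APP_CIDR)],
    }
    return {name: {"ConnectionName": connection,
                   "ReqInfo": {"Name": name, "VPCName": vpc, "SecurityRules": rules}}
            for name, rules in tiers.items()}

def audit_exposure(sg_name, rules, allowed_public_ports=frozenset()):
    """Flag inbound rules whose CIDR is the whole address space (0.0.0.0/0 or ::/0) unless the
    rule is a single whitelisted port. Returns a list of findings; empty means least privilege holds."""
    findings = []
    for r in rules:
        if r["Direction"] != "inbound":
            continue
        if ipaddress.ip_network(r["CIDR"], strict=False).prefixlen != 0:
            continue  # scoped to a specific network, not an Internet exposure
        if r["IPProtocol"] == "ALL" or r["FromPort"] == "-1":
            findings.append(f"{sg_name}: {r['IPProtocol']} open to the Internet (no port restriction)")
        elif r["FromPort"] != r["ToPort"] or int(r["FromPort"]) not in allowed_public_ports:
            findings.append(f"{sg_name}: {r['IPProtocol']} {r['FromPort']}-{r['ToPort']} open to the Internet")
    return findings

def audit_all(requests):
    """Audit every tier body against PUBLIC_PORTS; returns {sg_name: findings}."""
    return {name: audit_exposure(name, body["ReqInfo"]["SecurityRules"], PUBLIC_PORTS.get(name, frozenset()))
            for name, body in requests.items()}

if __name__ == "__main__":
    bodies = tier_requests()
    print(json.dumps(bodies["sg-db"], indent=2))  # body to pass to curl -d, as in section 3.1
    print(audit_all(bodies))
```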
## 6. Precautions and Limitations
### 6.1 Security Rules Configuration Precautions
- CIDR Configuration: `0.0.0.0/0` allows all IPs, so it requires security caution
- Port Range: Maintain the FromPort ≤ ToPort relationship
- Protocol-specific Port Configuration:
  - TCP/UDP: Use the 1~65535 range
  - ICMP/ALL: Use -1 (no port concept)
- Duplicate Rules: Behavior may vary by CSP when adding identical rules
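A pre-flight check for the constraints listed in sections 1.2, 2.3 and 6.1 (direction and protocol names, -1 ports for ALL/ICMP, 1~65535 with FromPort ≤ ToPort for TCP/UDP, a parseable CIDR, and duplicate rules), run over a RuleInfoList before calling Add Rules. This is an added example and not part of CB-Spider; the function names are assumptions.

```python
import ipaddress

PORT_MIN, PORT_MAX = 1, 65535
PROTOCOLS = {"ALL", "TCP", "UDP", "ICMP"}
DIRECTIONS = {"inbound", "outbound"}

def validate_rule(rule):
    """Return a list of problems with one SecurityRuleInfo dict; an empty list means it is well-formed."""
    problems = []
    if rule.get("Direction") not in DIRECTIONS:
        problems.append(f"Direction must be inbound or outbound, got {rule.get('Direction')!r}")
    proto = rule.get("IPProtocol")
    if proto not in PROTOCOLS:
        problems.append(f"IPProtocol must be one of {sorted(PROTOCOLS)}, got {proto!r}")
    try:
        lo, hi = int(rule.get("FromPort")), int(rule.get("ToPort"))  # the API carries ports as strings
    except (TypeError, ValueError):
        problems.append("FromPort/ToPort must be integer strings")
        lo = hi = None
    if lo is not None:
        if proto in ("ALL", "ICMP"):
            if (lo, hi) != (-1, -1):
                problems.append(f"{proto} has no port concept; FromPort and ToPort must be -1")
        elif proto in ("TCP", "UDP"):
            if not (PORT_MIN <= lo <= PORT_MAX and PORT_MIN <= hi <= PORT_MAX):
                problems.append(f"TCP/UDP ports must be within {PORT_MIN}~{PORT_MAX}")
            elif lo > hi:
                problems.append(f"FromPort {lo} must not exceed ToPort {hi}")
    try:
        ipaddress.ip_network(str(rule.get("CIDR") or ""), strict=False)  # accepts IPv4 and IPv6 ranges
    except ValueError:
        problems.append(f"CIDR is not a valid network: {rule.get('CIDR')!r}")
    return problems

def find_duplicates(rules):
    """Return rules that appear more than once (section 6.1: CSPs differ in how they treat duplicates)."""
    seen, dups = set(), []
    for r in rules:
        key = (r.get("Direction"), r.get("IPProtocol"), r.get("FromPort"), r.get("ToPort"), r.get("CIDR"))
        if key in seen and r not in dups:
            dups.append(r)
        seen.add(key)
    return dups

def validate_rule_list(rules):
    """Validate a whole RuleInfoList/SecurityRules array; returns {index: problems} for bad entries only."""
    return {i: p for i, p in enumerate(validate_rule(r) for r in rules) if p}
```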
### 6.2 Security Group Deletion
- Security Groups connected to VMs cannot be deleted
- Force delete (force=true) may change the Security Group settings of connected VMs (Caution!)
- Default Security Group cannot be deleted (CSP policy)
### 6.3 Security Rules Change Effect Time
- Time for actual effect after AddRules()/RemoveRules() call:
  - Generally: 7~10 seconds
  - Azure: 60~80 seconds (requires longer wait time)
- Previous rules may still apply if tested immediately after rule changes, so sufficient waiting is necessary
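Polling the Get SecurityGroup endpoint after Add Rules or Remove Rules until the change is actually visible, with the wait budget chosen from the times above, so that a test does not run against the previous rules. This is an added example, not CB-Spider code; the wait budgets (stated upper bounds plus some headroom) and the function names are assumptions, and the base URL is the `http://localhost:1024` used in section 3.

```python
import json
import time
import urllib.request

# Wait budgets derived from section 6.3 (7~10 s generally, 60~80 s on Azure) with headroom; assumed values.
WAIT_SECONDS = {"default": 15, "azure": 90}

def rule_key(r):
    """Identity of a SecurityRuleInfo for set comparison (ports normalised to strings)."""
    return (r["Direction"], r["IPProtocol"], str(r["FromPort"]), str(r["ToPort"]), r["CIDR"])

def fetch_rules(base_url, sg_name, connection):
    """GET /spider/securitygroup/{Name}?ConnectionName=... and return its SecurityRules list."""
    url = f"{base_url}/spider/securitygroup/{sg_name}?ConnectionName={connection}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp).get("SecurityRules", [])

def wait_for_rules(expected, get_rules, present=True, csp="default", poll_interval=2.0,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll get_rules() until every expected rule is present (after Add Rules) or gone (after
    Remove Rules), or the CSP-specific budget runs out. Returns (settled, number_of_polls).
    get_rules, sleep and clock are injectable so the logic can be exercised offline."""
    want = {rule_key(r) for r in expected}
    deadline = clock() + WAIT_SECONDS.get(csp, WAIT_SECONDS["default"])
    polls = 0
    while True:
        have = {rule_key(r) for r in get_rules()}
        polls += 1
        settled = want <= have if present else not (want & have)
        if settled:
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(poll_interval)

if __name__ == "__main__":
    # The rule added in section 3.5; wait until the CSP reports it before testing connectivity.
    new_rule = {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "3306",
                "ToPort": "3306", "CIDR": "10.0.0.0/16"}
    settled, polls = wait_for_rules(
        [new_rule], lambda: fetch_rules("http://localhost:1024", "sg-web", "aws-config01"))
    print("applied" if settled else "still not visible", "after", polls, "polls")
```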
### 6.4 Protocol and Port Related
- ALL Protocol: Means all traffic, port set to -1
- ICMP Protocol: Network layer protocol with no port concept, set to -1