SecurityGroup Management Guide(KR) - cloud-barista/cb-spider GitHub Wiki
# Security Group Management Guide

## 1. CB-Spider Security Group Overview

- Users create Security Groups to control the inbound/outbound network traffic of a VM.
- A Security Group belongs to a specific VPC and can contain one or more security rules (Security Rules).
- A CB-Spider Security Group works by defining allow rules (Allow Rules); anything not explicitly allowed is denied.
- The relationship between Security Groups and VMs is shown in the diagram below.

```
CB-Spider Security Group

VPC (10.0.0.0/16)
├── SecurityGroup-1
│   ├── Rule: Inbound TCP 22 from 0.0.0.0/0
│   ├── Rule: Inbound TCP 80 from 0.0.0.0/0
│   ├── Rule: Outbound ALL -1 to 0.0.0.0/0
│   └── Applied to: VM-1, VM-2
│
└── SecurityGroup-2
    ├── Rule: Inbound TCP 3306 from 10.0.0.0/16
    ├── Rule: Outbound ALL -1 to 0.0.0.0/0
    └── Applied to: VM-3
```
### 1.1 Default Security Rules

When a Security Group is created, the default rules are as follows; depending on the CSP, the corresponding rules may or may not be visible:

- inbound: all traffic blocked
- outbound: all traffic allowed

### 1.2 Security Rule Attributes

Each Security Rule is defined by the following attributes:

| Attribute | Description | Example |
|---|---|---|
| Direction | Traffic direction | inbound, outbound |
| IPProtocol | Target protocol | ALL, TCP, UDP, ICMP |
| FromPort | Start port | TCP/UDP: 1~65535; ICMP/ALL: -1 |
| ToPort | End port | TCP/UDP: 1~65535; ICMP/ALL: -1 |
| CIDR | Address range the rule applies to | 0.0.0.0/0, ::/0, 10.0.0.0/16, etc. |
## 2. CB-Spider Security Group API and Provided Information Specification

- Users obtain Security Group information in JSON format through the following CB-Spider REST APIs.

### 2.1 Security Group Management API

```
# Security Group management
POST   /spider/securitygroup                        - Create SecurityGroup
GET    /spider/securitygroup                        - List SecurityGroups
GET    /spider/securitygroup/vpc/{VPCName}          - List SecurityGroups in VPC
GET    /spider/securitygroup/{Name}                 - Get SecurityGroup
DELETE /spider/securitygroup/{Name}                 - Delete SecurityGroup

# Register/unregister Security Group (integrate an existing CSP Security Group)
POST   /spider/regsecuritygroup                     - Register SecurityGroup
DELETE /spider/regsecuritygroup/{Name}              - Unregister SecurityGroup

# List Security Groups (all)
GET    /spider/allsecuritygroup                     - List All SecurityGroups (CB-Spider + CSP)
GET    /spider/allsecuritygroupinfo                 - List All SecurityGroups Info

# Security Group statistics
GET    /spider/countsecuritygroup                   - Count All SecurityGroups
GET    /spider/countsecuritygroup/{ConnectionName}  - Count SecurityGroups by Connection

# Delete a CSP Security Group directly
DELETE /spider/cspsecuritygroup/{Id}                - Delete CSP SecurityGroup
```

### 2.2 Security Rules Management API

```
# Add/remove Security Rules
POST   /spider/securitygroup/{SGName}/rules         - Add Rules
DELETE /spider/securitygroup/{SGName}/rules         - Remove Rules
```
### 2.3 Provided Information Specification

**Security Group information (SecurityInfo)**

| Field | Description | Example |
|---|---|---|
| IId | Identifier of the Security Group (NameId, SystemId) | {NameId: "sg-01", SystemId: "sg-1234abcd"} |
| VpcIID | Identifier of the VPC it belongs to (NameId, SystemId) | {NameId: "vpc-01", SystemId: "vpc-5678efgh"} |
| SecurityRules | List of Security Rule information | see Security Rule information below |
| TagList | List of tags assigned to the Security Group | [{Key: "Environment", Value: "Production"}] |
| KeyValueList | Additional CSP-provided information as a Key/Value list | [{Key: "GroupId", Value: "sg-1234"}] |

**Security Rule information (SecurityRuleInfo)**

| Field | Description | Example |
|---|---|---|
| Direction | Traffic direction | "inbound", "outbound" |
| IPProtocol | Protocol type | "TCP", "UDP", "ICMP", "ALL" |
| FromPort | Start port number | "22", "80", "1", "-1" (ALL/ICMP) |
| ToPort | End port number | "22", "80", "65535", "-1" (ALL/ICMP) |
| CIDR | IP address range the rule applies to (CIDR notation) | "0.0.0.0/0", "10.0.0.0/16", "::/0" |

**Protocol-specific Security Rule details**

| Direction | IPProtocol | FromPort | ToPort | CIDR | Notes |
|---|---|---|---|---|---|
| inbound, outbound | ALL | -1 | -1 | 0.0.0.0/0, ::/0, etc. | Allows all traffic |
| inbound, outbound | TCP | 1~65535 | 1~65535 | 0.0.0.0/0, etc. | e.g. SSH(22), HTTP(80), HTTPS(443) |
| inbound, outbound | UDP | 1~65535 | 1~65535 | 0.0.0.0/0, etc. | e.g. DNS(53), NTP(123) |
| inbound, outbound | ICMP | -1 | -1 | 0.0.0.0/0, etc. | Network-layer protocol, no port needed; e.g. ping, traceroute |
## 3. CB-Spider Security Group API and Provided Information Examples

### 3.1 Security Group Creation Example

- The following is an example API call, and its result, that creates the sg-web Security Group allowing SSH and HTTP access on AWS.

```bash
curl -sX 'POST' 'http://localhost:1024/spider/securitygroup' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "Name": "sg-web",
      "VPCName": "vpc-01",
      "SecurityRules": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "22",
          "ToPort": "22",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "80",
          "ToPort": "80",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "443",
          "ToPort": "443",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "outbound",
          "IPProtocol": "ALL",
          "FromPort": "-1",
          "ToPort": "-1",
          "CIDR": "0.0.0.0/0"
        }
      ]
    }
  }' | jq
```

Example response:

```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ],
  "KeyValueList": [
    {
      "Key": "GroupId",
      "Value": "sg-0a1b2c3d4e5f67890"
    },
    {
      "Key": "GroupName",
      "Value": "sg-web"
    }
  ]
}
```
### 3.2 Security Group Retrieval Example

- The following is an example of the API call that retrieves the sg-web Security Group on AWS, and of the information it returns.

```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup/sg-web?ConnectionName=aws-config01' | jq
```

Example response:

```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ]
}
```
### 3.3 Security Group List Example

```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup?ConnectionName=aws-config01' | jq
```

Example response:

```json
{
  "securitygroup": [
    {
      "IId": {
        "NameId": "sg-web",
        "SystemId": "sg-0a1b2c3d4e5f67890"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    },
    {
      "IId": {
        "NameId": "sg-db",
        "SystemId": "sg-1b2c3d4e5f678901"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    }
  ]
}
```
### 3.4 Security Group List by VPC Example

```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup/vpc/vpc-01?ConnectionName=aws-config01' | jq
```

Example response:

```json
{
  "securitygroup": [
    {
      "IId": {
        "NameId": "sg-web",
        "SystemId": "sg-0a1b2c3d4e5f67890"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    }
  ]
}
```
### 3.5 Add Security Rules Example

- The following is an example API call that adds new rules to an existing Security Group.

```bash
curl -sX 'POST' 'http://localhost:1024/spider/securitygroup/sg-web/rules' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "RuleInfoList": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "3306",
          "ToPort": "3306",
          "CIDR": "10.0.0.0/16"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "ICMP",
          "FromPort": "-1",
          "ToPort": "-1",
          "CIDR": "0.0.0.0/0"
        }
      ]
    }
  }' | jq
```

Example response:

```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "3306",
      "ToPort": "3306",
      "CIDR": "10.0.0.0/16"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "ICMP",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ]
}
```
### 3.6 Remove Security Rules Example

```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web/rules' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "RuleInfoList": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "3306",
          "ToPort": "3306",
          "CIDR": "10.0.0.0/16"
        }
      ]
    }
  }' | jq
```

Example response:

```json
{
  "Result": "true"
}
```
### 3.7 Delete Security Group Example

```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01"
  }' | jq
```

Example response:

```json
{
  "Result": "true"
}
```
### 3.8 Force Delete (force) Example

- To force-delete a Security Group that still has VMs or other resources attached, use the force=true option.

```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web?force=true' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01"
  }' | jq
```
## 4. CB-Spider Security Group AdminWeb Examples

- Select the target CSP and manage Security Group information in the following order.
  - Select a connection: choose the target CSP connection at the top of AdminWeb
  - Open the Security Group menu: select "Security Group" from the left-hand menu
  - Create a Security Group: click the "Create SecurityGroup" button and enter the required information
  - Manage Security Rules: rules can be added and removed from the Security Group detail screen

### 4.1 Security Group List Screen Example

When listing Security Groups in AdminWeb, the following information is displayed:

- Security Group Name
- Security Group SystemId (CSP ID)
- VPC Name
- Number of rules
- Creation time
- Action buttons (view details, delete, etc.)

### 4.2 Security Group Creation Screen Example

When creating a Security Group in AdminWeb, enter the following information:

- Security Group Name: the name under which CB-Spider manages the Security Group
- VPC Name: the VPC the Security Group belongs to
- Security Rules (at least one recommended):
  - Direction (inbound/outbound)
  - Protocol (ALL/TCP/UDP/ICMP)
  - Port Range (FromPort ~ ToPort)
  - CIDR (IP address range)
- Tags (optional)

### 4.3 Security Group Detail Screen Example

The Security Group detail screen shows the following information and supports the following actions:

Basic information:
- Security Group IId (NameId, SystemId)
- VPC IId (NameId, SystemId)
- KeyValueList (additional CSP information)

Security Rules management:
- Display of the Security Rules list
- Add Rules button: add new rules
- Remove Rules button: remove individual rules
- View rule details (Direction, Protocol, Port, CIDR)

Action buttons:
- Delete SecurityGroup: delete the Security Group
- Refresh: reload the information
## 5. Main Usage Scenarios

### 5.1 Security Group Configuration for a Web Server

- Create the Security Group (Create SecurityGroup)
- Add inbound rules:
  - SSH: TCP 22 from the administrator's IP
  - HTTP: TCP 80 from 0.0.0.0/0
  - HTTPS: TCP 443 from 0.0.0.0/0
- Outbound rules: ALL -1 to 0.0.0.0/0 (default)
- Specify this Security Group when creating the VM

### 5.2 Security Group Configuration for a Database Server

- Create the Security Group
- Add inbound rules:
  - MySQL: TCP 3306 from the application server CIDR (e.g. 10.0.1.0/24)
  - SSH: TCP 22 from the administrator's IP
- Outbound rules: restrict as needed
- Apply this Security Group to the DB server VM

### 5.3 Integrating an Existing CSP Security Group

- Look up the information (SystemId) of the Security Group that already exists in the CSP
- Register it with CB-Spider through the Register SecurityGroup API
- The Security Group can then be managed from CB-Spider, including adding and removing rules

### 5.4 Multi-Tier Architecture Configuration

- Web Tier Security Group:
  - Inbound: TCP 80, 443 from Internet
  - Outbound: TCP 3000 to App Tier CIDR
- App Tier Security Group:
  - Inbound: TCP 3000 from Web Tier CIDR
  - Outbound: TCP 3306 to DB Tier CIDR
- DB Tier Security Group:
  - Inbound: TCP 3306 from App Tier CIDR
  - Outbound: least privilege
## 6. Notes and Constraints

### 6.1 Notes on Configuring Security Rules

- CIDR setting: 0.0.0.0/0 allows every IP address, so it requires security caution
- Port range: FromPort ≤ ToPort must hold
- Port settings per protocol:
  - TCP/UDP: use the range 1~65535
  - ICMP/ALL: use -1 (no port concept)
- Duplicate rules: when the same rule is added more than once, behaviour can differ by CSP
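A client-side check that enforces the attribute rules of sections 1.2 and 2.3 together with the notes above, added here as an example (it is not CB-Spider code): `check_rule` validates one SecurityRuleInfo dict (protocol, -1/-1 for ICMP/ALL, FromPort ≤ ToPort within 1~65535, parseable CIDR) and `audit_security_group` additionally reports duplicate rules and inbound rules open to 0.0.0.0/0 or ::/0 on anything other than the web ports of scenario 5.1. The function names, `public_ok`, and the sample rule set (built from the section 3.5 response) are this example's own constructions.

```python
import ipaddress

# Rule-shape constraints from the protocol table (sections 2.3 and 6.1 of the guide).
PORTLESS = {"ICMP", "ALL"}          # must use FromPort = ToPort = -1
PORTED = {"TCP", "UDP"}             # must use 1~65535 with FromPort <= ToPort
ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # matches every IPv4 / IPv6 address

def rule(direction, proto, from_port, to_port, cidr):  # ports are strings in the CB-Spider JSON
    return {"Direction": direction, "IPProtocol": proto,
            "FromPort": str(from_port), "ToPort": str(to_port), "CIDR": cidr}

def check_rule(r):
    """Return the list of problems with one SecurityRuleInfo dict ([] when well-formed)."""
    proto, problems = r.get("IPProtocol"), []
    if proto not in PORTLESS | PORTED:
        problems.append(f"bad IPProtocol {proto!r}")
    try:  # ports arrive as strings; ipaddress accepts both IPv4 and IPv6 CIDR notation
        lo, hi = int(r["FromPort"]), int(r["ToPort"])
        ipaddress.ip_network(r["CIDR"], strict=False)
    except (KeyError, ValueError) as e:
        return problems + [f"unparseable FromPort/ToPort/CIDR: {e}"]
    if proto in PORTLESS and (lo, hi) != (-1, -1):
        problems.append(f"{proto} has no port concept; use -1/-1, got {lo}/{hi}")
    elif proto in PORTED and not 1 <= lo <= hi <= 65535:
        problems.append(f"{proto} needs 1 <= FromPort <= ToPort <= 65535, got {lo}/{hi}")
    return problems

def audit_security_group(sg, public_ok=(80, 443)):
    """Validate each rule; flag duplicates and inbound rules reachable from any source.
    Single TCP ports listed in public_ok (the web ports of scenario 5.1) are accepted."""
    findings, seen = {"invalid": [], "duplicates": [], "world_open": []}, set()
    for r in sg.get("SecurityRules", []):
        problems = check_rule(r)
        if problems:
            findings["invalid"].append((r, problems))
            continue
        key = tuple(r[k] for k in ("Direction", "IPProtocol", "FromPort", "ToPort", "CIDR"))
        if key in seen:  # the same rule twice behaves differently per CSP (section 6.1)
            findings["duplicates"].append(r)
        seen.add(key)
        web = r["IPProtocol"] == "TCP" and r["FromPort"] == r["ToPort"] and int(r["ToPort"]) in public_ok
        if r["Direction"] == "inbound" and r["CIDR"] in ANY_SOURCE and not web:
            findings["world_open"].append(r)
    return findings

# Constructed sample: the sg-web rule set returned after the AddRules call in section 3.5.
SAMPLE_SG = {"IId": {"NameId": "sg-web"}, "SecurityRules": [
    rule("inbound", "TCP", 22, 22, "0.0.0.0/0"), rule("inbound", "TCP", 80, 80, "0.0.0.0/0"),
    rule("inbound", "TCP", 443, 443, "0.0.0.0/0"), rule("inbound", "TCP", 3306, 3306, "10.0.0.0/16"),
    rule("inbound", "ICMP", -1, -1, "0.0.0.0/0"), rule("outbound", "ALL", -1, -1, "0.0.0.0/0")]}
```

Run `audit_security_group(SAMPLE_SG)` before submitting a rule set: for the sample it reports SSH (TCP 22) and ICMP as world-open inbound rules, which is exactly the exposure the CIDR note above warns about.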
### 6.2 Security Group Deletion

- A Security Group that is attached to a VM cannot be deleted
- On force delete (force=true), the Security Group settings of the attached VMs may change (caution!)
- The default Security Group cannot be deleted (CSP policy)

### 6.3 Time for Security Rule Changes to Take Effect

- Time until an AddRules()/RemoveRules() call actually takes effect:
  - Typically: 7~10 seconds
  - Azure: 60~80 seconds (a longer wait is required)
- If you test immediately after changing rules, the previous rules may still be in effect, so wait long enough
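The delay above is easy to trip over when a script calls AddRules and then immediately tests or reconfigures. As an added example (not CB-Spider code), the following client-side wait polls the Get SecurityGroup result until the added or removed rule is visible, giving up after a per-CSP budget taken from the times listed above; `SETTLE_SECONDS`, `wait_for_rules`, and the offline fake-CSP `simulate` are this example's assumptions.

```python
import time
# Settle times from section 6.3 (7~10 s typical, 60~80 s on Azure); budgeting the upper bound is our assumption.
SETTLE_SECONDS = {"azure": 80}
DEFAULT_SETTLE_SECONDS = 10
RULE_KEYS = ("Direction", "IPProtocol", "FromPort", "ToPort", "CIDR")

def rule_key(r):
    """Normalise a SecurityRuleInfo dict so rules compare equal regardless of port typing."""
    return tuple(str(r[k]) for k in RULE_KEYS)

def rules_settled(sg_info, present, absent=()):
    """True once every rule in `present` is listed in sg_info and none in `absent` is."""
    current = {rule_key(r) for r in sg_info.get("SecurityRules", [])}
    return all(rule_key(r) in current for r in present) and not any(rule_key(r) in current for r in absent)

def wait_for_rules(fetch_sg, present, absent=(), provider="aws", interval=2.0,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll fetch_sg() (a GET /spider/securitygroup/{Name} call) until the AddRules/RemoveRules
    result is visible or the provider's settle budget runs out. Returns (settled, polls)."""
    deadline = clock() + SETTLE_SECONDS.get(provider.lower(), DEFAULT_SETTLE_SECONDS)
    polls = 0
    while True:
        polls += 1
        if rules_settled(fetch_sg(), present, absent):
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(interval)

# Constructed offline simulation: the fake CSP returns the old rule set for `stale_reads` reads before the MySQL rule of section 3.5 appears.
OLD_RULES = [{"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "22", "ToPort": "22", "CIDR": "0.0.0.0/0"}]
NEW_RULE = {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "3306", "ToPort": "3306", "CIDR": "10.0.0.0/16"}

def simulate(provider, stale_reads, interval=2.0):
    """Run wait_for_rules against the fake CSP with a fake clock; returns (settled, polls, elapsed_s)."""
    state = {"t": 0.0, "reads": 0}
    def fetch():
        state["reads"] += 1
        return {"SecurityRules": OLD_RULES + ([NEW_RULE] if state["reads"] > stale_reads else [])}
    def sleep(s):
        state["t"] += s
    settled, polls = wait_for_rules(fetch, [NEW_RULE], provider=provider, interval=interval,
                                    sleep=sleep, clock=lambda: state["t"])
    return settled, polls, state["t"]

if __name__ == "__main__":
    print(simulate("aws", 2))     # (True, 3, 4.0): visible on the 3rd read, after 4 s
    print(simulate("aws", 100))   # (False, 6, 10.0): never visible, gives up at the 10 s budget
    print(simulate("azure", 20))  # (True, 21, 40.0): the 80 s Azure budget still covers it
```

Against a live CB-Spider, pass a `fetch_sg` that performs the GET from section 3.2 and parses the JSON; the real `time.sleep` and `time.monotonic` defaults are used then.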
### 6.4 Protocol and Port Notes

- ALL protocol: means all traffic; the ports are set to -1
- ICMP protocol: a network-layer protocol with no port concept; set the ports to -1