
Network Security Groups


Overview


Implement network security groups and firewall rules to enforce least-privilege access, segment networks by tier, and keep infrastructure unreachable from anything that has no business talking to it. Cloud security groups and Kubernetes NetworkPolicies are allow-lists: whatever no rule permits is dropped, so every rule is a grant that must be justified, scoped as narrowly as the source and port allow, and reviewed.

When to Use


  • Inbound traffic control
  • Outbound traffic filtering
  • Network segmentation
  • Zero-trust networking
  • DDoS mitigation (by limiting exposed ports; volumetric floods still need upstream scrubbing)
  • Database access restriction
  • VPN access control
  • Multi-tier application security

Implementation Examples


1. AWS Security Groups


aws-security-groups.yaml

```yaml
Resources:
  # VPC Security Group: general-purpose hosts reachable on HTTP/HTTPS, with
  # SSH limited to the admin network.
  VPCSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: VPC security group
      VpcId: vpc-12345678
      SecurityGroupIngress:
        # Allow HTTP from anywhere
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: "HTTP from anywhere"
        # Allow HTTPS from anywhere
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: "HTTPS from anywhere"
        # Allow SSH from admin network only
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/8
          Description: "SSH from admin network"
      SecurityGroupEgress:
        # Allow all outbound
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
          Description: "All outbound traffic"
      Tags:
        - Key: Name
          Value: vpc-security-group

  # Database Security Group. Its only ingress rule (PostgreSQL from the app
  # tier) is declared further down as a separate AWS::EC2::SecurityGroupIngress
  # resource: the app group's egress references this group and this group's
  # ingress references the app group, and two inline references in opposite
  # directions make CloudFormation reject the stack with a circular dependency.
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database security group
      VpcId: vpc-12345678
      SecurityGroupEgress:
        # All outbound; tighten to what the database host actually needs
        # (package repositories, monitoring) once those endpoints are known.
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
          Description: "All outbound traffic"
      Tags:
        - Key: Name
          Value: database-security-group

  # Application Tier Security Group. Ingress from the load balancer is
  # declared separately below for the same reason.
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application tier security group
      VpcId: vpc-12345678
      SecurityGroupEgress:
        # Allow to databases
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          DestinationSecurityGroupId: !Ref DatabaseSecurityGroup
          Description: "Database access"
        # Allow to external APIs
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: "HTTPS external APIs"
      Tags:
        - Key: Name
          Value: app-security-group

  # Load Balancer Security Group
  LBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Load balancer security group
      VpcId: vpc-12345678
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: "HTTP from anywhere"
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: "HTTPS from anywhere"
      SecurityGroupEgress:
        # Only the app tier's listener. Declaring any egress rule replaces the
        # default allow-all egress rule CloudFormation would otherwise leave in place.
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          DestinationSecurityGroupId: !Ref AppSecurityGroup
          Description: "App traffic to app tier"
      Tags:
        - Key: Name
          Value: lb-security-group

  # Cross-tier ingress rules, referencing groups by ID rather than by CIDR so
  # the rules follow the instances wherever they are placed.
  AppIngressFromLB:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AppSecurityGroup
      IpProtocol: tcp
      FromPort: 8080
      ToPort: 8080
      SourceSecurityGroupId: !Ref LBSecurityGroup
      Description: "App traffic from LB"

  DatabaseIngressFromApp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DatabaseSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      SourceSecurityGroupId: !Ref AppSecurityGroup
      Description: "PostgreSQL from app tier"
```

2. Kubernetes Network Policies


kubernetes-network-policies.yaml

```yaml
# Default deny. A pod is only isolated once some NetworkPolicy selects it, so
# this policy selects every pod in the namespace and allows nothing; the
# policies that follow add back the specific flows that are wanted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Frontend: only the ingress controller's namespace may reach port 8080.
# The selector below needs the ingress-nginx namespace to carry the label
# name=ingress-nginx (applied by hand); the automatic
# kubernetes.io/metadata.name label is an alternative that needs no labelling.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
---
# Database: PostgreSQL from backend pods in this namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-database
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: backend
      ports:
        - protocol: TCP
          port: 5432
---
# Cache: Redis from backend pods in this namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-cache
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: cache
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: backend
      ports:
        - protocol: TCP
          port: 6379
---
# Egress policy: once a pod is selected for Egress, everything it is not
# explicitly allowed to reach (DNS included) is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-egress
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Egress
  egress:
    # Allow to database
    - to:
        - podSelector:
            matchLabels:
              tier: database
      ports:
        - protocol: TCP
          port: 5432
    # Allow to cache
    - to:
        - podSelector:
            matchLabels:
              tier: cache
      ports:
        - protocol: TCP
          port: 6379
    # Allow DNS, UDP and TCP (resolvers fall back to TCP for large answers)
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow external APIs. Pod and namespace selectors only ever match
    # cluster workloads, so traffic leaving the cluster needs an ipBlock;
    # narrow the CIDR to the provider's published ranges where they are known.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```
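NetworkPolicies are additive allow-lists with no deny rule, and a pod that no policy selects is wide open, so the right way to review a set like the one above is to ask, flow by flow, "which policy admits this?". The following is an added example, not code from the original page: it encodes the four ingress policies above as data and evaluates the ingress semantics the API server and CNI apply (isolation only when selected, rules OR-ed together, a bare `podSelector` peer scoped to the policy's own namespace). The namespace labels, pod labels and pod names are constructed for the example.

```python
"""Offline model of Kubernetes NetworkPolicy ingress semantics.

Added example, not code from the page or from Kubernetes. Encodes the page's
policies and checks which connections they admit.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels. `name: ingress-nginx` is the label the page's
# allow-frontend policy selects on; it must be applied to the namespace by hand.
NAMESPACES = {
    "production": {"kubernetes.io/metadata.name": "production"},
    "ingress-nginx": {"name": "ingress-nginx",
                      "kubernetes.io/metadata.name": "ingress-nginx"},
    "staging": {"kubernetes.io/metadata.name": "staging"},
}

# The page's four ingress policies, as data (ports are (protocol, port) pairs).
POLICIES = [
    {"name": "deny-all-ingress", "namespace": "production",
     "podSelector": {}, "policyTypes": ["Ingress"], "ingress": []},
    {"name": "allow-frontend", "namespace": "production",
     "podSelector": {"app": "frontend"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {"name": "ingress-nginx"}}],
                  "ports": [("TCP", 8080)]}]},
    {"name": "allow-backend-to-database", "namespace": "production",
     "podSelector": {"tier": "database"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"tier": "backend"}}],
                  "ports": [("TCP", 5432)]}]},
    {"name": "allow-backend-to-cache", "namespace": "production",
     "podSelector": {"tier": "cache"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"tier": "backend"}}],
                  "ports": [("TCP", 6379)]}]},
]


def selects(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key must be present with the same value;
    the empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer: dict, policy_ns: str, src: Pod) -> bool:
    """Does one entry of a rule's `from` list match the source pod?"""
    if "ipBlock" in peer:
        return False  # pod IPs are not modelled; ipBlock is for traffic outside the cluster
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        # podSelector alone is scoped to the policy's own namespace
        return src.namespace == policy_ns and selects(pod_sel or {}, src.labels)
    if not selects(ns_sel, NAMESPACES.get(src.namespace, {})):
        return False
    return pod_sel is None or selects(pod_sel, src.labels)


def ingress_allowed(src: Pod, dst: Pod, port: int, protocol: str = "TCP",
                    policies=POLICIES) -> bool:
    """True if traffic src -> dst:port is admitted by the policy set."""
    selecting = [p for p in policies
                 if p["namespace"] == dst.namespace
                 and "Ingress" in p["policyTypes"]
                 and selects(p["podSelector"], dst.labels)]
    if not selecting:
        return True  # not isolated: no policy in the namespace selects this pod
    for p in selecting:
        for rule in p["ingress"]:
            peers_ok = not rule.get("from") or any(
                peer_matches(peer, p["namespace"], src) for peer in rule["from"])
            ports_ok = not rule.get("ports") or (protocol, port) in rule["ports"]
            if peers_ok and ports_ok:
                return True
    return False  # isolated, and no rule of any selecting policy admits it


def check_page_policies() -> dict:
    """The flows a practitioner would verify after applying the page's YAML."""
    ingress_ctl = Pod("ingress-nginx-controller", "ingress-nginx",
                      {"app.kubernetes.io/name": "ingress-nginx"})
    frontend = Pod("frontend", "production", {"app": "frontend", "tier": "frontend"})
    backend = Pod("backend", "production", {"app": "backend", "tier": "backend"})
    database = Pod("postgres", "production", {"tier": "database"})
    staging_backend = Pod("backend", "staging", {"tier": "backend"})
    return {
        "ingress_ctl->frontend:8080": ingress_allowed(ingress_ctl, frontend, 8080),
        "backend->database:5432": ingress_allowed(backend, database, 5432),
        "frontend->database:5432": ingress_allowed(frontend, database, 5432),
        "backend->database:5433": ingress_allowed(backend, database, 5433),
        # Nothing on the page admits frontend -> backend, so the deny-all wins.
        "frontend->backend:8080": ingress_allowed(frontend, backend, 8080),
        # Same labels, other namespace: a bare podSelector peer is namespace-scoped.
        "staging_backend->database:5432": ingress_allowed(staging_backend, database, 5432),
        # No policy selects pods in staging, so they are not isolated at all.
        "frontend->staging_backend:8080": ingress_allowed(frontend, staging_backend, 8080),
    }


if __name__ == "__main__":
    for conn, ok in check_page_policies().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {conn}")
```

Two of the results are the ones worth noticing: the page's policy set, applied as written, leaves the frontend unable to reach the backend at all (no policy admits that flow and the deny-all selects the backend), and a namespace without a default-deny policy gives no isolation whatsoever.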

3. GCP Firewall Rules


gcp-firewall-rules.yaml

```yaml
# Config Connector resources. Note the field names: ComputeFirewall uses
# `networkRef`, `allow` and `deny` with `protocol`, not the Compute REST API's
# `network`, `allowed` and `IPProtocol`.

# Public web listeners, applied only to instances carrying the target tags.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: allow-http-https
spec:
  networkRef:
    name: default
  direction: INGRESS
  priority: 1000
  sourceRanges:
    - 0.0.0.0/0
  allow:
    - protocol: tcp
      ports:
        - "80"
        - "443"
  targetTags:
    - http-server
    - https-server
---
# SSH from the internal admin range only.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: allow-ssh-internal
spec:
  networkRef:
    name: default
  direction: INGRESS
  priority: 1000
  sourceRanges:
    - 10.0.0.0/8
  allow:
    - protocol: tcp
      ports:
        - "22"
  targetTags:
    - allow-ssh
---
# Explicit catch-all deny. Every VPC network already has an implied deny-all
# ingress rule at priority 65535; a visible rule just above it documents the
# intent and is the rule to enable firewall logging on for dropped traffic.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: deny-all-ingress
spec:
  networkRef:
    name: default
  direction: INGRESS
  priority: 65534
  sourceRanges:
    - 0.0.0.0/0
  deny:
    - protocol: all
```

4. Security Group Management Script


```bash
#!/bin/bash
# manage-security-groups.sh - Security group management utility
#
# Usage: manage-security-groups.sh <action> [region] [args]
#   list     [region]                                      list groups in the region
#   show     <region> <sg-id>                              print inbound and outbound rules
#   add-rule <region> <sg-id> <protocol> <port> <cidr> [description]
#   audit    [region]                                      flag groups exposing sensitive ports to the world

set -euo pipefail

ACTION="${1:-list}"
REGION="${2:-us-east-1}"

# List security groups
list_security_groups() {
    echo "Security Groups in $REGION:"
    aws ec2 describe-security-groups \
        --region "$REGION" \
        --query 'SecurityGroups[*].[GroupId,GroupName,VpcId]' \
        --output table
}

# Show security group details
show_security_group() {
    local sg_id="$1"
    echo "Inbound Rules for $sg_id:"
    aws ec2 describe-security-groups \
        --group-ids "$sg_id" \
        --region "$REGION" \
        --query 'SecurityGroups[0].IpPermissions' \
        --output table

    echo -e "\nOutbound Rules for $sg_id:"
    aws ec2 describe-security-groups \
        --group-ids "$sg_id" \
        --region "$REGION" \
        --query 'SecurityGroups[0].IpPermissionsEgress' \
        --output table
}

# Add inbound rule. Rule descriptions live on the IP range, so the rule is
# passed as an --ip-permissions structure rather than --protocol/--port/--cidr.
add_inbound_rule() {
    local sg_id="$1" protocol="$2" port="$3" cidr="$4" description="${5:-}"

    # Refuse the one thing the Best Practices section forbids outright.
    if [[ "$cidr" == "0.0.0.0/0" || "$cidr" == "::/0" ]]; then
        case "$port" in
            22|3306|5432|6379)
                echo "Refusing to open port $port to $cidr on $sg_id" >&2
                return 1 ;;
        esac
    fi

    local range="CidrIp=$cidr"
    if [[ -n "$description" ]]; then
        range+=",Description='$description'"
    fi

    aws ec2 authorize-security-group-ingress \
        --group-id "$sg_id" \
        --region "$REGION" \
        --ip-permissions "IpProtocol=$protocol,FromPort=$port,ToPort=$port,IpRanges=[{$range}]"

    echo "Rule added to $sg_id"
}

# Audit security groups for overly permissive rules.
# A rule is flagged when it is reachable from anywhere (0.0.0.0/0 or ::/0) and
# covers a sensitive port: an exact match, a port range spanning it, or all
# protocols (-1). Comparing FromPort alone would miss 0-65535 and -1 rules.
audit_security_groups() {
    echo "Auditing security groups in $REGION for overly permissive rules..."
    local sensitive="(FromPort<=\`22\` && ToPort>=\`22\`) || (FromPort<=\`3306\` && ToPort>=\`3306\`) || (FromPort<=\`5432\` && ToPort>=\`5432\`)"
    local anywhere="contains(IpRanges[].CidrIp, '0.0.0.0/0') || contains(Ipv6Ranges[].CidrIpv6, '::/0')"
    local flagged
    flagged=$(aws ec2 describe-security-groups \
        --region "$REGION" \
        --query "SecurityGroups[?IpPermissions[?(IpProtocol=='-1' || $sensitive) && ($anywhere)]].GroupId" \
        --output text)

    if [[ -z "$flagged" || "$flagged" == "None" ]]; then
        echo "No security groups expose sensitive ports to the world."
        return 0
    fi
    local sg_id
    for sg_id in $flagged; do
        echo "WARNING: $sg_id has sensitive ports open to 0.0.0.0/0 or ::/0"
    done
    return 1
}

# Main
case "$ACTION" in
    list)     list_security_groups ;;
    show)     show_security_group "${3:?usage: $0 show <region> <sg-id>}" ;;
    add-rule) add_inbound_rule "${3:?sg-id}" "${4:?protocol}" "${5:?port}" "${6:?cidr}" "${7:-}" ;;
    audit)    audit_security_groups ;;
    *)
        echo "Usage: $0 {list|show|add-rule|audit} [region] [args]" >&2
        exit 1
        ;;
esac
```
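The audit above only runs against a live account. The same check is easier to reason about, unit-test and wire into CI when it is applied to the JSON that `aws ec2 describe-security-groups --output json` returns, which can be captured once and replayed. The following is an added example, not part of the page's script: it evaluates the rules offline, treating a rule as a finding when any of its sources is the whole IPv4 or IPv6 address space and it covers a sensitive port, whether by exact match, by a port range, or by `IpProtocol: -1`. The security group IDs, account ID and rules in the sample document are constructed for the example.

```python
"""Offline audit of AWS security group rules.

Added example, not the page's script. Input is the JSON document shape
returned by `aws ec2 describe-security-groups --output json`.
"""
from __future__ import annotations

import ipaddress
import json

SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def rule_covers_port(perm: dict, port: int) -> bool:
    """IpProtocol -1 covers every port; otherwise port must fall in [FromPort, ToPort]."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def rule_world_reachable(perm: dict) -> bool:
    """True if any CIDR source is the entire IPv4 or IPv6 address space.
    Security-group and prefix-list sources are not CIDRs and never count."""
    for r in perm.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen == 0:
            return True
    for r in perm.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False).prefixlen == 0:
            return True
    return False


def audit(document: dict) -> list[dict]:
    """Return one finding per inbound rule that exposes a sensitive port to the world."""
    findings = []
    for sg in document["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_world_reachable(perm):
                continue
            hit = [name for port, name in SENSITIVE_PORTS.items() if rule_covers_port(perm, port)]
            if hit:
                findings.append({
                    "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                    "IpProtocol": perm.get("IpProtocol"),
                    "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                    "Services": hit,
                })
    return findings


# Constructed sample in the describe-security-groups shape: one clean group,
# one "all TCP ports" rule that a FromPort==22 check would miss, and a
# database group that is fine on IPv4 but open to all of IPv6.
SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "VpcId": "vpc-12345678",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTP from anywhere"}],
        "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "SSH from admin network"}],
        "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-admin", "VpcId": "vpc-12345678",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "database", "VpcId": "vpc-12345678",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60004", "UserId": "123456789012"}]},
       {"IpProtocol": "-1",
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
        "PrefixListIds": [], "UserIdGroupPairs": []}
     ]}
  ]
}
""")


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"WARNING: {f['GroupId']} ({f['GroupName']}) exposes "
              f"{', '.join(f['Services'])} to the world "
              f"[{f['IpProtocol']} {f['FromPort']}-{f['ToPort']}]")
```

Replace `SAMPLE` with `json.load(open("sgs.json"))` produced by the CLI to run it on real data. The two findings from the sample are exactly the cases a FromPort equality check silently passes: a 0-65535 range and an all-protocols rule reachable over IPv6.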

Best Practices


✅ DO


  • Implement least privilege access
  • Use security groups for segmentation
  • Document rule purposes
  • Regularly audit rules
  • Separate inbound and outbound rules
  • Use security group references
  • Monitor rule changes
  • Test access before enabling

❌ DON'T


  • Allow 0.0.0.0/0 for databases
  • Open all ports unnecessarily
  • Mix environments in single SG
  • Ignore egress rules
  • Allow all protocols
  • Forget to document rules
  • Use single catch-all rule
  • Deploy without firewall

Common Rules


| Port | Protocol | Purpose                     |
|------|----------|-----------------------------|
| 22   | TCP      | SSH (admin network only)    |
| 80   | TCP      | HTTP (public)               |
| 443  | TCP      | HTTPS (public)              |
| 3306 | TCP      | MySQL (app tier only)       |
| 5432 | TCP      | PostgreSQL (app tier only)  |
| 6379 | TCP      | Redis (app tier only)       |

Resources
