Network Management

This chapter mainly introduces how to use network virtualization resources and services, including distributed switches, distributed port groups, and security groups. This section covers the following topics on how to use network resources and services:

Network Resource

Distributed Switch

Through distributed switches, you can set up and configure network connections in the ZStack ZSphere environment.

After the first host is added to the cluster, ZStack ZSphere automatically creates a default distributed switch, a default distributed port group, and a default Kernel adapter based on the host's related configuration. These are used for centralized management of the host's management network. Based on your network planning, you can flexibly reuse the default distributed switch or use a newly created distributed switch.

Create a Distributed Switch

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, right-click a target data center and select New Distributed Switch.
  3. In the New Distributed Switch dialog:
    1. Complete the basic information configuration.
      • Name: Enter a name for the distributed switch.
      • Description: Enter a brief description for the distributed switch.
      • Data Center: Displays the data center where the distributed switch resides.
      • Cluster: Select the target cluster for the distributed switch (virtualization cluster or bare metal cluster).
    2. Complete the network configuration.
      This step only appears when you select a virtualization cluster.
      • Addition Method: Supports individual addition, batch aggregation, and specifying same network interface.
        When selecting individual addition or batch aggregation, configure these parameters:
        • Uplink Name: Set a name for aggregated host physical ports connecting to physical switches.
          Note:
          • By default, naming follows the format "Uplink + suffix," with the suffix automatically incrementing as "1/2/3/..." to distinguish between resources. When the number of uplinks is 10 or more, the default naming format changes to "Up + suffix".
          • Custom uplink name must be within 1 to 10 characters and can only include English letters, numbers, and the special characters "-" and "_". The name cannot start with a number.
        • Bond Mode: Select a bonding mode for physical ports.
          • LACP (mode 4): Bonded ports share the same speed and duplex settings. Network traffic is evenly distributed across all ports for load balancing. This mode supports 1 to 8 physical ports. We recommend bonding at least 2 ports.
          • Active-Backup (mode 1): Bonded ports work in active-backup mode. Normally, the active port handles all traffic. If active port fails, the backup port takes over automatically. This mode supports 1 to 8 physical ports. We recommend bonding 2 ports.
        • Hash Policy: When selecting LACP mode, you can configure the hash policy to determine network traffic egress.
          • layer 2+3: Picks out a NIC port to send data packets based on the hash computation on the source MAC address, destination MAC address, and IP address.
          • layer 3+4: Picks out a NIC port to send data packets based on the hash computation on the IP address and port. TCP/IP stacks are supported.
          • layer 2: Picks out a NIC port to send data packets based on the hash computation on the source MAC address and destination MAC address.
        • Host NIC: Select host ports to be bonded.
          • When creating host bonded ports individually, all selected ports on the same host must have the same speed.
          • When creating host bonded ports in bulk, you can only select ports with identical speeds.
        When selecting specifying same network interface, configure these parameters:
        • Network Interface Type: Select the interface type, including Aggregated Interface and Non-Aggregated Interface.
        • Bond: Select the ports to bond on all hosts in the cluster that have matching ports.
    3. Complete the distributed port group configuration.
      By default, the New Distributed Port Group checkbox is selected. You can choose whether to create a distributed port group on this distributed switch.
      • Name: Enter a name for the distributed port group.
      • VLAN Type: Select a VLAN type. When selecting Standard VLAN, you need to specify a VLAN ID.
      • DHCP Service: Choose whether to enable the automatic IP address assignment for platform resources.
      • IP Address Management: Choose whether to enable the IP address management. When enabled, you can add network ranges to this distributed port group. IP addresses in these ranges can be allocated via DHCP service (when enabled) to resources in the network.
        • IP Address Type: Supports IPv4 and IPv6.
          When selecting IPv4, configure the following parameters:
          • IP Allocation Policy: After enabling the DHCP service, you can select one of the following policies to assign IP addresses.
            • Random Allocation: The system randomly assigns IP addresses from the network range.
            • Allocate in Order: The system assigns all available IP addresses from the network range in ascending order. Released IP addresses are assigned in the next allocation.

              Example: Assume that the network range is 192.168.0.101-192.168.0.120, within which 192.168.0.101-192.168.0.108 are allocated. If 192.168.0.106 is released, it will be assigned first in the next allocation.

            • Allocate in Cycle: The system assigns available IP addresses from the network range in ascending order. Released IP addresses are assigned when currently available IP addresses are used up.

              Example: Assume that the network range is 192.168.0.101-192.168.0.120, within which 192.168.0.101-192.168.0.108 are allocated. If 192.168.0.106 is released, it will be assigned after 192.168.0.120 is used.

          • Network Range Method: Supports IP range and CIDR.
            • For IP range, enter start IP, end IP, netmask, and gateway.
              Note: Do not include gateway, broadcast address, or network addresses in the IP range.
            • For CIDR, enter CIDR Block and gateway. You can enter the first or last CIDR address for gateway. If left blank, the first CIDR address will be used.
          When selecting IPv6, configure the following parameters:
          • Network Range Method: Supports IP range and CIDR.
            • For IP range, enter start IP, end IP, prefix length, and gateway.
            • For CIDR, enter CIDR Block.
          • IP Configuration Mode: Select IPv6 address allocation method.
            • Stateful-DHCP (Default): The interface address and other parameters are all configured through DHCP. The IP range method supports stateful DHCP.
            • Stateless-DHCP: The interface address is automatically derived from the route advertisement prefix and the interface MAC address. Other parameters are configured through DHCP.
            • SLAAC: The interface address is automatically derived from the prefix of the route advertisement that also contains other parameters.
      • DHCP IP: Specify an IP address used by the DHCP service.
      • DNS: Specify a DNS to provide DNS resolution service for the distributed port group.
  4. Review the configuration and click OK.
    Note:
    • When adding either a single NIC or a bonded NIC to the distributed switch, the bridge names created by distributed port groups will all start with br_dvs.
    • If the management network address was originally configured on a physical NIC or sub-interface before adding the host, it will be moved to the br_dvs{ID}_{VLAN ID} bridge after addition. When removing the host, the management address will revert back to the physical NIC or sub-interface.
    • If the management network address was already on a br bridge (for example, a user-defined br_{name}_{VLAN ID}) before adding the host, the bridge name will remain unchanged. In scenarios where management and business networks share NICs, when the new distributed port group's VLAN differs from the management network VLAN, the created bridge will still follow the br_dvs{ID}_{VLAN ID} naming convention, but this will not affect the NIC hosting the management address.

Distributed Switch Uplink

Modify Uplink Configurations

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed switch.
  3. On the target distributed switch's details page, click the Uplink tab.
  4. Click Modify Configuration.
  5. In the Modify Uplink Mode dialog, modify the bond mode and hash policy as needed.
    Note:
    • You can modify the bond mode when there are joined hosts, but only if the default distributed switch uses a single NIC.
    • When no hosts are joined, you can only modify the bond mode of a default distributed switch.
  6. Click OK.

Manage Joined Hosts

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed switch.
  3. On the target distributed switch's details page, click the Uplink tab.
  4. In the Joined Host list, select a target host.
    1. (Optional) To add new ports to this bond, click Actions > Add Physical Network Interface.
      Note:
      1. You can only add ports that are not currently bonded.
      2. New ports must have the same speed as existing ports in the bond.
      3. A bond supports a maximum of 8 physical ports.
    2. (Optional) To remove physical ports from the bond, click Actions > Remove Physical Network Interface.
      Note: You must keep at least 1 physical port.
    3. (Optional) To remove the host's entire uplink, click Actions > Disconnect Host Uplink.
      Note:
      1. Disconnecting host uplink will delete all bonds on this host. Proceed with caution.
      2. This action will also detach all VM NICs on this host. Proceed with caution.
      3. The default distributed switch does not support disconnecting host uplink.

Configure Uplinks for Hosts

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed switch.
  3. On the target distributed switch's details page, click the Uplink tab.
  4. In the Unjoined Host list, select a target host.
    1. (Optional) If the new host's bond configuration matches the distributed switch's uplink configuration associated with its cluster, the host will automatically join the uplink.
    2. (Optional) If the configuration does not match, click Actions > Join Uplink.
      After joining, the host's bond configuration will adjust to match the switch's uplink configuration.

Network Topology

View Network Topology

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed switch.
  3. On the target distributed switch's details page, click the Network Topology tab.
  4. View the network topology.
    The network topology displays the network relationship structure centered around the distributed switch, showing its associations with clusters, hosts, distributed port groups, and virtual machines.

Supported Network Topology Operations

The following list describes the actions that you can perform on the network topology.
  • Refresh: Displays the latest network topology.
  • Zoom In / Zoom Out: Zooms in or out on the network topology.
  • Default Position: Returns to the origin of the topology canvas.
  • Export: Exports the network topology as a PNG image.
  • Hide / Show Virtual Machines: Hides or shows virtual machines in the network topology.
  • Full Screen: Displays the network topology in full screen.
  • Highlight Display: Selects a resource and highlights it together with its associated resources.
  • Hover Display: Shows information about a resource when the mouse hovers over it, with a link to the resource details.
  • Search: Searches topology resources by resource name or UUID.

Attach/Detach a Distributed Switch to/from a Cluster

Before you begin

The default distributed switch only supports attaching/detaching bare metal clusters.

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed switch.
  3. On the target distributed switch's details page, click the Cluster tab.
  4. (Optional) To provide network for more clusters and hosts in the data center, click Attach Cluster.
    1. In the Attach Cluster dialog, select a target cluster, bond configuration, and host NIC.
      When attaching a cluster, you cannot specify bond mode. The bond mode inherits the distributed switch's configuration directly.
    2. Click OK.
  5. (Optional) To detach clusters, click Detach Cluster.
    1. In the Detach Cluster dialog, select target clusters.
    2. Click OK.
    Note: After detaching a cluster, the corresponding VM NICs will be removed. Proceed with caution.

Delete a Distributed Switch

Before you begin

  • You cannot delete the default distributed switch while it still has joined hosts.
  • You cannot delete a distributed switch if distributed port groups in the distributed switch are referenced by a VM memory snapshot.
  • You cannot delete a distributed switch if distributed port groups in the distributed switch are associated with Kernel adapters.

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed switch.
  3. On the target distributed switch's details page, click Actions > Delete.
    Note: Deleting a distributed switch deletes all its distributed port groups and detaches associated VM NICs. Proceed with caution.

Distributed Port Group

Distributed port groups are used to provide network connections to virtual machines and for Kernel adapter traffic.

After adding the first host to a cluster, ZStack ZSphere automatically creates a default distributed switch, default distributed port group, and default Kernel adapter based on the configuration of this host, for centralized management of the host's management network. Based on your network planning, you can flexibly reuse the default distributed switch to create new distributed port groups, or use custom distributed switches to create new distributed port groups.

You can understand the supported basic operations for distributed port groups from the perspective of adding, deleting, modifying, and querying.

Create a Distributed Port Group

The platform provides multiple entry points for creating distributed port groups. You can create one or more distributed port groups from the following two main entry points:
  • Navigate to Inventory > Network Resource, right-click the target distributed switch, and then select New Distributed Port Group.
  • Navigate to Inventory > Network Resource, select the target distributed switch. Then, on the right side of the platform page, click Actions > New Distributed Port Group, or in the Distributed Port Group subpage, click New Distributed Port Group.
To create a distributed port group, you need to complete the following information configuration:
  • Name: The name of the distributed port group.
  • Description: The description of the distributed port group.
  • Distributed Switch: Select the distributed switch corresponding to the distributed port group.
  • VLAN Type: The VLAN type of the distributed port group, choose either None or Standard VLAN. If you select Standard VLAN, you can configure the VLAN ID for the distributed port group.
  • DHCP Service: A service for automatically assigning IP addresses to internal resources within the platform. It is disabled by default. This service only affects resources within the platform and will not conflict with any existing DHCP servers. If enabled, you need to configure the network segment, IP allocation policy, and DHCP service IP.
    • Network Segment Method: Supports IP range and CIDR as two types of network segments.
      • If you choose IP range, you need to enter the start IP, end IP, subnet mask, and gateway.
        Note: Do not include the gateway, broadcast address, or network address in the added IP range.
      • If you choose CIDR, you need to enter the CIDR block and gateway. The gateway can be the first or last address in the CIDR block. If left blank, the first address in the CIDR block is used as the gateway by default.
    • IP Allocation Policy: Supports random, sequential, and circular allocation policies:
      • Random Allocation: The system randomly assigns IP addresses within the network segment.
      • Sequential Allocation: The system allocates all available IP addresses within the network segment in ascending order. IP addresses released during the process will be prioritized for allocation in the next round.
      • Circular Allocation: The system allocates IP addresses within the network segment in ascending order. IP addresses released during the process will be allocated after all currently available IP addresses have been assigned once.
    • DHCP Service IP: The IP address used by the DHCP service. The DHCP service uses this IP to assign IP addresses to resources using this distributed port group.
      • When creating a distributed port group for the first time or adding the first network segment to the distributed port group, you can customize the DHCP service IP. If a DHCP service IP already exists for the distributed port group, you cannot customize the DHCP service IP when adding a network segment.
      • The DHCP service IP must be within the CIDR of the added IP range and not be in use.
  • DNS: DNS resolution service for the distributed port group.

After clicking OK, the creation is complete.

Edit Distributed Port Group

If you only need to modify the name and description of the distributed port group, you can do so on the target distributed port group page by clicking Actions > Edit Name and Description.

If you need to modify the MTU or IP allocation policy of the distributed port group, you can do so on the target distributed port group page by clicking Actions > Edit Configuration.

If you need to add more IPv4 network segments to or delete IPv4 network segment configurations from the distributed port group, you can do so respectively on the target distributed port group's Network Segments page.
Note:
  • Deleting a network segment will cause the network cards of virtual machines using that segment to be unloaded. Proceed with caution.
  • If the distributed port group already has a DHCP service IP and that IP is within the selected network segment, deleting all network segments under the distributed port group will release the DHCP service IP. Deleting only some network segments will leave the DHCP service IP unchanged.

If you need to add more DNS configurations to or delete DNS configurations from the distributed port group, you can do so respectively on the target distributed port group's DNS page.

View Distributed Port Group

If you want to obtain usage rate data for IP addresses of NICs in a distributed port group over various time periods, you can view this information on the target distributed port group's Monitoring page:
  • This page displays a line chart showing the percentage of used and available IP addresses within the selected time range. The chart updates in real-time, facilitating analysis of network resources.
  • You can select the time range as needed, including: 15 minutes, 1 hour, 6 hours, 1 day, 1 week, 1 month, 1 year, and a custom time range.

Delete a Distributed Port Group

If you have determined that you no longer need an existing distributed port group, you can delete it on the target distributed port group page by clicking Actions > Delete. You can also delete distributed port groups in bulk on the data center resource Network > Network Resource > Distributed Port Group page or on the distributed switch resource Distributed Port Group page.
Note: Deleting a distributed port group will unload the network cards of virtual machines using this port group. Proceed with caution.

Create a Distributed Port Group

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, right-click a target distributed switch and select New Distributed Port Group.
  3. In the New Distributed Port Group dialog, set the following parameters:
    • Name: Enter a name for the distributed port group.
    • Description: Enter a brief description for the distributed port group.
    • Distributed Switch: Select a distributed switch for the distributed port group.
    • VLAN Type: Select a VLAN type. When selecting Standard VLAN, you need to specify a VLAN ID.
    • DHCP Service: Choose whether to enable the automatic IP address assignment for platform resources.
    • IP Address Management: Choose whether to enable the IP address management. When enabled, you can add network ranges to this distributed port group. IP addresses in these ranges can be allocated via DHCP service (when enabled) to resources in the network.
      • IP Address Type: Supports IPv4 and IPv6.
        When selecting IPv4, configure the following parameters:
        • IP Allocation Policy: After enabling the DHCP service, you can select one of the following policies to assign IP addresses.
          • Random Allocation: The system randomly assigns IP addresses from the network range.
          • Allocate in Order: The system assigns all available IP addresses from the network range in ascending order. Released IP addresses are assigned in the next allocation.

            Example: Assume that the network range is 192.168.0.101-192.168.0.120, within which 192.168.0.101-192.168.0.108 are allocated. If 192.168.0.106 is released, it will be assigned first in the next allocation.

          • Allocate in Cycle: The system assigns available IP addresses from the network range in ascending order. Released IP addresses are assigned when currently available IP addresses are used up.

            Example: Assume that the network range is 192.168.0.101-192.168.0.120, within which 192.168.0.101-192.168.0.108 are allocated. If 192.168.0.106 is released, it will be assigned after 192.168.0.120 is used.

        • Network Range Method: Supports IP range and CIDR.
          • For IP range, enter start IP, end IP, netmask, and gateway.
            Note: Do not include gateway, broadcast address, or network addresses in the IP range.
          • For CIDR, enter CIDR Block and gateway. You can enter the first or last CIDR address for gateway. If left blank, the first CIDR address will be used.
        When selecting IPv6, configure the following parameters:
        • Network Range Method: Supports IP range and CIDR.
          • For IP range, enter start IP, end IP, prefix length, and gateway.
          • For CIDR, enter CIDR Block.
        • IP Configuration Mode: Select IPv6 address allocation method.
          • Stateful-DHCP (Default): The interface address and other parameters are all configured through DHCP. The IP range method supports stateful DHCP.
          • Stateless-DHCP: The interface address is automatically derived from the route advertisement prefix and the interface MAC address. Other parameters are configured through DHCP.
          • SLAAC: The interface address is automatically derived from the prefix of the route advertisement that also contains other parameters.
    • DHCP IP: Specify an IP address used by the DHCP service.
    • DNS: Specify a DNS to provide DNS resolution service for the distributed port group.
  4. Review the configuration and click OK.
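
The IPv4 network range rules and the three IP allocation policies described in step 3 above (and in step 3 of Create a Distributed Switch, and under Create a Distributed Port Group earlier) modelled in Python, as an added example that is not ZSphere's own code. PortGroupIpam and its method names are assumptions for this illustration; the addresses are the page's own 192.168.0.101-192.168.0.120 example.

```python
import ipaddress
import random

# Added example, not ZSphere code. PortGroupIpam and its methods are
# constructed names that model the behaviour described in the text.


class PortGroupIpam:
    """IPv4 address pool of one distributed port group."""

    def __init__(self, policy="order"):
        # "random" = Random Allocation, "order" = Allocate in Order,
        # "cycle" = Allocate in Cycle
        if policy not in ("random", "order", "cycle"):
            raise ValueError("policy must be random, order or cycle")
        self.policy = policy
        self.net = None        # CIDR of the added range(s)
        self.free = []         # available addresses, in allocation order
        self.used = set()
        self.dhcp_ip = None

    def add_range(self, start, end, netmask, gateway):
        """Add an IP range. As the note above requires, the range must not
        contain the network, broadcast or gateway address."""
        start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
        net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
        gateway = ipaddress.ip_address(gateway)
        if not (start <= end and end in net and gateway in net):
            raise ValueError("range and gateway must lie in one subnet, start <= end")
        for reserved in (net.network_address, net.broadcast_address, gateway):
            if start <= reserved <= end:
                raise ValueError(f"range must not include {reserved}")
        if self.net is not None and net != self.net:
            raise ValueError("this example keeps all ranges in a single CIDR")
        self.net = net
        new = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
        new = [a for a in new if a not in self.used and a not in self.free]
        if self.policy == "cycle":
            self.free.extend(new)            # new addresses join the end of the queue
        else:
            self.free = sorted(self.free + new)
        return len(new)

    def set_dhcp_ip(self, ip):
        """DHCP service IP: settable once, must be inside the CIDR and unused."""
        ip = ipaddress.ip_address(ip)
        if self.dhcp_ip is not None:
            raise ValueError("the DHCP service IP is already set")
        if self.net is None or ip not in self.net or ip in self.used:
            raise ValueError("DHCP IP must be inside the CIDR and not in use")
        self.dhcp_ip = ip
        self.free = [a for a in self.free if a != ip]   # never hand it to a VM

    def allocate(self):
        if not self.free:
            raise RuntimeError("no free addresses in the network range")
        idx = random.randrange(len(self.free)) if self.policy == "random" else 0
        addr = self.free.pop(idx)
        self.used.add(addr)
        return str(addr)

    def release(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr not in self.used:
            raise ValueError(f"{addr} is not allocated")
        self.used.discard(addr)
        if self.policy == "cycle":
            self.free.append(addr)   # Allocate in Cycle: reused after the rest of the pool
        else:
            self.free.append(addr)   # Allocate in Order: handed out in the next allocation
            self.free.sort()
```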

Modify Distributed Port Group Configurations

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed port group.
  3. (Optional) To modify basic configurations, click Actions > Modify Configuration.
    1. In the Modify Configuration dialog, modify the name, description, VLAN ID, MTU, DHCP service as needed.
    2. Click OK.
  4. (Optional) To add or delete network ranges, click the Network Range tab and perform the corresponding operations as needed.
    Note:
    • Deleting a network range also detaches the VM NICs that are using the network range.
    • If the distributed port group has a DHCP IP that is in the selected network range, deleting the network range does not delete the DHCP IP. If all network ranges under the distributed port group are deleted, the DHCP IP will be released.
  5. (Optional) To modify the DNS, click the DNS tab and perform the corresponding operations as needed.

Delete a Distributed Port Group

Before you begin

  • You cannot delete the default distributed port group.
  • You cannot delete a distributed port group if it is referenced by a VM memory snapshot.
  • You cannot delete a distributed port group if it is associated with a Kernel adapter.

Procedure

  1. In the navigation pane, choose Inventory > Network Resource.
  2. In the resource tree, select a target distributed port group.
  3. On the distributed port group's details page, click Actions > Delete.
    Note: Deleting a distributed port group detaches the VM NICs that are using this network. Proceed with caution.
  4. After acknowledging the risk, click OK.

Kernel Adapter

The Kernel adapter uses network labels to identify physical network traffic. After successfully adding a host to a cluster, ZStack ZSphere creates a default Kernel adapter for each host, which is used to obtain and display the management network of that host. You can create Kernel adapters for hosts to manage storage network traffic.

Create a Kernel Adapter

Procedure

  1. In the navigation pane, choose Inventory > VM and Host.
  2. In the resource tree, select a target host.
  3. On the details page of the target host, click Kernel Adapter.
  4. On the Kernel Adapter tab, click New Kernel Adapter.
  5. In the New Kernel Adapter dialog, set the following parameters:
    • Name: Enter a name for the Kernel adapter.
    • Description: Enter a brief description for the Kernel adapter.
    • Network Service: Displays Storage by default, indicating that this Kernel adapter handles storage network traffic.
    • Distributed Port Group: Select a distributed port group.
    • IPv4 Address: Assign an IPv4 address for the Kernel adapter.
    • Netmask: Specify a netmask.
  6. Review the configuration and click OK.

Modify Kernel Adapter Configurations

Procedure

  1. In the navigation pane, choose Inventory > VM and Host.
  2. In the resource tree, select a target host.
  3. On the details page of the target host, click Kernel Adapter.
  4. On the Kernel Adapter tab, choose a Kernel adapter from the list and click Actions > Modify Configuration.
  5. In the Modify Configuration dialog, perform the corresponding modifications as needed.
    • For the default Kernel adapter, you can only modify the name, the description, and whether the Storage network service is selected. When it is selected, the storage network shares the management network.
    • For other Kernel adapters, you can modify the name, description, IPv4 address, and netmask.
  6. Click OK.

Delete a Kernel Adapter

Procedure

  1. In the navigation pane, choose Inventory > VM and Host.
  2. In the resource tree, select a target host.
  3. On the details page of the target host, click Kernel Adapter.
  4. On the Kernel Adapter tab, choose a Kernel adapter from the list and click Actions > Delete.
    Note:
    • You cannot delete a default Kernel adapter.
    • Deleting Kernel adapters will release the associated IP addresses. Storage services dependent on these IPs will be interrupted. Proceed with caution.
  5. After acknowledging the risks, click OK.

Network Service

ZStack ZSphere provides security group network services to ensure the security of east-west traffic between virtual machines.

Security Group

This section describes how security groups work and how to use them:

Overview

Security Group: A security group provides security control services for VM NICs. It filters the ingress or egress TCP, UDP, and ICMP packets of VM NICs based on the specified security rules.

Functional Framework

Security groups control traffic to and from network interfaces through security rules within the group. A network interface can be part of multiple security groups, and by setting the priority of security groups, traffic is first matched against rules in the higher-priority groups.

A security group can contain multiple security rules. Based on their creation mechanism, these can be divided into system rules and custom rules:
  • System Rules: After creating a new security group, the system provides two default rules:
    • Intra-Group Communication Rule: Network interfaces within the same security group are allowed to communicate with each other by default. This rule has a higher priority than all custom rules and cannot be modified or deleted, only disabled.
    • Intra-/Inter-Group Communication Rule: Network interfaces within the security group are allowed to access interfaces outside the security group by default, but interfaces outside the group are not allowed to access those inside by default. This rule has a lower priority than all custom rules and supports modifying the default intra-group and inter-group access behavior for individual virtual machine network interfaces.
  • Custom Rules: Rules added to the security group by users.
The security group rules consist of direction, target, action, protocol & port, and priority:
  • Rule Direction: Security group rules primarily control the source or destination of traffic. Based on the direction of traffic flow, they can be categorized as inbound rules and outbound rules:
    • Inbound Rule: For traffic entering the network interface from the outside, primarily controlling the source of traffic.
    • Outbound Rule: For traffic sent out from the network interface, primarily controlling the destination of traffic.
  • Rule Target: The target of the security group rule (inbound/outbound rule), including source and destination:
    • Source: Corresponds to the inbound rule, supporting the use of IP addresses/ranges or security groups as sources. Inbound rules allow/reject traffic from the specified IP addresses/ranges or security groups.
    • Destination: Corresponds to the outbound rule, supporting the use of IP addresses/ranges or security groups as destinations. Outbound rules allow/reject traffic from the current group's network interfaces to the target IP addresses/ranges or security groups.
  • Action: The specific action taken for traffic matching the rule conditions, including Allow and Deny:
    • Allow: Allows network request traffic to flow into or out of the network interface.
    • Deny: Does not allow network request traffic to flow into or out of the network interface.

    By default, if traffic entering or leaving the network interface does not match any custom rules, inbound traffic is denied and outbound traffic is allowed.

  • Protocol and Port: The packet protocol and corresponding port targeted by the rule. Protocols include ALL, TCP, UDP, and ICMP:
    • ALL: Indicates coverage of all protocol types, and ports cannot be specified.
    • TCP: Supports ports 1-65535.
    • UDP: Supports ports 1-65535.
    • ICMP: Does not support specifying a port.
  • Priority: The relative precedence of one security group rule over others, with supported values ranging from 1 to 100. Higher numbers indicate lower priority.
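
To make the rule semantics above concrete, here is an added example (not ZSphere code) that evaluates a packet against a NIC's security groups in the stated order: the intra-group system rule first, then custom rules by priority, then the default of inbound deny and outbound allow. Rule, SecurityGroup, evaluate(), the "sg:<name>" target convention and the port/target parsers are assumed names, and all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not ZSphere code. Rule, SecurityGroup, evaluate() and the
# "sg:<name>" target convention are constructed for this illustration.


def parse_ports(spec):
    """Parse the dialog's port format: 'Start Port-End Port' entries separated
    by commas, at most 10 entries, each port within 1-65535."""
    parts = [p.strip() for p in spec.split(",") if p.strip()]
    if not 1 <= len(parts) <= 10:
        raise ValueError("specify 1 to 10 ports or port ranges")
    ranges = []
    for part in parts:
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry {part!r}")
        ranges.append((lo, hi))
    return ranges


def parse_targets(spec):
    """Parse 'Start IP-End IP', single IP or CIDR entries separated by commas.
    A CIDR mixed with other entry types must carry a 24-bit mask."""
    targets = []
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        if "/" in part:
            targets.append(("net", ipaddress.ip_network(part, strict=False)))
        else:
            lo, _, hi = part.partition("-")
            targets.append(("range", ipaddress.ip_address(lo.strip()),
                            ipaddress.ip_address((hi or lo).strip())))
    if len({t[0] for t in targets}) > 1 and any(
            t[1].prefixlen != 24 for t in targets if t[0] == "net"):
        raise ValueError("a CIDR mixed with other entries must use a 24-bit mask")
    return targets


@dataclass
class Rule:
    direction: str                 # "ingress" or "egress"
    priority: int                  # 1-100; a higher number means lower priority
    action: str                    # "allow" or "deny"
    protocol: str                  # "ALL", "TCP", "UDP" or "ICMP"
    ports: Optional[str] = None    # TCP/UDP only, in the dialog's format
    target: str = "0.0.0.0/0"      # source (ingress) or destination (egress)

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be between 1 and 100")
        if self.protocol in ("ALL", "ICMP") and self.ports:
            raise ValueError(f"{self.protocol} rules cannot specify a port")
        self.port_ranges = parse_ports(self.ports) if self.ports else None
        # "sg:<name>" means the target is another security group's members.
        self.targets = None if self.target.startswith("sg:") else parse_targets(self.target)

    def matches(self, direction, peer, proto, port, groups):
        if self.direction != direction or self.protocol not in ("ALL", proto):
            return False
        if self.port_ranges and (port is None or
                                 not any(lo <= port <= hi for lo, hi in self.port_ranges)):
            return False
        if self.targets is None:
            return peer in groups[self.target[3:]].members
        return any(peer in t[1] if t[0] == "net" else t[1] <= peer <= t[2]
                   for t in self.targets)


class SecurityGroup:
    def __init__(self, name, members, intra_group_enabled=True):
        self.name = name
        self.members = {ipaddress.ip_address(m) for m in members}
        # The intra-group system rule cannot be edited or deleted, only disabled.
        self.intra_group_enabled = intra_group_enabled
        self.rules = []

    def add_rule(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)   # lower number matches first


def evaluate(nic_groups, all_groups, direction, peer, proto, port=None):
    """Decide a packet for one NIC. nic_groups lists the NIC's security groups
    with the highest-priority group first; all_groups maps name -> group."""
    peer = ipaddress.ip_address(peer)
    for sg in nic_groups:
        # System rule 1: intra-group traffic, ranked above every custom rule.
        if sg.intra_group_enabled and peer in sg.members:
            return "allow"
        for rule in sg.rules:
            if rule.matches(direction, peer, proto, port, all_groups):
                return rule.action
    # System rule 2 (lowest priority): inbound denied, outbound allowed.
    return "deny" if direction == "ingress" else "allow"
```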

Create a Security Group and Related Rules

To use security groups with your virtual machine, you need to create a new security group, add rules to the security group, and bind the security group to the NIC:
  1. Create a Security Group
  2. Add Rules
  3. Associate VM NIC

Create a Security Group

On the ZStack ZSphere platform, select the target data center, then click Network > Security Group, and follow the configuration below to create a new security group:
  • Name: Enter the name for the security group.
  • Description: Provide a description for the security group.

After clicking OK, the new security group will be created.

Add Rules

After creating a security group, you can add inbound and outbound rules to it on its Overview page, either individually or in batch.
Add Individually: Depending on the direction of the rule you wish to add, select the Ingress Rule or Egress Rule tab and click the Add Rule button. Configure the rule as follows:
  • Type: The direction of traffic controlled by the rule, displayed as Ingress or Egress.
  • Priority: The priority of the rule, which automatically increments by 1 for each new rule added. Higher numbers indicate lower priority.
  • IP Address Type: Supports IPv4 address type.
  • Protocol: The communication protocol targeted by the rule, supporting ALL, TCP, UDP, and ICMP.
  • Port: When selecting TCP or UDP, specify the port targeted by the rule:
    • If specifying a range of ports, use the format Start Port-End Port.
    • If specifying multiple ports or ranges, separate them with a half-width (ASCII) comma “,”. You can specify up to 10 ports or ranges.
  • Source: Required when adding an inbound rule. Specifies the IP addresses/ranges or security groups whose traffic the rule allows or denies:
    • When specifying by IP address/range, you can enter a range using the format Start IP-End IP.
    • When specifying by IP address/range, you can also enter CIDR notation. If a CIDR is combined with single addresses or Start IP-End IP ranges, the CIDR mask must be 24 bits (/24). If only CIDRs are specified, there is no limit on the mask length.
    • If specifying multiple IP addresses/ranges, separate them with a half-width (ASCII) comma “,”.
  • Destination: Required when adding an outbound rule. Specifies the IP addresses/ranges or security groups to which traffic from the NICs in this group is allowed or denied:
    • When specifying by IP address/range, you can enter a range using the format Start IP-End IP.
    • When specifying by IP address/range, you can also enter CIDR notation. If a CIDR is combined with single addresses or Start IP-End IP ranges, the CIDR mask must be 24 bits (/24). If only CIDRs are specified, there is no limit on the mask length.
    • If specifying multiple IP addresses/ranges, separate them with a half-width (ASCII) comma “,”.
  • State: Whether the rule is enabled as soon as it is created. By default, the rule is enabled. If set to disabled, the NICs in the group will not match this rule until you manually enable it.
  • Description: Description of the security group rule.
After clicking OK, the rule will be successfully added.
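The Port and Source/Destination field syntax above is easy to get wrong when rules are generated by a script rather than typed into the dialog. The following Python validator is an added example, not part of the platform. It enforces the documented constraints (ports 1-65535 with Start ≤ End, at most 10 port entries, comma-separated lists, no port for ALL or ICMP, IPv4 only, and a 24-bit mask for a CIDR that is mixed with single addresses or ranges) and normalises the targets to IPv4Network objects. The function names are the example's own, and the requirement that a CIDR has no host bits set is an assumption.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

MAX_PORT_ENTRIES = 10          # documented limit for the Port field
SUPPORTED_PROTOCOLS = ("ALL", "TCP", "UDP", "ICMP")


def parse_ports(text):
    """Parse a TCP/UDP Port field such as "22,80-443,8080" into (start, end) tuples."""
    entries = [e.strip() for e in text.split(",") if e.strip()]
    if not entries:
        raise ValueError("TCP/UDP rules need at least one port or range")
    if len(entries) > MAX_PORT_ENTRIES:
        raise ValueError(f"at most {MAX_PORT_ENTRIES} ports or ranges may be given")
    ranges = []
    for entry in entries:
        start, sep, end = entry.partition("-")
        lo = int(start)
        hi = int(end) if sep else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry {entry!r}: use 1-65535 with Start <= End")
        ranges.append((lo, hi))
    return ranges


def parse_ip_targets(text):
    """Parse a Source/Destination field into a list of IPv4Network objects.

    Accepts single IPv4 addresses, "Start IP-End IP" ranges and CIDRs,
    comma-separated.  A CIDR mixed with other entry types must be /24;
    a field made only of CIDRs has no mask restriction.
    """
    entries = [e.strip() for e in text.split(",") if e.strip()]
    if not entries:
        raise ValueError("at least one address, range or CIDR is required")
    cidrs = [e for e in entries if "/" in e]
    others = [e for e in entries if "/" not in e]
    networks = []
    for entry in cidrs:
        net = ip_network(entry)            # assumption: host bits must be zero
        if net.version != 4:
            raise ValueError("only the IPv4 address type is supported")
        if others and net.prefixlen != 24:
            raise ValueError(f"CIDR {entry!r} must use a 24-bit mask when mixed with addresses or ranges")
        networks.append(net)
    for entry in others:
        start, sep, end = entry.partition("-")
        first = ip_address(start)
        last = ip_address(end) if sep else first
        if first.version != 4 or last.version != 4:
            raise ValueError("only the IPv4 address type is supported")
        if last < first:
            raise ValueError(f"bad range {entry!r}: Start IP must not exceed End IP")
        # A Start-End range becomes the minimal set of CIDR blocks covering it.
        networks.extend(summarize_address_range(first, last))
    return networks


def validate_rule_fields(protocol, port_text="", target_text=""):
    """Validate the protocol/port/target combination the Add Rule dialog accepts."""
    if protocol not in SUPPORTED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if protocol in ("ALL", "ICMP"):
        if port_text.strip():
            raise ValueError(f"{protocol} rules cannot specify a port")
        ports = []
    else:
        ports = parse_ports(port_text)
    return {"protocol": protocol, "ports": ports, "targets": parse_ip_targets(target_text)}


def is_accepted(protocol, port_text="", target_text=""):
    """True if the fields would be accepted, False if validation rejects them."""
    try:
        validate_rule_fields(protocol, port_text, target_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rule = validate_rule_fields("TCP", "22,80-443", "192.168.1.0/24,10.0.0.1-10.0.0.3")
    print(rule["ports"], [str(n) for n in rule["targets"]])
    print(is_accepted("UDP", "53", "192.168.0.0/16,10.0.0.1"))   # /16 mixed with an address: rejected
```

Running the validator before importing a large rule set catches the mixed-CIDR mask restriction and the ten-entry port limit early, which the dialog would otherwise reject one rule at a time.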
Batch Add: You can add multiple inbound and outbound rules to a security group by importing rules:
  • Click Actions > Import Rule, upload a CSV file, and click OK. The rules will be imported successfully.
    Note:
    • Imported rules do not affect existing rules. By default they are placed after the existing rules in priority order and are imported in the disabled state.
    • After import, you can manually adjust the priority of these rules and enable them.
    • To ensure system compatibility, the imported file must be edited using Microsoft Excel.
  • If you need to reuse the rules of one security group for another security group, you can do the following on the security group page, depending on the scenario:
    • If you only need to export inbound rules or outbound rules, click the download button at the top right of the rule list under the corresponding tab and choose to export the current page or all rules. This exports the rules in CSV format.
    • If you need to export all inbound and outbound rules, click Actions > Export Rule. This will export the rules in CSV format.
    After exporting, you can import them into the target security group following the steps above.

Associate VM NIC

After adding rules to a security group, you can choose the following paths to bind the security group to virtual machine NICs based on your scenario:
  • If you need to bind the security group to multiple virtual machine NICs, select the target NICs in bulk on the VM NIC page of the security group and configure the following to bind them:
    • Network: Select the network scope applicable to the security group, choosing either all distributed port groups or specific port groups in the data center.
    • NIC: Select target NIC to bind.
      Note: If the IP address of a virtual machine NIC is shown as empty on the platform, the default security group rule (intra-group communication rule) will not apply to that interface.
  • If you need to bind multiple security groups to a virtual machine NIC, you can do so on the Overview page of the target virtual machine: use Edit Configuration to bind security groups to the virtual machine's NICs in bulk. The security groups bound to a NIC take effect in order of the number assigned to them; the smaller the number, the higher the group's precedence.
    Note: Please configure carefully to avoid conflicts between rules across different security groups.
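The note above warns about conflicts between the rules of different security groups bound to the same NIC, but nothing on the platform flags them for you. The following Python is an added example, not ZStack ZSphere code. It takes the groups in the order they are numbered on the NIC and reports every pair of rules from different groups that match overlapping traffic (same direction, overlapping protocol, ports and addresses) with opposite actions, together with the action that takes effect. That the lower-numbered group's rule wins is an assumption drawn from the precedence sentence above; the group names and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    direction: str      # "ingress" or "egress"
    action: str         # "allow" or "deny"
    protocol: str       # "ALL", "TCP", "UDP" or "ICMP"
    networks: tuple     # IPv4Network objects (sources for ingress, destinations for egress)
    ports: tuple = ()   # (start, end) pairs; empty means any port
    enabled: bool = True


def protocols_overlap(a, b):
    return a == "ALL" or b == "ALL" or a == b


def ports_overlap(a, b):
    # An empty port list means "any port", so it overlaps everything.
    if not a or not b:
        return True
    return any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in a for lo2, hi2 in b)


def networks_overlap(a, b):
    return any(n1.overlaps(n2) for n1 in a for n2 in b)


def find_conflicts(bound_groups):
    """Report rule pairs from different groups that match overlapping traffic
    with opposite actions.

    bound_groups is a list of (group_name, rules) in the order the groups are
    numbered on the NIC, index 0 being the smallest number.  Assumption: the
    lower-numbered group's rule takes effect, so "effective" is its action.
    """
    conflicts = []
    for i, (name1, rules1) in enumerate(bound_groups):
        for name2, rules2 in bound_groups[i + 1:]:
            for r1 in rules1:
                for r2 in rules2:
                    if not (r1.enabled and r2.enabled):
                        continue
                    if r1.direction != r2.direction or r1.action == r2.action:
                        continue
                    if not (protocols_overlap(r1.protocol, r2.protocol)
                            and ports_overlap(r1.ports, r2.ports)
                            and networks_overlap(r1.networks, r2.networks)):
                        continue
                    conflicts.append({
                        "direction": r1.direction,
                        "winner": name1, "winner_rule": r1,
                        "shadowed": name2, "shadowed_rule": r2,
                        "effective": r1.action,
                    })
    return conflicts


def demo_bindings():
    """Constructed example: a permissive "web" group numbered before a
    "hardening" group that was meant to block a scanner network."""
    anywhere = (ip_network("0.0.0.0/0"),)
    web = [Rule("ingress", "allow", "TCP", anywhere, ((80, 80), (443, 443)))]
    hardening = [
        Rule("ingress", "deny", "TCP", (ip_network("192.0.2.0/24"),), ((1, 65535),)),
        Rule("ingress", "deny", "ICMP", anywhere),   # different protocol: no conflict
        Rule("egress", "deny", "ALL", anywhere),     # different direction: no conflict
    ]
    return [("web", web), ("hardening", hardening)]


if __name__ == "__main__":
    for c in find_conflicts(demo_bindings()):
        print(f"{c['direction']}: {c['winner']} {c['effective']}s traffic that "
              f"{c['shadowed']} wanted to {c['shadowed_rule'].action} "
              f"({c['shadowed_rule'].networks[0]}, ports {c['shadowed_rule'].ports})")
```

With the groups numbered web first, the scanner network 192.0.2.0/24 still reaches ports 80 and 443 because the web group's allow is evaluated before the hardening group's deny; swapping the binding order makes the deny effective, which is the kind of outcome to verify before relying on a deny in a secondary group.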

Modify Security Groups and Related Rules

After creating a new security group, its rules, and binding them to virtual machine network interfaces, if you need to modify or delete the security group and related rules, refer to the content in this section for guidance.

Security Group

If you need to change the enabled status of a security group, you can use the Enable and Disable operations to make the changes.

If you need to modify the name and description of a security group, you can click Edit Name and Description in the operation column of the target security group to make the changes.

If you need to unbind virtual machine network interfaces from a security group, follow the instructions below based on your scenario:
  • If you need to unbind multiple virtual machine network interfaces from one security group, select the target interfaces on the VM NIC page of the security group and click Disassociate VM NIC to unbind them.
  • If you need to unbind multiple security groups from a virtual machine network interface, use Edit Configuration on the Overview page of the target virtual machine to unbind the security groups from the virtual machine's network interfaces in bulk.
If you are certain that you no longer need an existing security group, you can click Delete in the operation column of the target security group to delete it.
Note: Deleting a security group will also delete any custom rules created for the security group. Please proceed with caution.

Security Group Rules

Security group rules are divided into system default rules and custom rules. The system default rule is the intra-group communication rule; it cannot be edited or deleted and only supports the Disable operation.

If you need to perform operations on custom-added or imported security group rules, you can go to the Overview page of the target security group and select the Ingress Rule or Egress Rule tab as needed, and perform the following operations based on your scenario:
  • If you need to modify the enabled status of individual or multiple security group rules, you can use the Enable and Disable operations to make the changes.
  • If you need to modify the configuration of a single security group rule, such as priority, allow or deny policy, protocol and port, source/destination, enabled status, and description, you can click Edit Rule in the operation column of the target rule and make the necessary changes.
  • If you need to adjust the priority of individual or multiple security group rules, you can click the Adjust Priority button and adjust the relative priority order of the rules as needed by dragging. Value range: integers within the range of 1-100. Higher numbers indicate lower priority.
  • If you are certain that you no longer need a particular security group rule or several rules, select the target rule(s) and click Delete to delete them.