Security Group Enhancement

ZStack Cloud 4.7.21 enhances the security group feature in the following aspects.

Supports Blocklist and Priority Mechanism of Security Rules

In previous versions, security rules supported only an allowlist mechanism. All rules used the Allow policy, which could specify which flows are allowed but could not directly define which flows are denied.

Starting from ZStack Cloud 4.7.21, security rules support a blocklist mechanism and can use a Reject policy to deny specified ingress/egress flows. This policy mainly applies to scenarios where most flows need to be allowed and only a small portion needs to be denied. The blocklist mechanism further increases the flexibility of security groups.

Because a security group can have both Allow and Reject rules, you can set rule priorities to avoid conflicts between two rules on the same object (flow source or destination). On the same object, only the rule with the highest priority takes effect. You can manually select a priority for each rule, or drag and drop rules to adjust their priorities. Choose whichever method suits you.

Figure 1. Blocklist and Priority Mechanism of Security Rule


Optimizes Security Rule Settings

ZStack Cloud optimizes the setting methods of the following security rule parameters:
  • Supports various address formats as the authorization object (flow source or destination).

    ZStack Cloud 4.7.21 supports two object types: IP address/CIDR and security group. You can choose only one type for one rule.

    When you choose the IP address/CIDR type, various address formats are supported, including IP address, IP range (Start IP-End IP), and CIDR. You can add one or more (up to 10) addresses in various formats for one rule, which effectively improves configuration flexibility.

  • Supports one or more ports/port ranges for a rule.

    For security rules whose protocol is TCP or UDP, you need to set the authorization port(s). ZStack Cloud 4.7.21 allows you to add one or more (up to 10) ports and port ranges for a rule.

    Figure 2. Optimizes Setting Method of Authorization Object and Port


Supports Security Rule Import and Export

Starting from ZStack Cloud 4.7.21, you can export security rules from a security group and import them to another security group, which makes rule configuration more efficient.

Figure 3. Import and Export Security Rule


Optimizes Process of Attaching Security Group to NIC

ZStack Cloud 4.7.21 optimizes the process of attaching security groups to NICs in the following aspects:
  • Changes L3 network from a required parameter to an optional parameter.

    In previous versions, you had to attach a security group to an L3 network first, and then attach it to NICs on this L3 network, which means that the L3 network was a required parameter when attaching a security group to a NIC. This prerequisite is removed in ZStack Cloud 4.7.21 and you can attach the security group to any NIC directly. However, you can still use the L3 network as an optional parameter that helps you filter NICs quickly.

  • Allows you to set priorities for multiple security groups on the same NIC.

    In previous versions, you could already attach more than one security group to a NIC. ZStack Cloud 4.7.21 allows you to set priorities for these security groups to avoid conflicts caused by multiple rules in multiple groups. The NIC matches the rules in the group with the highest priority first.

  • Allows you to set a policy to control flows that are not stipulated by security groups.

    Starting from ZStack Cloud 4.7.21, after a NIC joins a security group, it rejects all ingress flows and allows all egress flows by default, except for flows stipulated by the security group rules. You can modify this default policy to flexibly control the flows that are not stipulated by security group rules.
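The evaluation order described above (group priority on the NIC, then rule priority inside the group, then the default policy), modeled as an added example. This is not ZStack code or its API: all names are hypothetical, and it assumes that priority 1 is the highest and that a flow matching no rule in one group falls through to the next group.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:  # hypothetical model, not a ZStack type
    priority: int   # assumption: 1 is the highest priority
    direction: str  # "ingress" or "egress"
    action: str     # "ALLOW" or "REJECT"
    protocol: str   # "TCP" or "UDP"
    objects: list   # "IP", "StartIP-EndIP" or CIDR
    ports: list     # "443" or "8000-8100"

    def __post_init__(self):
        # The page caps a rule at 10 addresses and 10 ports/port ranges.
        if not (1 <= len(self.objects) <= 10 and 1 <= len(self.ports) <= 10):
            raise ValueError("a rule takes 1 to 10 addresses and 1 to 10 ports")

def addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if "-" in spec:  # IP range written as Start IP-End IP
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)  # single IP or CIDR

def port_match(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(groups, direction, protocol, peer_ip, port, defaults=None):
    """groups: (group_priority, [Rule]) pairs attached to one NIC."""
    # Default policy from the page: reject other ingress, allow other egress.
    defaults = defaults or {"ingress": "REJECT", "egress": "ALLOW"}
    for _, rules in sorted(groups, key=lambda g: g[0]):
        for r in sorted(rules, key=lambda r: r.priority):
            if (r.direction == direction and r.protocol == protocol
                    and any(addr_match(o, peer_ip) for o in r.objects)
                    and any(port_match(p, port) for p in r.ports)):
                return r.action  # highest-priority matching rule wins
    return defaults[direction]

# Constructed sample: two groups on one NIC, documentation-range addresses.
WEB = (1, [
    Rule(1, "ingress", "REJECT", "TCP", ["203.0.113.10-203.0.113.20"], ["443"]),
    Rule(2, "ingress", "ALLOW", "TCP", ["0.0.0.0/0"], ["80", "443"]),
])
MGMT = (2, [Rule(1, "ingress", "ALLOW", "TCP",
                 ["203.0.113.15", "10.0.0.0/8"], ["22", "8000-8100"])])
```

In this model, placing a broad Allow rule above a narrower Reject rule makes the Reject rule unreachable, so rule order is worth reviewing after every import or drag-and-drop change.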


Flow Redirection from HTTP Listener to HTTPS Listener

Starting from ZStack Cloud 4.7.21, a load balancer can redirect all flows accessing an HTTP listener to an HTTPS listener for processing. This feature aligns with the growing adoption of HTTPS websites, which helps ensure business security, and lets users conveniently reach an HTTPS website without having to remember its HTTPS URL.

Figure 1. Enable HTTP Redirect for an HTTP Listener



Smart NIC Compatible with H79C OS

In earlier versions, smart NICs were made compatible with the H76C system. Starting from ZStack Cloud 4.7.21, smart NICs are also compatible with the H79C system. You can now use smart NICs on an H76C-based as well as an H79C-based platform to improve network performance.

