# SecurityGroup Management Guide
- Users can create Security Groups to control inbound/outbound network traffic for VMs.
- Security Groups belong to a specific VPC and can contain one or more security rules.
- CB-Spider Security Groups consist of Allow rules only: traffic that no rule explicitly allows is blocked, and there are no Deny rules.
- The relationship between Security Groups and VMs is shown in the diagram below.
```text
┌────────────────────────────────────────────────────┐
│ CB-Spider Security Group                           │
│                                                    │
│ VPC (10.0.0.0/16)                                  │
│ ├── SecurityGroup-1                                │
│ │   ├── Rule: Inbound  TCP 22   from 0.0.0.0/0     │
│ │   ├── Rule: Inbound  TCP 80   from 0.0.0.0/0     │
│ │   ├── Rule: Outbound ALL -1   to   0.0.0.0/0     │
│ │   └── Applied to: VM-1, VM-2                     │
│ │                                                  │
│ └── SecurityGroup-2                                │
│     ├── Rule: Inbound  TCP 3306 from 10.0.0.0/16   │
│     ├── Rule: Outbound ALL -1   to   0.0.0.0/0     │
│     └── Applied to: VM-3                           │
└────────────────────────────────────────────────────┘
```
When a Security Group is created, the CSP applies the following default rules (whether they are visible through the API varies by CSP):
- inbound: block all traffic
- outbound: allow all traffic
Each Security Rule is defined by the following attributes:

| Attribute | Description | Examples |
|---|---|---|
| Direction | Traffic direction | inbound, outbound |
| IPProtocol | Target protocol | ALL, TCP, UDP, ICMP |
| FromPort | Starting port | TCP/UDP: 1~65535; ICMP/ALL: -1 |
| ToPort | Ending port | TCP/UDP: 1~65535; ICMP/ALL: -1 |
| CIDR | Target address range | 0.0.0.0/0, ::/0, 10.0.0.0/16, etc. |
## REST API

- Security Group information is returned in JSON format by the following CB-Spider REST API endpoints:

```text
# Security Group Management
POST   /spider/securitygroup                       - Create SecurityGroup
GET    /spider/securitygroup                       - List SecurityGroups
GET    /spider/securitygroup/vpc/{VPCName}         - List SecurityGroups in VPC
GET    /spider/securitygroup/{Name}                - Get SecurityGroup
DELETE /spider/securitygroup/{Name}                - Delete SecurityGroup

# Security Group Registration/Unregistration (integration with an existing CSP Security Group)
POST   /spider/regsecuritygroup                    - Register SecurityGroup
DELETE /spider/regsecuritygroup/{Name}             - Unregister SecurityGroup

# Security Group List Query (All)
GET    /spider/allsecuritygroup                    - List All SecurityGroups (CB-Spider + CSP)
GET    /spider/allsecuritygroupinfo                - List All SecurityGroups Info

# Security Group Statistics
GET    /spider/countsecuritygroup                  - Count All SecurityGroups
GET    /spider/countsecuritygroup/{ConnectionName} - Count SecurityGroups by Connection

# Direct CSP Security Group Deletion
DELETE /spider/cspsecuritygroup/{Id}               - Delete CSP SecurityGroup

# Security Rules Add/Remove
POST   /spider/securitygroup/{SGName}/rules        - Add Rules
DELETE /spider/securitygroup/{SGName}/rules        - Remove Rules
```
## Security Group Information (SecurityInfo)

| Field | Description | Examples |
|---|---|---|
| IId | Security Group identifier (NameId, SystemId) | {NameId: "sg-01", SystemId: "sg-1234abcd"} |
| VpcIID | VPC identifier (NameId, SystemId) | {NameId: "vpc-01", SystemId: "vpc-5678efgh"} |
| SecurityRules | List of Security Rule information | See Security Rule Information below |
| TagList | List of tags assigned to the Security Group | [{Key: "Environment", Value: "Production"}] |
| KeyValueList | Additional information provided by the CSP as a Key/Value list | [{Key: "GroupId", Value: "sg-1234"}] |
## Security Rule Information (SecurityRuleInfo)

| Field | Description | Examples |
|---|---|---|
| Direction | Traffic direction | "inbound", "outbound" |
| IPProtocol | Protocol type | "TCP", "UDP", "ICMP", "ALL" |
| FromPort | Starting port number (string) | "22", "80", "1", "-1" (ALL/ICMP) |
| ToPort | Ending port number (string) | "22", "80", "65535", "-1" (ALL/ICMP) |
| CIDR | Target IP address range (CIDR notation) | "0.0.0.0/0", "10.0.0.0/16", "::/0" |
## Protocol-specific Security Rule Details

| Direction | IPProtocol | FromPort | ToPort | CIDR | Note |
|---|---|---|---|---|---|
| inbound, outbound | ALL | -1 | -1 | 0.0.0.0/0, ::/0, etc. | Allow all traffic |
| inbound, outbound | TCP | 1~65535 | 1~65535 | 0.0.0.0/0, etc. | e.g., SSH(22), HTTP(80), HTTPS(443) |
| inbound, outbound | UDP | 1~65535 | 1~65535 | 0.0.0.0/0, etc. | e.g., DNS(53), NTP(123) |
| inbound, outbound | ICMP | -1 | -1 | 0.0.0.0/0, etc. | Network-layer protocol, no port needed; e.g., ping, traceroute |
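The tables above define a small contract (allowed directions and protocols, port ranges per protocol, -1 for ICMP/ALL, CIDR syntax) that is cheap to check client-side before a request reaches the CSP, and the same pass can flag the classic mistake of opening an administrative port to `0.0.0.0/0`. The following Python is an added example, not CB-Spider code: `validate_rule` applies the documented constraints to one SecurityRuleInfo dictionary and `risky_exposures` lists world-open admin ports. The `ADMIN_PORTS` list and the constructed `SG_WEB_RULES` sample (mirroring the `sg-web` example on this page) are the author's choices.

```python
"""Validate CB-Spider SecurityRuleInfo entries and flag world-open admin ports.

Added example, not CB-Spider code. ADMIN_PORTS and the sample rules below are
the author's choices (the samples mirror the sg-web example on this page).
"""
import ipaddress

DIRECTIONS = {"inbound", "outbound"}
PROTOCOLS = {"ALL", "TCP", "UDP", "ICMP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Services that normally should not be reachable from the whole Internet (assumption).
ADMIN_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 6379: "Redis"}


def validate_rule(rule):
    """Return the list of constraint violations for one rule (empty = well-formed).

    Mirrors the attribute table: Direction and IPProtocol come from fixed sets,
    TCP/UDP ports lie in 1~65535 with FromPort <= ToPort, ICMP/ALL use -1 for
    both ports, and CIDR must be a valid IPv4 or IPv6 network.
    """
    problems = []
    if rule.get("Direction") not in DIRECTIONS:
        problems.append(f"Direction must be inbound or outbound, got {rule.get('Direction')!r}")
    proto = str(rule.get("IPProtocol", "")).upper()
    if proto not in PROTOCOLS:
        problems.append(f"IPProtocol must be one of {sorted(PROTOCOLS)}, got {rule.get('IPProtocol')!r}")
    try:
        from_port, to_port = int(rule["FromPort"]), int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        problems.append("FromPort and ToPort must be integers (the API carries them as strings)")
        return problems
    if proto in ("TCP", "UDP"):
        if not (1 <= from_port <= 65535 and 1 <= to_port <= 65535):
            problems.append("TCP/UDP ports must lie within 1~65535")
        elif from_port > to_port:
            problems.append("FromPort must be <= ToPort")
    elif proto in ("ICMP", "ALL"):
        if (from_port, to_port) != (-1, -1):
            problems.append(f"{proto} has no port concept; use FromPort/ToPort -1")
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.0.0.1/16
        ipaddress.ip_network(rule.get("CIDR", ""), strict=True)
    except ValueError:
        problems.append(f"CIDR is not a valid network: {rule.get('CIDR')!r}")
    return problems


def risky_exposures(rules):
    """Return (port, service) pairs that well-formed inbound rules open to the Internet."""
    exposed = []
    for rule in rules:
        if validate_rule(rule) or rule["Direction"] != "inbound" or rule["CIDR"] not in WORLD_CIDRS:
            continue
        proto = rule["IPProtocol"].upper()
        lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
        for port, service in sorted(ADMIN_PORTS.items()):
            # An ALL rule exposes every port; a TCP range exposes the ports it covers.
            if proto == "ALL" or (proto == "TCP" and lo <= port <= hi):
                exposed.append((port, service))
    return exposed


# Constructed sample: the rules of the sg-web example on this page.
SG_WEB_RULES = [
    {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "22", "ToPort": "22", "CIDR": "0.0.0.0/0"},
    {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "80", "ToPort": "80", "CIDR": "0.0.0.0/0"},
    {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "443", "ToPort": "443", "CIDR": "0.0.0.0/0"},
    {"Direction": "outbound", "IPProtocol": "ALL", "FromPort": "-1", "ToPort": "-1", "CIDR": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for rule in SG_WEB_RULES:
        print(rule, validate_rule(rule) or "ok")
    print("world-open admin ports:", risky_exposures(SG_WEB_RULES))
```

Run against the `sg-web` rules it reports SSH (22) as exposed to the whole Internet, which is exactly the rule the use cases further down tell you to restrict to the administrator's IP; the validation errors are collected rather than raised so a whole rule list can be reported at once before any request is sent.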
- API call and result example for creating an `sg-web` Security Group in AWS that allows SSH, HTTP and HTTPS inbound:

```bash
curl -sX 'POST' 'http://localhost:1024/spider/securitygroup' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "Name": "sg-web",
      "VPCName": "vpc-01",
      "SecurityRules": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "22",
          "ToPort": "22",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "80",
          "ToPort": "80",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "443",
          "ToPort": "443",
          "CIDR": "0.0.0.0/0"
        },
        {
          "Direction": "outbound",
          "IPProtocol": "ALL",
          "FromPort": "-1",
          "ToPort": "-1",
          "CIDR": "0.0.0.0/0"
        }
      ]
    }
  }' | jq
```

Response Example:

```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ],
  "KeyValueList": [
    {
      "Key": "GroupId",
      "Value": "sg-0a1b2c3d4e5f67890"
    },
    {
      "Key": "GroupName",
      "Value": "sg-web"
    }
  ]
}
```

- API call and provided information example for the AWS `sg-web` Security Group:

```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup/sg-web?ConnectionName=aws-config01' | jq
```

Response Example:

```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ]
}
```

- API call example for listing all Security Groups of the connection:

```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup?ConnectionName=aws-config01' | jq
```

Response Example:

```json
{
  "securitygroup": [
    {
      "IId": {
        "NameId": "sg-web",
        "SystemId": "sg-0a1b2c3d4e5f67890"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    },
    {
      "IId": {
        "NameId": "sg-db",
        "SystemId": "sg-1b2c3d4e5f678901"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    }
  ]
}
```

- API call example for listing the Security Groups that belong to VPC `vpc-01`:

```bash
curl -sX 'GET' 'http://localhost:1024/spider/securitygroup/vpc/vpc-01?ConnectionName=aws-config01' | jq
```

Response Example:

```json
{
  "securitygroup": [
    {
      "IId": {
        "NameId": "sg-web",
        "SystemId": "sg-0a1b2c3d4e5f67890"
      },
      "VpcIID": {
        "NameId": "vpc-01",
        "SystemId": "vpc-1a2b3c4d"
      },
      "SecurityRules": [...]
    }
  ]
}
```

- API call example for adding new rules to an existing Security Group:

```bash
curl -sX 'POST' 'http://localhost:1024/spider/securitygroup/sg-web/rules' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "RuleInfoList": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "3306",
          "ToPort": "3306",
          "CIDR": "10.0.0.0/16"
        },
        {
          "Direction": "inbound",
          "IPProtocol": "ICMP",
          "FromPort": "-1",
          "ToPort": "-1",
          "CIDR": "0.0.0.0/0"
        }
      ]
    }
  }' | jq
```

Response Example:

```json
{
  "IId": {
    "NameId": "sg-web",
    "SystemId": "sg-0a1b2c3d4e5f67890"
  },
  "VpcIID": {
    "NameId": "vpc-01",
    "SystemId": "vpc-1a2b3c4d"
  },
  "SecurityRules": [
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "22",
      "ToPort": "22",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "80",
      "ToPort": "80",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "443",
      "ToPort": "443",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "TCP",
      "FromPort": "3306",
      "ToPort": "3306",
      "CIDR": "10.0.0.0/16"
    },
    {
      "Direction": "inbound",
      "IPProtocol": "ICMP",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    },
    {
      "Direction": "outbound",
      "IPProtocol": "ALL",
      "FromPort": "-1",
      "ToPort": "-1",
      "CIDR": "0.0.0.0/0"
    }
  ]
}
```

- API call example for removing a rule from an existing Security Group (the rule to remove is matched on all five attributes):

```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web/rules' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01",
    "ReqInfo": {
      "RuleInfoList": [
        {
          "Direction": "inbound",
          "IPProtocol": "TCP",
          "FromPort": "3306",
          "ToPort": "3306",
          "CIDR": "10.0.0.0/16"
        }
      ]
    }
  }' | jq
```

Response Example:

```json
{
  "Result": "true"
}
```

- API call example for deleting the `sg-web` Security Group:

```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01"
  }' | jq
```

Response Example:

```json
{
  "Result": "true"
}
```

- Use the `force=true` option to forcefully delete a Security Group that is still attached to VMs:

```bash
curl -sX 'DELETE' 'http://localhost:1024/spider/securitygroup/sg-web?force=true' \
  -H 'Content-Type: application/json' \
  -d '{
    "ConnectionName": "aws-config01"
  }' | jq
```
## AdminWeb

Follow these steps to select the target CSP and manage Security Groups in AdminWeb:

1. Select Connection: choose the target CSP Connection at the top of AdminWeb
2. Open the Security Group menu: select "Security Group" from the left menu
3. Create Security Group: click the "Create SecurityGroup" button and enter the required information
4. Manage Security Rules: add/delete Rules from the Security Group details screen
When viewing the Security Group list in AdminWeb, the following information is displayed:
- Security Group Name
- Security Group SystemId (CSP ID)
- VPC Name
- Number of Rules
- Creation Time
- Action Buttons (Details, Delete, etc.)
When creating a Security Group in AdminWeb, enter the following information:
- Security Group Name: Security Group name to be managed in CB-Spider
- VPC Name: VPC to which the Security Group belongs
- Security Rules (at least 1 recommended):
- Direction (inbound/outbound)
- Protocol (ALL/TCP/UDP/ICMP)
- Port Range (FromPort ~ ToPort)
- CIDR (IP address range)
- Tags (optional)
The Security Group details screen provides the following information and actions:
Basic Information:
- Security Group IId (NameId, SystemId)
- VPC IId (NameId, SystemId)
- KeyValueList (Additional CSP information)
Security Rules Management:
- Display Security Rules list
- Add Rules button: Add new Rule
- Remove Rules button: Delete individual Rule
- View Rule details (Direction, Protocol, Port, CIDR)
Action Buttons:
- Delete SecurityGroup: Delete Security Group
- Refresh: Refresh information
## Use Cases

### Web server Security Group

1. Create the Security Group (Create SecurityGroup)
2. Add inbound rules:
   - SSH: TCP 22 from the administrator's IP
   - HTTP: TCP 80 from 0.0.0.0/0
   - HTTPS: TCP 443 from 0.0.0.0/0
3. Outbound rules: ALL -1 to 0.0.0.0/0 (default)
4. Specify the Security Group when creating VMs

### DB server Security Group

1. Create the Security Group
2. Add inbound rules:
   - MySQL: TCP 3306 from the application server CIDR (e.g., 10.0.1.0/24)
   - SSH: TCP 22 from the administrator's IP
3. Outbound rules: configure restrictively as needed
4. Apply the Security Group to the DB server VM

### Registering an existing CSP Security Group

1. Check the information (SystemId) of the Security Group that already exists in the CSP
2. Register it with CB-Spider through the Register SecurityGroup API
3. Manage the Security Group in CB-Spider and add/delete Rules

### Three-tier architecture

- Web Tier Security Group:
  - Inbound: TCP 80, 443 from the Internet
  - Outbound: TCP 3000 to the App Tier CIDR
- App Tier Security Group:
  - Inbound: TCP 3000 from the Web Tier CIDR
  - Outbound: TCP 3306 to the DB Tier CIDR
- DB Tier Security Group:
  - Inbound: TCP 3306 from the App Tier CIDR
  - Outbound: minimum privilege
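The three-tier layout above only works as a least-privilege design if each tier's outbound rule is mirrored by the next tier's inbound rule; a single mistyped port or CIDR silently breaks the path (or, worse, tempts someone to "fix" it with `0.0.0.0/0`). The following Python is an added example, not CB-Spider code: `build_three_tier` emits the three `POST /spider/securitygroup` request bodies in the documented shape, and `check_tier_consistency` cross-checks that every rule pointing at a tier subnet has its mirror rule on the peer Security Group. The connection name, VPC name, SG names and tier subnets are assumptions chosen for illustration.

```python
"""Build the three-tier Security Group requests described above and cross-check them.

Added example, not CB-Spider code. The connection name, VPC name, SG names and
tier subnets are assumptions chosen for illustration.
"""
import json


def tcp_rule(direction, port, cidr):
    """One SecurityRuleInfo for a single TCP port, in the shape the REST API expects."""
    return {"Direction": direction, "IPProtocol": "TCP",
            "FromPort": str(port), "ToPort": str(port), "CIDR": cidr}


def build_three_tier(connection, vpc, web_cidr, app_cidr, db_cidr):
    """Return {sg_name: POST /spider/securitygroup body} for the web/app/db tiers.

    Only the web tier accepts traffic from the Internet; every other rule names
    the neighbouring tier's subnet. The DB tier defines no outbound rule here, so
    the CSP default (outbound allow-all, see the default rules above) applies;
    tighten it per CSP if the database must not initiate connections.
    """
    rules = {
        "sg-web": [tcp_rule("inbound", 80, "0.0.0.0/0"),
                   tcp_rule("inbound", 443, "0.0.0.0/0"),
                   tcp_rule("outbound", 3000, app_cidr)],
        "sg-app": [tcp_rule("inbound", 3000, web_cidr),
                   tcp_rule("outbound", 3306, db_cidr)],
        "sg-db": [tcp_rule("inbound", 3306, app_cidr)],
    }
    return {name: {"ConnectionName": connection,
                   "ReqInfo": {"Name": name, "VPCName": vpc, "SecurityRules": sg_rules}}
            for name, sg_rules in rules.items()}


def check_tier_consistency(requests, tier_cidr):
    """Cross-check the tiers.

    tier_cidr maps SG name -> the subnet its VMs live in. For every rule in SG A
    whose CIDR is tier B's subnet, SG B must carry the mirror rule: opposite
    direction, A's subnet as CIDR, same protocol and ports. Returns a list of
    human-readable gaps (empty list = consistent).
    """
    cidr_to_sg = {cidr: name for name, cidr in tier_cidr.items()}
    mirror = {"inbound": "outbound", "outbound": "inbound"}

    def rules_of(name):
        return requests[name]["ReqInfo"]["SecurityRules"]

    def ports(rule):
        return (rule["IPProtocol"], rule["FromPort"], rule["ToPort"])

    gaps = []
    for name, cidr in tier_cidr.items():
        for rule in rules_of(name):
            peer = cidr_to_sg.get(rule["CIDR"])
            if peer is None:  # Internet or a non-tier CIDR: nothing to mirror
                continue
            want = mirror[rule["Direction"]]
            if not any(p["Direction"] == want and p["CIDR"] == cidr and ports(p) == ports(rule)
                       for p in rules_of(peer)):
                gaps.append(f"{name}: {rule['Direction']} {ports(rule)} towards {peer} "
                            f"has no matching {want} rule on {peer}")
    return gaps


# Assumed tier subnets inside the 10.0.0.0/16 VPC used throughout this page.
TIER_CIDR = {"sg-web": "10.0.1.0/24", "sg-app": "10.0.2.0/24", "sg-db": "10.0.3.0/24"}

if __name__ == "__main__":
    reqs = build_three_tier("aws-config01", "vpc-01",
                            TIER_CIDR["sg-web"], TIER_CIDR["sg-app"], TIER_CIDR["sg-db"])
    print("gaps:", check_tier_consistency(reqs, TIER_CIDR))
    print(json.dumps(reqs["sg-db"], indent=2))  # body for POST /spider/securitygroup
```

Each body in the returned dictionary can be sent as-is as the `-d` payload of the create call shown earlier; run the consistency check before sending, and again against the `SecurityRules` returned by Get SecurityGroup after creation, since the check only needs the rule lists and the subnet map.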
## Notes

- CIDR configuration: `0.0.0.0/0` (and `::/0`) matches every address, so use it only where exposure to the whole Internet is intended; for SSH and database ports use the administrator's or peer tier's CIDR instead.
- Port range: keep FromPort ≤ ToPort.
- Protocol-specific port configuration:
  - TCP/UDP: use the 1~65535 range
  - ICMP/ALL: use -1 (no port concept)
- Duplicate rules: behaviour when adding a rule identical to an existing one varies by CSP.
- A Security Group attached to VMs cannot be deleted.
- Force delete (`force=true`) may change the Security Group settings of the attached VMs (caution!).
- The CSP default Security Group cannot be deleted (CSP policy).
- Time until an AddRules()/RemoveRules() call actually takes effect:
  - Generally: 7~10 seconds
  - Azure: 60~80 seconds (requires a longer wait)
  - If you test immediately after a rule change, the previous rules may still apply, so wait long enough before verifying.
- ALL protocol: means all traffic; ports are set to -1.
- ICMP protocol: network-layer protocol with no port concept; ports are set to -1.
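Because a rule change takes seconds to propagate (and more than a minute on Azure), a script that adds rules and immediately tests connectivity sees stale behaviour. Rather than sleeping a fixed time, poll Get SecurityGroup until the rule set it returns equals the one you expect. The following Python is an added example, not CB-Spider code: `wait_for_rules` does that polling with an injectable clock so it can be tested offline, `fetch_rules_http` wraps the documented `GET /spider/securitygroup/{Name}?ConnectionName=...` call against the `localhost:1024` address used in the curl examples, the constructed `OLD_RULES`/`ADDED_RULES` mirror the AddRules example above, and the 15 s / 90 s budgets in `timeout_for` are the author's margins over the propagation times quoted in the notes.

```python
"""Poll a Security Group until a rule change has actually taken effect.

Added example, not CB-Spider code. fetch_rules_http wraps the documented
Get SecurityGroup endpoint; the sample rule sets are constructed from the
AddRules example on this page; the timeouts are the author's margins over
the propagation times quoted above (7~10 s generally, 60~80 s on Azure).
"""
import json
import time
import urllib.parse
import urllib.request

SPIDER_URL = "http://localhost:1024"  # CB-Spider address used in the curl examples (assumption)


def rule_key(rule):
    """Normalise one SecurityRuleInfo so that "22" and 22, "tcp" and "TCP" compare equal."""
    return (rule["Direction"], rule["IPProtocol"].upper(),
            str(int(rule["FromPort"])), str(int(rule["ToPort"])), rule["CIDR"])


def fetch_rules_http(sg_name, connection, base_url=SPIDER_URL):
    """Return the SecurityRules list from GET /spider/securitygroup/{Name}."""
    query = urllib.parse.urlencode({"ConnectionName": connection})
    url = f"{base_url}/spider/securitygroup/{urllib.parse.quote(sg_name)}?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["SecurityRules"]


def wait_for_rules(fetch_rules, expected, timeout, interval=2.0,
                   sleep=time.sleep, now=time.monotonic):
    """Poll fetch_rules() until it returns exactly the `expected` rule set.

    Comparison is order-insensitive because CSPs do not promise rule order.
    Returns the number of polls it took; raises TimeoutError with the remaining
    difference if the CSP has not converged within `timeout` seconds.
    """
    want = {rule_key(r) for r in expected}
    deadline = now() + timeout
    polls = 0
    while True:
        polls += 1
        have = {rule_key(r) for r in fetch_rules()}
        if have == want:
            return polls
        if now() >= deadline:
            raise TimeoutError(f"rules did not converge: missing={sorted(want - have)} "
                               f"extra={sorted(have - want)}")
        sleep(interval)


def timeout_for(provider):
    """Polling budget per CSP: Azure needs the longer wait (author's margins)."""
    return 90.0 if provider.lower() == "azure" else 15.0


class FakeClock:
    """Deterministic clock for tests: sleep() advances time instead of waiting."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate_propagation(old, new, polls_until_change):
    """Return a fetch callable that reports `old` until the Nth call, then `new`
    (models the CSP still serving the previous rules right after a change)."""
    count = {"n": 0}

    def fetch():
        count["n"] += 1
        return new if count["n"] >= polls_until_change else old
    return fetch


# Constructed samples mirroring the sg-web create and AddRules examples on this page.
OLD_RULES = [
    {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "22", "ToPort": "22", "CIDR": "0.0.0.0/0"},
    {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "80", "ToPort": "80", "CIDR": "0.0.0.0/0"},
    {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "443", "ToPort": "443", "CIDR": "0.0.0.0/0"},
    {"Direction": "outbound", "IPProtocol": "ALL", "FromPort": "-1", "ToPort": "-1", "CIDR": "0.0.0.0/0"},
]
ADDED_RULES = [
    {"Direction": "inbound", "IPProtocol": "TCP", "FromPort": "3306", "ToPort": "3306", "CIDR": "10.0.0.0/16"},
    {"Direction": "inbound", "IPProtocol": "ICMP", "FromPort": "-1", "ToPort": "-1", "CIDR": "0.0.0.0/0"},
]

if __name__ == "__main__":
    clock = FakeClock()
    fetch = simulate_propagation(OLD_RULES, OLD_RULES + ADDED_RULES, polls_until_change=3)
    polls = wait_for_rules(fetch, OLD_RULES + ADDED_RULES, timeout=timeout_for("aws"),
                           sleep=clock.sleep, now=clock.now)
    print(f"converged after {polls} polls, {clock.now():.0f} s simulated")
```

Against a live CB-Spider, pass `lambda: fetch_rules_http("sg-web", "aws-config01")` as `fetch_rules` and the real `time.sleep`/`time.monotonic` defaults; the expected set is the rule list you held before the change plus (or minus) the `RuleInfoList` you sent, and the `TimeoutError` message tells you which rules the CSP still has not applied.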