Appendix A: Security Group (SG)

Alibaba Cloud has a limitation: a virtual machine with multiple network interfaces cannot connect to different Virtual Private Clouds (VPCs). For example, a VM with two NICs, NIC1 and NIC2, cannot connect NIC1 to VPC1 and NIC2 to VPC2.

The following figure depicts a virtual machine with two NICs connecting to VPC1 and VPC2:

Alibaba Cloud does support a virtual machine with multiple NICs connecting to different subnets within the same VPC. For example, a VM with two NICs, NIC1 and NIC2, can connect NIC1 to Subnet1 and NIC2 to Subnet2, where both subnets belong to the same VPC.

The following figure depicts a virtual machine with two NICs connecting to Subnet1 and Subnet2:

Alibaba Cloud isolates different VPCs from each other, but it does not provide the same isolation between subnets in the same VPC. For example, consider a VPC with two subnets, Subnet1 and Subnet2, and two VMs, VM-1 and VM-2, connected to Subnet1 and Subnet2 respectively. In this scenario, VM-1 can access resources on VM-2 and vice versa.

The following figure depicts VM-1 accessing resources on VM-2 and vice versa:

Application isolation is an important concern in enterprise environments, as enterprise customers seek to protect their various environments from unauthorized or unwanted access. To isolate traffic between subnets, filter it using the Security Group feature provided by Alibaba Cloud.

The following figure depicts traffic filtering by an Alibaba Cloud Security Group:
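As an added example (not the Pulse Secure Terraform template), the following HCL for the Alibaba Cloud provider expresses the isolation described above: two vSwitches (subnets) in one VPC, and a security group for the VMs on Subnet2 that accepts inbound traffic only from Subnet1's CIDR on a single port. The CIDRs, zone ID, port and resource names are assumed placeholders.

```hcl
# Added example, not the vendor template. CIDRs, zone ID and port are assumed.
resource "alicloud_vpc" "pcs" {
  vpc_name   = "PCSVirtualNetwork"
  cidr_block = "10.0.0.0/16"
}

resource "alicloud_vswitch" "subnet1" {
  vswitch_name = "Subnet1"
  vpc_id       = alicloud_vpc.pcs.id
  cidr_block   = "10.0.1.0/24"
  zone_id      = "cn-hangzhou-a" # placeholder zone
}

resource "alicloud_vswitch" "subnet2" {
  vswitch_name = "Subnet2"
  vpc_id       = alicloud_vpc.pcs.id
  cidr_block   = "10.0.2.0/24"
  zone_id      = "cn-hangzhou-a" # placeholder zone
}

# Security group attached to the VMs on Subnet2. A VPC security group has
# no inbound rules by default, so traffic arriving from other subnets in
# the VPC is dropped unless a rule below accepts it.
resource "alicloud_security_group" "subnet2_vms" {
  name   = "sg_subnet2_vms"
  vpc_id = alicloud_vpc.pcs.id
}

# Accept TCP/443 only when the source is Subnet1's CIDR: VM-1 on Subnet1
# can reach VM-2 on this port, while any other subnet in the VPC cannot.
resource "alicloud_security_group_rule" "from_subnet1_https" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "443/443"
  priority          = 1
  security_group_id = alicloud_security_group.subnet2_vms.id
  cidr_ip           = alicloud_vswitch.subnet1.cidr_block
}
```

Attach `sg_subnet2_vms` to VM-2's NIC; reversing the direction (VM-2 reaching VM-1) needs a matching rule on the group that protects Subnet1, since each group only filters its own members.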

Pulse Connect Secure, when provisioned through the Terraform template provided by Pulse Secure, creates three subnets under a VPC named “PCSVirtualNetwork”. The three subnets are:

1. vsw-zone-a-pcs-int-port-subnet

2. vsw-zone-a-pcs-ext-port-subnet

3. vsw-zone-a-pcs-mgmt-port-subnet

Along with the above subnets, create the following three Security Group (SG) policies:

1. sg_pcs_int_port

2. sg_pcs_ext_port

3. sg_pcs_mgmt_port

The following figure depicts the SGs for the external, internal and management subnets:

In each Security Group (SG), create policies for inbound traffic:

1. Select Elastic Compute Service > Network & Security > Security Groups.

2. The SG inbound rules created for “sg_pcs_ext_port” are:

3. The SG inbound rules created for “sg_pcs_int_port” are:

4. The SG inbound rules created for “sg_pcs_mgmt_port” are: