## Creating a firewall ##

1. A security group is a virtual firewall with stateful inspection and packet filtering capabilities, used to partition security domains in the cloud. By configuring security group rules, you can control the inbound and outbound traffic of the ECS instances in the security group.
2. When you use the Xshell client to connect remotely to a Linux ECS instance and the security group detects an SSH request from the public network or the internal network, it checks the inbound security group rules one by one: whether the IP address of the requesting device is already present, whether the priority is first among rules of the same type, whether the authorization policy is allow, whether port 22 is open, and so on. Data communication is established only when a security group rule that permits the request is matched. The figure below shows an example of rule matching when using Xshell to connect remotely to a Linux ECS instance.

   ![Security group](https://img.kancloud.cn/3f/34/3f34c6dd7cfd6e5ebf70e28fa59653bf_1097x306.png)
3. Code

```
# Note: alicloud_vpc.vpc is referenced below and must be defined elsewhere
# in the same configuration.
resource "alicloud_security_group" "group" {
  name        = "sc"
  description = "course security group"
  vpc_id      = alicloud_vpc.vpc.id
}

resource "alicloud_security_group_rule" "allow_22" {
  # The type of rule being created.
  # Valid options are ingress (inbound) or egress (outbound).
  type = "ingress"
  # The protocol. Can be tcp, udp, icmp, gre or all.
  ip_protocol = "tcp"
  # Network type, can be either internet or intranet,
  # the default value is internet.
  nic_type = "intranet"
  # Authorization policy, can be either accept or drop,
  # the default value is accept.
  policy = "accept"
  # The range of port numbers relevant to the IP protocol. Default to "-1/-1".
  # When the protocol is tcp or udp, each side port number range from 1 to 65535
  # and '-1/-1' will be invalid. For example, 1/200 means that the range of the
  # port numbers is 1-200. Other protocols' 'port_range' can only be "-1/-1",
  # and other values will be invalid.
  port_range = "22/22"
  # The target security group ID within the same region.
  security_group_id = alicloud_security_group.group.id
  # The target IP address range. The default value is 0.0.0.0/0 (which means
  # no restriction will be applied). Other supported formats include
  # 10.159.6.18/12. Only IPv4 is supported.
  cidr_ip = "0.0.0.0/0"
}
```

## Network ACL ##

1. A network access control list (ACL) is the network access control feature of a VPC. You can associate a network ACL with a vSwitch to control access for the traffic of one or more subnets. Its rules are similar to security group rules, and users can define their own custom rules. Network ACL rules are stateless: after setting an inbound rule that allows certain requests, you must also set the corresponding outbound rule, otherwise some requests may not get a response.

   ![Network ACL](https://img.kancloud.cn/08/29/082917c4a3a166ea7063df550c51d2b3_1280x720.png)

```
data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

resource "alicloud_vpc" "default" {
  cidr_block = "172.16.0.0/12"
  vpc_name   = "VpcConfig"
}

resource "alicloud_vswitch" "default" {
  vpc_id       = alicloud_vpc.default.id
  vswitch_name = "vswitch"
  cidr_block   = cidrsubnet(alicloud_vpc.default.cidr_block, 4, 4)
  zone_id      = data.alicloud_zones.default.ids.0
}

resource "alicloud_network_acl" "default" {
  vpc_id           = alicloud_vpc.default.id
  network_acl_name = "network_acl"
  description      = "network_acl"

  # Inbound entry: allow TCP ports 22-80 from the given source range.
  ingress_acl_entries {
    description            = "tf-testacc"
    network_acl_entry_name = "tcp23"
    source_cidr_ip         = "196.168.2.0/21"
    policy                 = "accept"
    port                   = "22/80"
    protocol               = "tcp"
  }

  # Outbound entry: ACL rules are stateless, so replies need their own rule.
  egress_acl_entries {
    description            = "tf-testacc"
    network_acl_entry_name = "tcp23"
    destination_cidr_ip    = "0.0.0.0/0"
    policy                 = "accept"
    port                   = "-1/-1"
    protocol               = "all"
  }

  # Associate the ACL with the vSwitch so that it applies to that subnet.
  resources {
    resource_id   = alicloud_vswitch.default.id
    resource_type = "VSwitch"
  }
}
```
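
The two configurations above leave SSH open to `0.0.0.0/0` and allow all outbound traffic. The following is an added example, not code from the original page, that narrows both while keeping the stateful/stateless difference visible. It assumes the alicloud provider is configured as for the page's own code; the variable `admin_cidr`, the resource names, the `203.0.113.0/24` range and the `1024/65535` reply port range are constructed assumptions.

```hcl
# Added example, not from the original page. Names and ranges are constructed.
variable "admin_cidr" {
  type    = string
  default = "203.0.113.0/24" # documentation range; replace with your own
}

resource "alicloud_vpc" "example" {
  vpc_name   = "ssh-hardened-vpc"
  cidr_block = "172.16.0.0/12"
}

resource "alicloud_security_group" "example" {
  name   = "ssh-hardened"
  vpc_id = alicloud_vpc.example.id
}

# Security group (stateful): one inbound rule is enough, replies need no rule.
resource "alicloud_security_group_rule" "ssh_from_admin" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  security_group_id = alicloud_security_group.example.id
  cidr_ip           = var.admin_cidr # instead of 0.0.0.0/0
}

# Network ACL (stateless): the inbound SSH entry needs a matching outbound
# entry for the replies. Attach it to a vSwitch with a "resources" block.
resource "alicloud_network_acl" "example" {
  vpc_id           = alicloud_vpc.example.id
  network_acl_name = "ssh-hardened-acl"
  ingress_acl_entries {
    network_acl_entry_name = "ssh-in"
    source_cidr_ip         = var.admin_cidr
    policy                 = "accept"
    port                   = "22/22"
    protocol               = "tcp"
  }
  egress_acl_entries {
    network_acl_entry_name = "ssh-replies-out"
    destination_cidr_ip    = var.admin_cidr
    policy                 = "accept"
    port                   = "1024/65535" # assumed client ephemeral port range
    protocol               = "tcp"
  }
}
```

If the egress entry is removed, the security group still accepts the connection but the ACL drops the server's replies, which is the "request gets no response" case described above.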