ZStack Cloud 4.7.21 enhances the security group feature from the flowing aspects.
In previous versions, security rules support only allowlist mechanism. This means that all rules use the Allow policy which could specify which flows are allowed but could not directly define which flows are denied.
Starting from ZStack Cloud 4.7.21, security rules support a blocklist mechanism and can use a Reject policy to deny specified ingress/egress rules. This policy mainly applies to scenarios where most flows need to be allowed and only a small portion need to be denied. The blocklist mechanism further increases the flexibility of security groups.
As a security group can have both Allow and Reject rules, to avoid a conflict brought by two rules on a same object (flow source or destination), you can set rule priorities. On the same object, only the rule with the highest priority take effect. You can manually select a priority for each rule, or directly drag and drop rules to adjust their priorities. Just choose one method suitable for you.
ZStack Cloud 4.7.21 supports two object types: IP address/CIDR and security group. You can choose only one type for one rule.
When you choose the IP address/CIDR type, various address formats are supported, including IP address, IP range (Start IP-End IP), and CIDR. You can add one or more (up to 10) addresses in various formats for one rule, which effectively improve the configuration flexibility.
For security rules whose protocol is TCP or UDP, you need to set the authorization port (s) . ZStack Cloud 4.7.21 allows you to add one or more (up to 10) ports and port ranges for a rule.
Starting from ZStack Cloud 4.7.21, you can export security rules from a security group and import them to another security group, thus finishing rule configurations in an efficient way.
In previous versions, you have to attach a security group to an L3 network first, and then attach it to NICs on this L3 network, which means that the L3 network is a required parameter during you attaching a security group to a NIC. This prerequisite is removed in ZStack Cloud 4.7.21 and you can attach the security group to any NIC directly. However, you can still use L3 network as an optional parameter that help you filter NICs quickly.
In previous versions, it has been allowed to attach more than one security group to a NIC. ZStack Cloud 4.7.21 allows you to set priorities for these security groups to avoid conflicts brought by multiple rules in multiple groups. The NIC matches the rules in the group with the highest priority first.
Starting from ZStack Cloud 4.7.21, after joining in a security group , except for flows stipulated by the security group rules, the NIC rejects all other ingress flows and allows all other egress flows by default. You can modify this default policy to flexibly control the flows that are not denied by security groups.
Starting from ZStack Cloud 4.7.21, a load balancer can redirect all flows accessing an HTTP listener to an HTTPS listener to process. With this feature aligning with the trend of increasing HTTPS websites that help ensure the business security, users can conveniently access an HTTPS website without having to remember its HTTPS URL clearly.
In earlier versions, smart NIC has been made compatible with the H76C system. Starting from ZStack Cloud 4.7.21, smart NIC becomes compatible with the H79C system. You can now use smart NICs on a H76C-based as well as a H79C-based platform to improve network performance.
Back to Top
Email Us
contact@zstack.ioEmail Us
contact@zstack.ioEmail Us
contact@zstack.ioThe download link is sent to your email address.
If you don't see it, check your spam folder, subscription folder, or AD folder. After receiving the email, click the URL to download the documentation.Thank you for using ZStack products and services.
Submit successfully.
We'll connect soon.Thank you for using ZStack products and services.
