Security Groups

The management and datapath security groups are associated with the respective interfaces on the Multicloud Defense Gateway instance, as described in the subnets section above.

The management security group must allow outbound traffic that allows the gateway instance to communicate with the controller. Optionally, for inbound rules, enable port 22 (SSH) to allow SSH access to the gateway instance. SSH is not mandatory for the Multicloud Defense Gateway to function properly.

The datapath security group is attached to the datapath interface and allows traffic from the Internet to the Multicloud Defense Gateway. Currently the Multicloud Defense Controller does not manage this security group. An outbound rule must exist, allowing the traffic to egress this interface. Inbound ports must be opened for each port that is configured in the Multicloud Defense Controller security policy and used by the Multicloud Defense Gateway.

For example, if an application is running on port 3000 and is proxied by the Multicloud Defense Gateway on port 443, port 443 must be opened on the datapath security group. This example also implies that port 3000 is open on the security group attached to your application.