Network address groups

A network address group (NAG) is a collection of one or more external network address ranges, such as Classless Inter-Domain Routing (CIDRs), that are not directly related to provisioned network resources in your Power Virtual Server workspace. NAGs are used to categorize external network address ranges, such as those accessible over Transit Gateway or natively by PER, such as IBM Cloud Private endpoints.

NAGs are used as reference points in NSG rules to simplify NSG implementation by grouping multiple external IP addresses, subnets, or virtual network segments under a single entity (NAG). Instead of listing multiple IP addresses or subnets in an NSG security rule, you can refer to a NAG to apply the same rule to all addresses in that group.

Using NAGs provide the following benefits:

• Simplifies management of NSG rules for external network addresses
• Reduces complexity when you apply security policies across multiple addresses
• Improves scalability, as you can add new IP addresses, subnets, or virtual network segments to an NAG without modifying the NSG rules

Members

Members are one or more network interfaces that are provisioned in your Power Virtual Server workspace. A network interface can be identified by either its Ethernet MAC address or IPv4 address. The same network interface must not be added as a member to two different NSGs, one using the MAC address and the other using the IPv4 address. Doing so can lead to unexpected behavior.

NSGs are a collection of members and security rules. For more information, see rules.

An NSG member can only be associated with a single NSG. A provisioned network resource cannot belong to multiple NSGs concurrently.

Rules

Rules or security rules define the inbound network traffic that is allowed or denied from reaching members of an NSG. By default, all inbound network traffic is denied and does not reach any member of an NSG unless security rules are explicitly defined. To learn more about defining rules to allow inbound traffic, see Creating a new rule on an NSG.

All outbound traffic is automatically allowed.

Rules evaluation order

The order in which a rule identifies inbound network traffic to be allowed or denied depends on the following key factors:

• Deny rules are always evaluated first and take the highest precedence. If a Deny rule matches the traffic, the traffic is immediately blocked and the evaluation stops, regardless of any existing Allow rules.

• The system processes allow rules only after it completes processing deny rules. If no Deny rules are matched, the system proceeds to evaluate the Allow rules.

• If multiple Allow rules overlap, the first matching rule in the list is respected and applied. Overlapping rules do not cause conflicts. For example,

  • Rule A: Allow TCP All.

  • Rule B: Allow TCP Port 22.

    Result: Either rule might be applied, depending on which rule is matched first.

• Traffic that does not match any Allow rules is denied by default, following the implicit Deny rule.

NAG precedence in traffic matching

Review the following information to understand how inbound network traffic is matched to NAGs:

• Inbound network traffic is matched to the most specific CIDR in any custom NAGs. When Allow or Deny rules for an NAG is evaluated, the source IP address is matched against the most specific CIDR in a custom NAG and not the default NAG (0.0.0.0/0).

• If a source IP falls in a more specific NAG, it must have an explicit NSG rule allowing network traffic from that NAG.

• If a more specific CIDR exists in a custom NAG, relying on the default NAG (0.0.0.0/0) does not allow inbound traffic.

For example, consider a remote system and a custom NAG with the following configuration:

• Remote system with the IP address 10.55.55.2.
• Existing custom NAG with the CIDR 10.55.55.0/24.

To allow traffic from 10.55.55.2, an NSG rule must explicitly allow traffic from the custom NAG (10.55.55.0/24). This traffic does not match against the default NAG (0.0.0.0/0).

For more information about working with NAGs, see Creating and managing NAGs in a workspace.

Enabling or disabling NSG in a workspace

You can enable or disable the NSG feature in PER and enhanced CRN-enabled workspaces. However, you cannot enable NSG on previous, manual, VPN, or Cloud Connection workspaces.

To determine whether your Power Virtual Server workspace has the prerequisites to support NSGs, run the following IBM Cloud CLI command:

ibmcloud resource service-instance <WORKSPACE_CRN> -o json

Verify that the resourceCRNs property is present and its value is set to true:

"extensions": {
            "resourceCRNs": true
        },

To enable or disable the NSG feature on an existing workspace, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace on which you want to enable or disable the NSG feature. The "Workspace details" panel is displayed.

4. Set the Network security groups switch to Enabled or Disabled.

When the NSG feature is enabled on a workspace, a default NSG is automatically created containing members of any existing NIC attachments in the workspace with two rules. The first rule allows all bidirectional communication (Protocol=ALL) from other members in the “default” NSG. The second rule allows all bidirectional communication (Protocol=ALL) with the “default” NAG (0.0.0.0/0 network CIDR outside of the workspace).

Before you disable the network security groups feature on a workspace, you must delete all the existing NSGs and NAGs, except the NSG and NAG that are tagged as Default.

The default rules can be deleted to achieve complete isolation between members in the same NSG, as well as from external addresses. When the default rules are deleted, all inbound traffic is denied by default. To delete these rules, complete the steps that are listed in the Deleting rules from an existing NSG section.

Creating and managing NSGs in a workspace

You can create an NSG in your workspace either with the default configuration without defining any rules or members added to it, or you can create an NSG with inbound rules defined and members added during the NSG creation.

Creating an NSG with the default configuration

When you create an NSG in your workspace, you are not required to mandatorily define security rules or add members to the NSG. However, after an NSG is created with default settings, you can add rules and members to it later.

By default, all inbound network traffic is denied and does not reach any member of the network security group. To create an NSG with default configuration, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace in which you want to create the NSG. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Click Create network security group. The "Create network security group" page is displayed.

7. In the General section, enter a name for the network security group in the Name field and click Continue.

8. To define Inbound security rules and add Members to the NSG later, click Continue > Finish > Create.

Creating an NSG with inbound rules and members

To allow or deny inbound traffic, inbound rules must be explicitly defined. To create and define an NSG with inbound rules and members, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace in which you want to create the NSG. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Click Create network security group. The "Create network security group" panel is displayed.

7. In the General section, enter a name for the network security group in the Name field and click Continue.

8. In the Inbound rules (optional) section, click Create rule. The "Create rule" panel is displayed.

9. Select any of the following actions:

   • Allow: Use this option to allow network traffic from the specified Remote.
   • Deny: Use this option to create traffic exceptions by overriding the allow rules.

10. Select one of the following protocols based on the type of traffic that you want to control:

    • Transmission Control Protocol (TCP): Ideal for reliable, connection-oriented traffic such as web (HTTP/HTTPS), SSH, RDP, FTP, and databases. This protocol guarantees that all sent packets reach the destination and in the correct order.

    • User Datagram Protocol (UDP): Ideal for real-time communication, fast, and connection-less traffic such as DNS, VoIP, network monitoring, video streaming, and gaming. This protocol does not guarantee delivery, order, or error correction.

    • Internet Control Message Protocol (ICMP): Ideal for network diagnostics such as ping and traceroute. Unlike TCP or UDP, ICMP does not support data transmission between applications.

    • Any: Ideal for creating rules that apply to any protocol over a specific port or a set of ports. However, this option does not provide control over specific protocol-based security.

11. Depending on the protocol that you select from the list in the previous step, complete the following steps:

    • TCP

      1. Remote: Select a network security group or network address group to allow or deny traffic for the rule. If the network address group that you want is unavailable, click Create network address group to create one.

      2. Source port range: Specify the range of ports from which the inbound traffic originates from. The valid range is 1–65535.

      3. Destination port range: Specify the range of ports on which the inbound traffic is received. The valid range is 1–65535.

      4. Allowed/Denied flags: You can use the Advanced option to select one or more TCP flags from the list. Supported flags are:

         • ack
         • fin
         • rst
         • syn

    • UDP

      1. Remote: Select a network security group or network address group to allow or deny traffic for the rule. If you do not see the network address group that you want, click Create network address group to create one.

      2. Source port range: Specify the range of ports from which the inbound traffic originates. The valid range is 1–65535.

      3. Destination port range: Specify the range of ports on which the inbound traffic is received. The valid range is 1–65535.

    • ICMP

      1. Remote: Select a network security group or network address group to allow or deny traffic for the rule. If the network address group that you want is unavailable, click Create network address group to create one.

      2. ICMP Message type: Select the required message type from the list. Supported types are:

         • all
         • echo
         • echo-reply
         • source-quench
         • time-exceeded
         • destination-unreach

    • Any

      1. Remote: Select a network security group or network address group to allow or deny traffic for the rule. If the network address group that you want is unavailable, click Create network address group to create one.

12. Click Create rule.

13. Click Continue to add members to the NSG.

14. In the Members (optional) section, click Add member. All the existing virtual server instances that are part of the workspace is listed. If you do not see any virtual servers listed, you can create one by competing the steps that are provided at Creating an IBM Power Virtual Server.

    Adding members to a network security group allows you to control inbound network traffic to these members. A member can only be associated with one network security group at a time.

15. Select the virtual server instance and click Next. A list of network interfaces that belong to the virtual server instance is displayed.

16. Select one or more network interfaces from the list and click Add member.

17. Click Finish.

18. Click Create. You can find the NSG that you created listed on the Network security groups tab.

After the NSGs are created, you can manage them by performing the following actions:

• Renaming an NSG
• Cloning an NSG
• Deleting an NSG

Renaming an NSG

To rename an NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NSG to rename. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Click the overflow menu (icon with 3 vertical dots) on the NSG entry that you want to rename and select Edit. The "Edit network security group details" panel is displayed.

7. Enter a new name for the NSG in the Name field and click Save.

Cloning an NSG

When you clone an NSG, a new network security group is created with the same rules and member configurations as the original NSG from which it was cloned. To clone an NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NSG to be cloned. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Click the overflow menu (icon with 3 vertical dots) on the NSG entry that you want to clone and select Clone. The "Clone network security group" dialog is displayed.

7. Enter a name for the NSG in the Name field and click Clone.

Deleting an NSG

You can delete the NSGs that you have created. However, you cannot delete the default NSG that is created when the NSG feature is enabled on a Power Virtual Server workspace.

You cannot delete an NSG or NAG until all the associated rules and members are removed. For more information, see Deleting rules from an existing NSG and Removing members from an NSG.

To delete a NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NSG to delete. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups page" is displayed with a list of the existing NSGs on the Network security groups tab.

6. Click the overflow menu (icon with 3 vertical dots) on the NSG entry that you want to delete and select Delete. The "Delete network security group" confirmation message box appears.

7. Click Delete to initiate the deletion request. This action cannot be undone.

When you delete a Power Virtual Server workspace, all NSGs in that workspace are also deleted.

Creating and managing NAGs in a workspace

NAGs form a part of the inbound rules that defines inbound traffic from network addresses external to your Power Virtual Server workspace to members of an NSG. Since NAGs are used to identify network traffic that is external to the Power Virtual Server workspace, you can create NAGs in your workspace and add CIDR members to it. You can create up to 10 NAGs in a single workspace.

To create an NAG, complete the following steps:

1 Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace in which you want to create the NAG. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed.

6. Select the Network address groups tab. A list of the existing NAGs is displayed.

7. Click Create network address group. The "Create network address group" panel is displayed.

8. Enter a name in the Name field for the NAG. Optionally, you can provide user tags in the User tags (optional) field.

9. Optionally, you can use the CIDR field to add members by adding external IP addresses through CIDR. Note that the same CIDR cannot be used in more than one NAG. Follow these guidelines for adding members using CIDR:

   • You must use a CIDR notation that is defined in RFC 1518 and RFC 1519 documents.
   • The valid CIDR format is <IPv4 address>/<number>. For example, 192.168.1.0/24 represents the IP range of 192.168.1.0 — 192.168.1.255 and 10.0.0.0/16 represents the IP range of 10.0.0.0—10.0.255.255.
   • Click Add another to add more members.

   You cannot add more than three members when creating an NAG. More members can be added after the NAG is created.

   Besides customer-defined NAGs, a default NAG is available for convenience consisting of the 0.0.0.0/0 CIDR.

   CIDR 161.26.0.0/16 can be used to identify IBM Cloud IaaS private endpoints such as DNS, Linux® software repositories, and NTP. CIDR 166.8.0.0/14 can be used to identify IBM Cloud PaaS private endpoints such as IBM Cloud Databases.

10. Click Create group.

After the NAGs are created, you can manage them by performing the following actions:

• Renaming an NAG
• Deleting an NAG

Renaming an NAG

To rename an NAG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NAG to rename. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups.

6. Select the Network address groups tab. A list of the existing NAGs is displayed.

7. Click the overflow menu (icon with 3 vertical dots) on the far right of the NAG entry that you want to rename and select Edit. The "Edit network address group details" panel is displayed.

8. Enter a new name for the NAG and click Save.

Deleting an NAG

To delete an NAG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NAG to be deleted. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups.

6. Select the Network address groups tab. A list of the existing NAGs is displayed.

7. Click the overflow menu (icon with 3 vertical dots) on the NAG entry that you want to delete and select Delete. The "Delete network address group" confirmation message box appears.

8. Click Delete to initiate the deletion request. This action cannot be undone.

Creating and managing inbound rules in an NSG

You can manage inbound security rules in an NSG by performing the following operations:

• Creating a rule on an NSG
• Cloning rules on an existing NSG
• Deleting rules from an existing NSG

Creating a rule on an NSG

Rules can be created on NSGs at two points. First, when you are initially creating an NSG, and second, at a later point by revisiting the Network security group details page of an existing NSG. To create rules on NSGs when you are creating the NSG, complete the steps provided in the Creating an NSG with inbound rules and members section.

NSGs are stateless, and since all outbound traffic is automatically permitted, rules must be defined for all return packet that flows into NSG members from other NSGs or NAGs.

To create rules on an existing NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NSG in which you want to create rules. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Select the NSG in which you want to create the rule. The "Network security group details" page is displayed.

7. In the Inbound rules section, click Create rule. The "Create rule" panel is displayed.

8. Complete the steps provided in the Creating an NSG with inbound rules and members section.

Cloning rules on an existing NSG

To create an inbound rule with the same configuration as an existing inbound rule, you can clone the rules of an existing NSG. Note that only the rules in an NSG can be cloned and not the members. When you clone an existing rule, all properties such as action (allow or deny), protocol, remote, and source and destination port ranges, are copied to the new rule. The cloning process ensures that all rules in an NSG are transferred when a member is moved from one NSG to another.

You can also customize the cloned properties of a rule to create a different rule efficiently and quickly. To clone an existing rule, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NSG with the rules that you want to clone. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The 'Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Select the NSG that contains the rule that you want to clone. The "Network security group details" page of the selected NSG is displayed.

7. In the Inbound rules section, select the tab (TCP, UDP, ICMP, or Any) which contains the rule to be cloned.

8. Click the overflow menu (icon with 3 vertical dots) on the rule entry that you want to clone and select Duplicate. The "Create rule" panel is displayed.

9. Click Create rule. The new rule is created with the exact same configuration. You can also create a rule with different configurations by making the necessary changes before you click Create rule.

Deleting rules from an existing NSG

To delete a rule from an existing NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NSG with the rule that you want to delete. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Select the NSG with the rule that you want to delete. The "Network security group details" page of the selected NSG is displayed.

7. In the Inbound rules section, select the tab (TCP, UDP, ICMP, or Any) which contains the rule to delete.

8. Click the overflow menu (icon with 3 vertical dots) on the rule entry that you want to clone and select Delete. The "Delete network security group rule" confirmation message box appears.

9. Click Delete to initiate the deletion request. This action cannot be undone.

Adding members to an NSG and managing them

You can manage members that are associated with an NSG by performing the following operations:

• Adding members to a network security group
• Moving members from one NSG to another NSG
• Removing members from a network security group

Adding members to a network security group

You can add members to an NSG to control the inbound network traffic to the associated network interfaces.

Members can be added at two points. First, when you are initially creating an NSG, and second, at a later point by revisiting the Network security group details page of an existing NSG. To add members to an NSG when you are creating it, complete the steps provided in the Creating an NSG with inbound rules and members section.

To add members to an existing NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of existing workspaces.

3. Select the workspace that contains the NSG for adding members. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Select the NSG to which you want to add members. The "Network security group details" page of the selected NSG is displayed.

7. In the Members section, click Add member. Existing virtual server instances that are part of the workspace is listed. If virtual servers are not listed, you can create a virtual server by completing the steps provided at Creating an IBM Power Virtual Server.

   A member can only be associated with one network security group at a time.

8. Select the virtual server instance and click Next. All the existing network interfaces that are part of the virtual server instance are displayed.

9. Select one or more network interfaces from the list and click Add member.

10. Click Create.

Moving members from one NSG to another NSG

You can use the Move option to transfer members from one NSG to another NSG in some of the following situations:

• Security policy changes: When security policies or requirements evolve and you need to apply updated rules to specific members without affecting other members in the original NSG.

• Environment segmentation: When you want to isolate certain members during network reconfiguration or restructuring, such as separating development, staging, and production environments. You can move members to different NSGs to achieve member isolation and meet compliance or operational requirements.

• Access control adjustments: When a member requires access to a different set of services or external networks. You can move the member to a new NSG with appropriate rules to ensure the required connectivity and permissions.

• Incident response and troubleshooting: When you respond to cybersecurity incidents or troubleshoot connectivity issues. You can move the affected member to a more restrictive or isolated NSG to contain the security threat and safely test network behavior.

When you move a network interface (member) from one network security group to another, the change is applied instantly and does not require approval. After the member is successfully moved and associated with the new NSG, the rules of the new NSG take effect immediately.

To move a member from one NSG to another NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of the existing workspaces.

3. Select the workspace that contains the NSG from which you want to move the members. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Select the NSG from which you want to move the members. The "Network security group details" page of the selected NSG is displayed.

7. In the Members section, click the overflow menu (icon with 3 vertical dots) on the member entry that you want to move and select Move. The "Move network interface" dialog is displayed.

8. From the Target network security group list, select the NSG to which you want to move the member.

9. Click Move network interface.

Removing members from an NSG

To remove members that are associated with an NSG, complete the following steps:

1. Open the Power Virtual Server user interface in IBM Cloud.

2. Click Workspaces in the navigation panel. The Workspaces page is displayed with a list of the existing workspaces.

3. Select the workspace that contains the NSG from which you want to remove the members. The "Workspace details" panel is displayed.

4. Click View virtual servers.

5. In the navigation panel, click Networking > Network security groups. The "Network security groups" page is displayed with a list of the existing NSGs on the Network security groups tab.

6. Select the NSG from which you want to remove the members. The "Network security group details" page of the selected NSG is displayed.

7. In the Members section, click the delete icon against the member entry that you want to remove from the NSG. The "Delete network security group member" confirmation message box appears.

8. Click Delete to initiate the deletion request. This action cannot be undone.

When you remove a network interface or a subnet that is attached to a VM, the NIC is also detached from all associated NSGs.