cloudfoundry / bosh-alicloud-cpi-release

BOSH Alibaba CPI
Apache License 2.0

Attaching Security Groups via VM Extension #38

Closed scult closed 5 years ago

scult commented 6 years ago

Hi Guimin,

attaching security groups to VMs via VM extensions doesn't seem to work anymore. Could this have something to do with the new feature to disable inner access? I am fairly sure that it was working during my previous tests.

Can you please take a look?

CPI Version: 18

Example from my cloud config:

vm_extensions:
- cloud_properties:
    security_groups: [sg-uf6i0wd4ev0nm3a9r6bb]
  name: consul-server

xiaozhu36 commented 6 years ago

Hi @scult, you should use "security_group_ids", not "security_groups", and you can refer to: https://github.com/cloudfoundry/cf-deployment/blob/master/iaas-support/alicloud/cloud-config.yml#L79

scult commented 6 years ago

Thanks for the quick reply @xiaozhu36. I've changed "security_groups" to "security_group_ids", but the behavior is still the same: only the security group defined in the networks block is attached to the VM, not the security group defined as a VM extension.

Updated cloud config:

vm_extensions:
- cloud_properties:
    security_group_ids: [sg-uf6i0wd4ev0nm3a9r6bb]
  name: consul-server

xiaozhu36 commented 6 years ago

Hi @scult, at present the CPI does not support configuring security groups in the vm_extensions, and they can be set in networks. Does the networks configuration meet your requirements?

scult commented 6 years ago

Hi @xiaozhu36, I'll paste my answer from Slack here as well, just so it doesn't get lost:

Assigning them via networks isn’t enough. Take a CF deployment for example, most of the VMs are in the same network, but the ports that need to be opened vary between different jobs, so we would need VM extensions to assign different security groups to the different jobs.

xiaozhu36 commented 6 years ago

Hi @scult, the latest CPI release 19 has fixed this issue, please check that.
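
A pre-deploy check for the two failure modes in this thread, the misnamed `security_groups` key and a CPI release older than 19 that attaches only the network's group, written as an added example that is not part of the thread or of the CPI project. The function name, the sample config with its placeholder `sg-` IDs, and the policy of rejecting an empty list are assumptions of this example.

```ruby
require 'yaml'

# Constructed sample cloud config; the sg- IDs are placeholders, not real groups.
SAMPLE_CLOUD_CONFIG = <<~YAML
  vm_extensions:
  - name: consul-server
    cloud_properties:
      security_groups: [sg-placeholder0001]
  - name: router
    cloud_properties:
      security_group_ids: [sg-placeholder0002]
  - name: no-groups
    cloud_properties:
      security_group_ids: []
YAML

FIXED_IN_RELEASE = 19 # per the thread: release 19 fixed vm_extensions security groups

# Hypothetical helper: returns [extension_name, severity, message] findings.
def lint_vm_extensions(yaml_text, cpi_release:)
  config = YAML.safe_load(yaml_text) || {}
  findings = []
  Array(config['vm_extensions']).each do |ext|
    next unless ext.is_a?(Hash)
    name  = ext['name'] || '(unnamed)'
    props = ext['cloud_properties'].is_a?(Hash) ? ext['cloud_properties'] : {}
    # Key named in the first cloud config of the thread; the maintainer's reply corrects it.
    if props.key?('security_groups')
      findings << [name, :error, 'uses "security_groups"; the key is "security_group_ids"']
    end
    next unless props.key?('security_group_ids')
    ids = props['security_group_ids']
    # Assumption of this example: an empty or non-string list is treated as a mistake.
    unless ids.is_a?(Array) && !ids.empty? && ids.all? { |id| id.is_a?(String) && !id.empty? }
      findings << [name, :error, '"security_group_ids" must be a non-empty list of IDs']
      next
    end
    # Behaviour reported in the thread for release 18: only the network's group is attached.
    if cpi_release < FIXED_IN_RELEASE
      findings << [name, :warning, "CPI release #{cpi_release} attaches only the network's group"]
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  lint_vm_extensions(SAMPLE_CLOUD_CONFIG, cpi_release: 18).each do |name, sev, msg|
    puts "#{sev.to_s.upcase} #{name}: #{msg}"
  end
end
```

Running it against the cloud config before `bosh update-cloud-config` surfaces an extension whose group would not be attached, rather than finding out from the VM's effective rules after deployment.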