Updated on 2025-09-12 GMT+08:00

Does the Security Group of a VPC Affect the Use of SFS Turbo?

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect ECSs that are added to this security group. The default security group rule allows all outgoing data packets. ECSs in a security group can access each other without the need to add rules. The system creates a security group for each cloud account by default. You can also create custom security groups.

For an SFS Turbo file system, the system automatically enables the security group ports required by NFS after the file system is created. This ensures that the SFS Turbo file system can be successfully mounted to your servers. The inbound ports required by NFS are ports 111, 2049, 2051, 2052, and 20048. The inbound port required by SMB is port 445. If you need to change the enabled ports, go to the VPC console, choose Access Control > Security Groups, locate the target security group, and change the ports. You are advised to use an independent security group for an SFS Turbo file system to isolate it from service nodes.

Example Configuration

  • Inbound rule

    | Direction | Protocol | Port Range | Source IP Address | Description |
    |---|---|---|---|---|
    | Inbound | TCP and UDP | 111 | IP Address: 0.0.0.0/0 (All IP addresses are allowed. It can be modified.) | One port corresponds to one access rule. You need to add rules for the ports one by one. |

  • Outbound rule

    | Direction | Protocol | Port Range | Source IP Address | Description |
    |---|---|---|---|---|
    | Outbound | TCP and UDP | 111 | IP Address: 0.0.0.0/0 (All IP addresses are allowed. It can be modified.) | One port corresponds to one access rule. You need to add rules for the ports one by one. |

    Enter an IP address range using a mask. For example, enter 192.168.1.0/24, and do not enter 192.168.1.0-192.168.1.255. If the source IP address is 0.0.0.0/0, all IP addresses are allowed. For more information, see Security Groups and Security Group Rules.

    A bidirectional access rule must be configured for port 111. You can configure the IP address range of the SFS Turbo frontend service as the inbound rule. Run ping <file-system-domain-name-or-IP-address> or dig <file-system-domain-name-or-IP-address> to obtain the IP address range.

    Add outbound rules for ports 445, 2049, 2051, 2052, and 20048 that match the outbound rule for port 111.

    If NFS is used, add inbound rules for the following ports: 111 (TCP and UDP), 2049 (TCP and UDP), 2051 (TCP), 2052 (TCP), and 20048 (UDP and TCP). If UDP is not enabled on ports 2049 and 20048, mounting the file system may take a long time. You can use the -o tcp option in the mount command to avoid this issue.

    If SMB is used, add an inbound rule for port 445 (TCP).
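The following added example (not part of the original page and not Huawei Cloud code) audits a rule set against the requirements listed above: missing NFS or SMB inbound ports, a missing outbound rule for port 111, inbound sources left at 0.0.0.0/0, and addresses entered as a range instead of with a mask. The rule dictionary shape and the sample rules are assumptions constructed for illustration; no cloud API is called.

```python
import ipaddress

# Inbound (port, protocol) pairs required per share type, as listed on this page.
REQUIRED = {
    "nfs": {(111, "tcp"), (111, "udp"), (2049, "tcp"), (2049, "udp"),
            (2051, "tcp"), (2052, "tcp"), (20048, "tcp"), (20048, "udp")},
    "smb": {(445, "tcp")},
}

def audit(rules, share="nfs"):
    """Audit rule dicts (hypothetical shape: direction, protocol, port, cidr)."""
    seen = {"inbound": set(), "outbound": set()}
    open_to_all, bad_cidr = [], []
    for r in rules:
        try:
            net = ipaddress.ip_network(r["cidr"], strict=False)
        except ValueError:
            # Not mask notation (for example a dash range): the rule is not counted.
            bad_cidr.append(r["cidr"])
            continue
        key = (r["port"], r["protocol"])
        seen[r["direction"]].add(key)
        if r["direction"] == "inbound" and net.prefixlen == 0:
            open_to_all.append(key)  # source is 0.0.0.0/0; candidate for narrowing
    port_111 = {(111, "tcp"), (111, "udp")}  # page: port 111 must be bidirectional
    return {
        "missing_inbound": sorted(REQUIRED[share] - seen["inbound"]),
        "missing_outbound_111": sorted(port_111 - seen["outbound"]),
        "open_to_all": sorted(open_to_all),
        "bad_cidr": bad_cidr,
    }

# Constructed sample rule set, not exported from any real account.
SAMPLE = [
    {"direction": "inbound", "protocol": "tcp", "port": 111, "cidr": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "udp", "port": 111, "cidr": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "port": 2049, "cidr": "192.168.1.0/24"},
    {"direction": "inbound", "protocol": "tcp", "port": 2051, "cidr": "192.168.1.0/24"},
    {"direction": "inbound", "protocol": "tcp", "port": 2052, "cidr": "192.168.1.0/24"},
    {"direction": "inbound", "protocol": "tcp", "port": 20048,
     "cidr": "192.168.1.0-192.168.1.255"},
    {"direction": "outbound", "protocol": "tcp", "port": 111, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(name, value)
```

On the sample, the missing UDP rules for ports 2049 and 20048 correspond to the slow-mount case described above, and the port 111 rules open to 0.0.0.0/0 are the ones to narrow to the SFS Turbo frontend address range.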