Help Center> Virtual Private Cloud> User Guide> Security> Security Group> Adding a Security Group Rule
View PDF

Adding a Security Group Rule

Scenarios

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic or outbound traffic. After ECSs are added to the security group, they are protected by the rules of that group.

  • Inbound rules control incoming traffic to ECSs associated with the security group.
  • Outbound rules control outgoing traffic from ECSs associated with the security group.

For details about the default security group rules, see Default Security Groups and Security Group Rules. For details about security group rule configuration examples, see Security Group Configuration Examples.

Prerequisites

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Network, click Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Security Groups.
  5. On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
  6. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.
    You can click + to add more inbound rules.
    Figure 1 Add Inbound Rule
    Table 1 Inbound rule parameter description

    Parameter

    Description

    Example Value

    Protocol & Port

    Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.

    TCP

    Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. For common ports, see Common Ports Used by ECSs.

    22, or 22-30

    Type
    The IP address type. This parameter is available after the IPv6 function is enabled.
    • IPv4
    • IPv6

    IPv4

    Source
    The source of the security group rule. The value can be a single IP address, an IP address group, or a security group to allow access from the IP address or instances in the security group. For example:
    • xxx.xxx.xxx.xxx/32 (IPv4 address)
    • xxx.xxx.xxx.0/24 (IP address range)
    • 0.0.0.0/0 (all IP addresses)
    • sg-abc (security group)

    For more information about IP address groups, see IP Address Group Overview.

    0.0.0.0/0

    Description

    Supplementary information about the security group rule. This parameter is optional.

    The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    N/A
  7. On the Outbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.
    You can click + to add more outbound rules.
    Figure 2 Add Outbound Rule
    Table 2 Outbound rule parameter description

    Parameter

    Description

    Example Value

    Protocol & Port

    Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.

    TCP

    Port: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535. For common ports, see Common Ports Used by ECSs.

    22, or 22-30

    Type
    The IP address type. This parameter is available after the IPv6 function is enabled.
    • IPv4
    • IPv6

    IPv4

    Destination
    The destination of the security group rule. The value can be a single IP address, an IP address group, or a security group to allow access to the IP address or instances in the security group. For example:
    • xxx.xxx.xxx.xxx/32 (IPv4 address)
    • xxx.xxx.xxx.0/24 (IP address range)
    • 0.0.0.0/0 (all IP addresses)
    • sg-abc (security group)

    For more information about IP address groups, see IP Address Group Overview.

    0.0.0.0/0

    Description

    Supplementary information about the security group rule. This parameter is optional.

    The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    N/A
  8. Click OK.

Verification

After required security group rules are added, you can verify that the rules take effect. For example, you have deployed a website on ECSs. Users need to access your website over TCP (port 80), and you have added the security group rule shown in Table 3.

Table 3 Security group rule

Direction

Protocol

Port

Source

Inbound

TCP

80

0.0.0.0/0

Linux ECS

To verify the security group rule on a Linux ECS:

  1. Log in to the ECS.
  2. Run the following command to check whether TCP port 80 is listened: 
    netstat -an | grep 80

    If command output shown in Figure 3 is displayed, TCP port 80 is listened.

    Figure 3 Command output for the Linux ECS
  3. Enter http://ECS EIP in the address box of the browser and press Enter.

    If the requested page can be accessed, then the security group rule has taken effect.

Windows ECS

To verify the security group rule on a Windows ECS:

  1. Log in to the ECS.
  2. Choose Start > Accessories > Command Prompt.
  3. Run the following command to check whether TCP port 80 is listened: 
    netstat -an | findstr 80

    If command output shown in Figure 4 is displayed, TCP port 80 is listened.

    Figure 4 Command output for the Windows ECS
  4. Enter http://ECS EIP in the address box of the browser and press Enter.

    If the requested page can be accessed, then the security group rule has taken effect.

Related Operations

Allow Common Ports

You can click Allow Common Ports to allow traffic on some common ports, such as port 21, 22, 3389, 80, 443, and 20.

Figure 5 Allow Common Ports

Helpful Links

Parent topic: Security Group