Security Group Overview
Security Group
A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted within a VPC. After you create a security group, you can add access rules to it; these rules apply to every ECS that the security group contains.
Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between ECSs in the group. ECSs in this security group can already communicate with each other without any additional rules, so you can use the default security group directly. For details, see Default Security Groups and Security Group Rules.
You can also create custom security groups to meet your specific service requirements. For details, see Creating a Security Group.
Security Group Basics
- Instances, such as servers and extension NICs, can be associated with one or more security groups.
You can change the security groups that are associated with instances, such as servers or extension NICs. By default, when you create an instance, it is associated with the default security group of its VPC unless you specify another security group.
- Security group rules need to be added to allow instances in the same security group to communicate with each other.
Only an IPv4 address with the /32 prefix length or an IPv6 address with the /128 prefix length can be specified when you add a security group rule. For details about how to change the security group for an instance, see Adding Instances to and Removing Them from a Security Group.
- Security groups are stateful. If you send a request from your instance and the outbound traffic is allowed, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
Security groups use connection tracking to follow the traffic to and from the instances they contain, and security group rules are applied based on the connection status of the traffic to decide whether it is allowed or denied. If a security group rule is added, deleted, or modified, or an instance in the security group is created or deleted, the connection tracking of all instances in the security group is automatically cleared. After that, the instances' inbound and outbound traffic is treated as new connections and must match the inbound or outbound security group rules again, so that rule changes take effect immediately and incoming traffic is re-evaluated.
In addition, if the inbound or outbound traffic of an instance carries no packets for a long time, its connection tracking entry times out; traffic after that is treated as new connections and must match the inbound and outbound rules again. The timeout period of connection tracking depends on the protocol:
- TCP connection in the established state: 600s
- ICMP connection: 30s
- Other protocols, packets received in both directions: 180s
- Other protocols, one or more packets received in one direction but none in the other: 30s
For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked.
If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs first. For details about VPC connectivity, see Application Scenarios.
Security Group Rules
After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic or outbound traffic. After ECSs are added to the security group, they are protected by the rules of that group.
A security group rule consists of:
- Source (inbound rule) or Destination (outbound rule): The value can be an IP address (such as 192.168.10.10/32), IP address range (such as 192.168.52.0/24), or a security group (such as sg-abc).
- Protocol & Port: The value of ports can be individual ports (such as 22), consecutive ports (such as 22-30), a mix of ports and port ranges (such as 20,23-30), or all ports (1-65535). The protocol can be TCP, UDP, HTTP, and others.
- Source: The value can be a single IP address, an IP address group, or a security group.
- Type: IPv4 or IPv6. This parameter is available after the IPv6 function is enabled.
- Description: Supplementary information about the security group rule.
Each security group has default rules. You can also customize security group rules. For details, see Adding a Security Group Rule.
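The rule components listed above and the stateful connection tracking described under Security Group Basics can be put together in a small model. The following Python code is an added example, not the provider's documentation or implementation: it parses port specs in the formats listed above (22, 22-30, 20,23-30, 1-65535), matches packets against rules whose source or destination is an IP address, a CIDR range or a security group, and keeps a connection-tracking table with the timeouts stated on this page. The `Packet`, `Rule` and `SecurityGroup` classes, the `sg-abc` membership table and all packet values are constructed for the example; the "any" protocol, applying the established-state timeout to every TCP entry, and tracking ICMP by IP address and protocol only are this example's assumptions, not statements from the page.

```python
import ipaddress
from dataclasses import dataclass

# Connection-tracking timeouts in seconds from the page, as (one direction seen, both directions seen).
# TCP uses the established-state value in both slots because the page states only that value (assumption).
TIMEOUTS = {"tcp": (600, 600), "icmp": (30, 30)}
OTHER_TIMEOUTS = (30, 180)   # protocols other than TCP and ICMP, e.g. UDP

def parse_ports(spec):
    """(low, high) ranges for a spec such as '22', '22-30', '20,23-30' or '1-65535'."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

@dataclass
class Packet:
    direction: str   # "inbound" (peer -> instance) or "outbound" (instance -> peer)
    protocol: str    # "tcp", "udp", "icmp" or another protocol name
    peer_ip: str
    local_port: int = 0
    peer_port: int = 0
    def flow_key(self):
        # Identical for both directions of a flow, so a reply is recognised as established.
        if self.protocol in ("tcp", "udp"):
            return (self.protocol, self.peer_ip, self.peer_port, self.local_port)
        return (self.protocol, self.peer_ip)  # page: other protocols track IP address + protocol only

@dataclass
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "any" ("any" is this example's own convention)
    ports: str       # port spec, used only for tcp/udp
    peer: str        # IP, CIDR or a security group name such as "sg-abc"
    def matches(self, pkt, sg_members):
        if pkt.direction != self.direction:
            return False
        if self.protocol != "any" and pkt.protocol != self.protocol:
            return False
        if self.protocol in ("tcp", "udp"):
            # Inbound rules check the instance's port, outbound rules the peer's port.
            port = pkt.local_port if self.direction == "inbound" else pkt.peer_port
            if not any(lo <= port <= hi for lo, hi in parse_ports(self.ports)):
                return False
        ip = ipaddress.ip_address(pkt.peer_ip)
        if self.peer.startswith("sg-"):
            # A security group as source/destination means any instance in that group.
            return any(ip == ipaddress.ip_address(m) for m in sg_members.get(self.peer, ()))
        return ip in ipaddress.ip_network(self.peer, strict=False)

class SecurityGroup:
    def __init__(self, rules, sg_members):
        self.rules = list(rules)
        self.sg_members = sg_members   # assumed mapping: group name -> member IPs
        self.conntrack = {}            # flow key -> (last_seen, set of directions seen)
    def add_rule(self, rule):
        self.rules.append(rule)
        self.conntrack.clear()         # page: any rule change clears tracking for all instances
    def evaluate(self, pkt, now):
        """Return 'allow' or 'deny' for a packet seen at time `now` (seconds)."""
        key = pkt.flow_key()
        if key in self.conntrack:
            last_seen, directions = self.conntrack[key]
            limit = TIMEOUTS.get(pkt.protocol, OTHER_TIMEOUTS)[len(directions) == 2]
            if now - last_seen <= limit:
                directions.add(pkt.direction)
                self.conntrack[key] = (now, directions)
                return "allow"         # stateful: an established flow bypasses the rule list
            del self.conntrack[key]    # timed out: treated as a new connection
        if any(rule.matches(pkt, self.sg_members) for rule in self.rules):
            self.conntrack[key] = (now, {pkt.direction})
            return "allow"
        return "deny"                  # no allow rule matched

def demo():
    """Constructed scenario; returns the decision for each labelled packet."""
    sg = SecurityGroup([
        Rule("inbound", "tcp", "22", "192.168.10.10/32"),   # SSH only from one admin host
        Rule("inbound", "tcp", "80,443", "0.0.0.0/0"),      # web ports from anywhere
        Rule("inbound", "any", "", "sg-abc"),               # anything from members of sg-abc
        Rule("outbound", "any", "", "0.0.0.0/0"),           # all outbound traffic
    ], sg_members={"sg-abc": ["10.0.0.5"]})
    steps = [  # (label, packet, time in seconds)
        ("ssh_in", Packet("inbound", "tcp", "192.168.10.10", 22, 51000), 0),
        ("ssh_reply", Packet("outbound", "tcp", "192.168.10.10", 22, 51000), 1),
        ("ssh_other_host", Packet("inbound", "tcp", "203.0.113.9", 22, 40000), 2),
        ("dns_out", Packet("outbound", "udp", "198.51.100.53", 53000, 53), 3),
        ("dns_reply", Packet("inbound", "udp", "198.51.100.53", 53000, 53), 4),
        ("sg_member_any_port", Packet("inbound", "tcp", "10.0.0.5", 8080, 33000), 5),
        ("dns_reply_late", Packet("inbound", "udp", "198.51.100.53", 53000, 53), 4 + 181),
    ]
    result = {label: sg.evaluate(pkt, now) for label, pkt, now in steps}
    sg.add_rule(Rule("inbound", "icmp", "", "0.0.0.0/0"))
    result["tracked_flows_after_rule_change"] = len(sg.conntrack)
    return result
```

Running `demo()` shows the stateful behaviour the page describes: the outbound DNS query is allowed by the outbound rule and its reply is allowed although no inbound UDP rule exists, the same reply arriving after the 180s bidirectional timeout is denied because it is now a new connection, and adding a rule empties the tracking table so every flow must match the rules again.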
Security Group Template
You can select one of the following security group templates provided by the system to quickly create a security group with default rules.
- General-purpose web server: The security group that will be created using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389.
- All ports open: The security group that will be created using this template includes default rules that allow inbound traffic on any port. Allowing inbound traffic on any port may pose security risks.
- Custom: The security group that will be created using this template includes default rules that deny inbound traffic on any port. You can add or modify security group rules as required after the security group is created.
Security Group Configuration Process
Security Group Constraints
- By default, you can create up to 100 security groups in your cloud account.
- By default, each security group can have up to 50 security group rules.
- By default, an ECS or an ECS extension NIC can be added to a maximum of five security groups.
- A maximum of 20 instances can be added to a security group at a time.
- A security group can be associated with a maximum of 1000 instances.
Suggestions
When using a security group:
- Do not add all instances to the same security group if they have different isolation requirements.
- Creating a security group for each instance is not necessary. Instead, you can add instances with the same security requirements to the same security group.
- Simple security group rules are recommended. For example, if you add an instance to multiple security groups, the instance may be subject to hundreds of security group rules, and a change to any one of them may cause the instance to lose network connectivity.
- Before you modify a security group and its rules, clone the security group and modify the clone for connectivity testing, to avoid adverse impact on running services. For details, see Cloning a Security Group.
- When adding a security group rule for an instance, grant the minimum permissions possible. For example:
  - Open a specific port, for example, 22. It is not recommended that you open a port range, for example, 22-30.
  - It is not recommended that you enter 0.0.0.0/0 to allow traffic to or from all IP addresses.
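The least-privilege points above can be turned into a routine check on a group's rules. The following Python audit is an added example, not a tool provided with the product: it flags rules whose source or destination is 0.0.0.0/0 or ::/0, rules that open a port range instead of a single port, and a group whose rule count exceeds the default quota of 50 rules stated under Security Group Constraints. The rule dictionaries, their field names and the sample rule list are constructed for the example, and the severity labels are this example's own convention.

```python
import ipaddress

DEFAULT_RULE_QUOTA = 50   # page: default maximum number of rules per security group

def port_span(spec):
    """Number of ports a spec covers: '22' -> 1, '22-30' -> 9,
    '20,23-30' -> 9, '1-65535' -> 65535. An empty spec means all ports."""
    if not spec:
        return 65535
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def is_any_address(peer):
    """True for 0.0.0.0/0 or ::/0; False for a narrower range or a group name."""
    try:
        return ipaddress.ip_network(peer, strict=False).prefixlen == 0
    except ValueError:
        return False   # e.g. a security group such as sg-abc

def audit_rules(rules):
    """Return (severity, rule description, advice) tuples for rules that are
    wider than the least-privilege guidance on the page."""
    findings = []
    for r in rules:
        proto = r["protocol"].lower()
        span = port_span(r.get("ports", "")) if proto in ("tcp", "udp") else None
        desc = f"{r['direction']} {proto} {r.get('ports') or 'all'} {r['peer']}"
        if is_any_address(r["peer"]):
            # Several ports (or every port of a non-ICMP protocol) from anywhere is the worst case.
            wide = span > 1 if span is not None else proto != "icmp"
            findings.append(("HIGH" if wide else "MEDIUM", desc,
                             "open to all IP addresses; allow only the addresses that need access"))
        if span is not None and span > 1:
            findings.append(("MEDIUM", desc,
                             f"covers {span} ports; open the specific port needed (e.g. 22, not 22-30)"))
    if len(rules) > DEFAULT_RULE_QUOTA:
        findings.append(("INFO", f"{len(rules)} rules",
                         f"exceeds the default quota of {DEFAULT_RULE_QUOTA} rules per security group"))
    return findings

# Constructed sample rules (not a real group's configuration).
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "ports": "22", "peer": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": "22-30", "peer": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "icmp", "ports": "", "peer": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": "443", "peer": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": "22", "peer": "192.168.10.10/32"},
    {"direction": "inbound", "protocol": "tcp", "ports": "1-65535", "peer": "10.0.0.0/8"},
    {"direction": "inbound", "protocol": "tcp", "ports": "8080", "peer": "sg-abc"},
]

if __name__ == "__main__":
    for severity, desc, advice in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {desc}: {advice}")
```

On the sample list only the SSH rule restricted to 192.168.10.10/32 and the rule scoped to sg-abc pass cleanly; the 22-30 range open to 0.0.0.0/0 is the single HIGH finding, which matches the two examples the page gives of what not to do.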