Overview
Security Group
A security group is a collection of access control rules for instances, such as cloud servers, containers, and databases, that have the same security requirements and that trust each other within a VPC. You can define different access control rules for a security group, and these rules apply to all instances added to it.
When creating an instance (for example, a BMS), you must associate it with a security group. If no security group has been created yet, a default security group is created and associated with the instance. You can also create a security group based on service requirements and associate it with the instance. An instance can be associated with multiple security groups; traffic to and from the instance is matched against the rules of all of them in order of priority, from the highest priority (smallest value) to the lowest.
For example, consider ECS-A, which is associated with security group Sg-A:
- Sg-A has a custom inbound rule that allows ICMP traffic, so ping requests from your PC to ECS-A are allowed. However, Sg-A has no rule that allows SSH traffic, so you cannot remotely log in to ECS-A from your PC.
- ECS-A has an EIP bound and the outbound rule of Sg-A allows all outbound traffic, so ECS-A can access the Internet.
Security groups are free of charge.
Security Group Rules
- A security group has inbound and outbound rules to control traffic to or from instances associated with the security group.
- Inbound rules: control traffic to the instances in a security group.
- Outbound rules: control traffic from the instances in a security group to access external networks.
- You can specify information such as the protocol, port, source or destination for a security group rule. The following describes key information about a security group rule.
- Action: Allow or Deny. If the protocol, port, and source or destination of the traffic match a security group rule, the action defined in the rule is taken, and the traffic is allowed or denied.
- Priority: The value ranges from 1 to 100. A smaller value indicates a higher priority. Rules are matched in order of priority; among rules with the same priority, deny rules take precedence over allow rules.
- Type: IPv4 or IPv6.
- Protocol & Port: network protocol type and port range.
- Protocol: the protocol that is used to match traffic. The protocol can be TCP, UDP, ICMP, or GRE.
- TCP is ideal for applications that require reliable connections and high data integrity, such as remote login, web browsing, email, and file transfers.
- UDP is ideal for applications demanding high speed and low latency, such as online gaming and video meetings.
- ICMP is used to communicate data transmission problems. For example, the ping command can be used to check the connectivity between network devices, error reports can be generated for O&M, and diagnosis information can be transmitted for network analysis and optimization.
- GRE is a versatile protocol that can be used to encapsulate and transmit data from different network protocols, such as IP packets, for cross-network transmission.
- Port: the destination port range that is used to match traffic. The value ranges from 1 to 65535.
- Source or Destination: source address of traffic in the inbound direction or destination address of traffic in the outbound direction.
The source or destination can be an IP address, security group, or IP address group.
- IP address: an IPv4/IPv6 address or IPv4/IPv6 CIDR block, for example, 192.168.10.10/32 (IPv4 address), 192.168.1.0/24 (IPv4 CIDR block), or 2407:c080:802:469::/64 (IPv6 CIDR block).
- Security group: Within a region, if a rule in security group A allows or denies traffic from or to security group B over the private network, the rule applies to all instances in security group B. For example, if an inbound rule of security group A allows traffic from security group B, all instances in security group B can access all instances in security group A over the private network.
- IP address group: If you have multiple IP addresses with the same security requirements, you can add them to an IP address group and select this IP address group when you configure a rule. This makes access control management easier.
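The matching order described above (priority first, then deny over allow at the same priority, default deny when nothing matches, and a security group used as a source) is easy to get wrong when reading a long rule list. The following is an added example, not Huawei Cloud code: a toy evaluator that models the documented semantics so you can check how a given packet would be treated. The `sg:` source prefix, the `Sg-A`/`Sg-B` rule set and the sample traffic are constructed for illustration.

```python
"""Toy evaluator for the security group rule semantics described on this page.

Added example, not Huawei Cloud code. It models the documented behaviour:
inbound/outbound rules, priority 1-100 with 1 highest, deny beating allow at
the same priority, default deny when no rule matches, and a security group as
a rule source. Rule fields and sample traffic are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" or "outbound"
    action: str           # "allow" or "deny"
    priority: int         # 1..100, smaller value = higher priority
    protocol: str         # "tcp", "udp", "icmp", "gre" or "all"
    ports: Optional[str]  # e.g. "22", "80-82", "22,25,27"; None = all ports
    source: str           # CIDR ("0.0.0.0/0") or a security group ("sg:Sg-B")


def parse_ports(spec):
    """Expand '22-24,25,443' into a set of ports. None means all ports."""
    if spec is None:
        return None
    result = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        result.update(range(lo, hi + 1))
    return result


def rule_matches(rule, direction, proto, port, peer_ip, peer_groups):
    """True if the packet (direction, protocol, destination port, peer) fits the rule."""
    if rule.direction != direction:
        return False
    if rule.protocol != "all" and rule.protocol != proto:
        return False
    allowed = parse_ports(rule.ports)
    if allowed is not None and (port is None or port not in allowed):
        return False
    if rule.source.startswith("sg:"):
        # A security group as source matches any instance that belongs to it.
        return rule.source[3:] in peer_groups
    return ip_address(peer_ip) in ip_network(rule.source, strict=False)


def evaluate(rules, direction, proto, port, peer_ip, peer_groups=()):
    """Return ('allow'|'deny', matching Rule or None).

    Rules are evaluated in priority order (1 first). Among rules with the same
    priority, deny is checked before allow. No match means default deny.
    """
    action_rank = {"deny": 0, "allow": 1}
    for rule in sorted(rules, key=lambda r: (r.priority, action_rank[r.action])):
        if rule_matches(rule, direction, proto, port, peer_ip, peer_groups):
            return rule.action, rule
    return "deny", None


# Constructed rules for security group Sg-A, following the ECS-A example above.
SG_A = [
    Rule("inbound",  "allow", 1,   "icmp", None,    "0.0.0.0/0"),
    Rule("inbound",  "allow", 1,   "tcp",  "3306",  "sg:Sg-B"),      # DB access only from Sg-B members
    Rule("inbound",  "allow", 10,  "tcp",  "80-82", "10.0.0.0/8"),
    Rule("inbound",  "deny",  10,  "tcp",  "80-82", "10.0.5.0/24"),  # same priority: deny wins
    Rule("outbound", "allow", 100, "all",  None,    "0.0.0.0/0"),
]


def demo():
    """Evaluate a handful of constructed packets against SG_A."""
    cases = {
        "ping from PC":          evaluate(SG_A, "inbound", "icmp", None, "203.0.113.7"),
        "ssh from PC":           evaluate(SG_A, "inbound", "tcp", 22, "203.0.113.7"),
        "mysql from Sg-B host":  evaluate(SG_A, "inbound", "tcp", 3306, "10.0.1.9", ("Sg-B",)),
        "mysql from other host": evaluate(SG_A, "inbound", "tcp", 3306, "10.0.1.9"),
        "http from 10.0.5.4":    evaluate(SG_A, "inbound", "tcp", 81, "10.0.5.4"),
        "http from 10.0.6.4":    evaluate(SG_A, "inbound", "tcp", 81, "10.0.6.4"),
        "egress to Internet":    evaluate(SG_A, "outbound", "tcp", 443, "198.51.100.1"),
    }
    return {name: action for name, (action, _) in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:24s} -> {action}")
```

The two `80-82` rules at priority 10 show the tie-break: a host in 10.0.5.0/24 is denied even though the broader 10.0.0.0/8 allow rule also matches, while a host in 10.0.6.0/24 is allowed. SSH from the PC is denied with no matching rule at all, which is the default-deny behaviour the ECS-A example relies on.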
Constraints on Using Security Groups
- For better network performance, you are advised to associate an instance with no more than five security groups.
- A security group can have no more than 6,000 instances associated, or its performance will deteriorate.
- For inbound rules of a security group, the total number of rules whose Source is a security group, rules whose Source is an IP address group, and rules with inconsecutive ports cannot exceed 120. Rules beyond this limit do not take effect. IPv4 and IPv6 rules are counted separately, each with a limit of 120.
The constraints on outbound security group rules are the same as those on inbound rules.
For example, Table 1 lists inbound IPv4 rules for security group Sg-A that meet these constraints. Rule A02 both uses inconsecutive ports and uses security group Sg-B as its source, but it occupies only one of the 120 quota slots.
Table 1 Example of inbound security group rules

| Rule No. | Action | Type | Protocol & Port | Source Address |
|----------|--------|------|-----------------|----------------|
| Rule A01 | Allow | IPv4 | All | Security group: Sg-A |
| Rule A02 | Allow | IPv4 | TCP: 22,25,27 | Security group: Sg-B |
| Rule A03 | Allow | IPv4 | TCP: 80-82 | IP address group: ipGroup-A |
| Rule A04 | Allow | IPv4 | TCP: 22-24,25 | IP address: 192.168.0.0/16 |
Recommendations
- Instances in a security group deny all external access requests by default, but you can add rules to allow specific requests.
- When adding a security group rule, follow the Principle of Least Privilege (PoLP). For example, only allow specific IP addresses to log in to a cloud server over port 22. Do not use 0.0.0.0/0 (all IP addresses).
- Keep the rules in a single security group simple and use different security groups to manage instances with different purposes. Using a single security group for all instances can lead to redundant, overly complex rules, making the configuration harder to maintain and manage.
- You can add instances to different security groups based on their functions. For example, if you want to provide website services accessible from the Internet, you can add the web servers to a security group configured for that specific purpose and only allow external access over specific ports, such as 80 and 443. By default, other external access requests are denied. Do not run internal services, such as MySQL or Redis, on web servers that provide services accessible from the Internet. Deploy internal services on servers that do not need to connect to the Internet and associate these servers with security groups specifically configured for that purpose.
- If you have multiple IP addresses with the same security requirements, you can add them to an IP address group and select this IP address group when you configure a rule. If an IP address changes, updating it in the group automatically applies the change to all associated rules. This makes security group management easier and more efficient. For details, see Using IP Address Groups to Reduce the Number of Security Group Rules.
- Do not modify in-use security group rules directly. Before you modify such a security group rule, you are advised to clone the security group and modify the rule in a test environment to ensure that the modified rule works. For details, see Cloning a Security Group.
- After you add instances to or modify rules of a security group, the security group rules are applied automatically. There is no need to restart the instances.
If a security group rule does not take effect after being configured, see Why Are My Security Group Rules Not Working?
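The quota constraint (which rules count against the 120-rule limit, per address family) and the least-privilege recommendation (no administrative ports opened to 0.0.0.0/0) are both checks worth automating before rules are pushed. The following is an added example, not Huawei Cloud tooling: a small audit script that applies both checks to the rules of Table 1 plus one constructed bad rule. The dict layout, the `A05` rule and the choice of ports 22 and 3389 as "administrative" are assumptions made for this example.

```python
"""Audit helpers for the security group rule constraints and recommendations
on this page.

Added example, not Huawei Cloud tooling. It implements two checks described
above: the 120-rule quota for rules whose source is a security group or an IP
address group or that list inconsecutive ports (counted separately for IPv4 and
IPv6), and the least-privilege recommendation that administrative ports must
not be opened to 0.0.0.0/0 or ::/0. Rules are dicts mirroring Table 1; the data
is constructed, and the set of "administrative" ports is an assumption.
"""
QUOTA_PER_FAMILY = 120          # per address family, as stated in the constraints
ADMIN_PORTS = {22, 3389}        # assumption: SSH and RDP are the ports worth flagging
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def split_proto_port(spec):
    """'TCP: 22-24,25' -> ('tcp', [(22, 24), (25, 25)]); 'All' -> ('all', [(1, 65535)])."""
    if spec.strip().lower() == "all":
        return "all", [(1, 65535)]
    proto, _, ports = spec.partition(":")
    ranges = []
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return proto.strip().lower(), ranges


def source_kind(rule):
    """'Security group: Sg-B' -> ('security group', 'Sg-B')."""
    kind, _, value = rule["source"].partition(":")
    return kind.strip().lower(), value.strip()


def consumes_quota(rule):
    """A rule occupies one slot of the 120-rule quota if its source is a security
    group or an IP address group, or if it lists more than one port entry
    (treated here as "inconsecutive ports"). A rule meeting several of these
    conditions still occupies a single slot, as rule A02 above does."""
    kind, _ = source_kind(rule)
    _, ranges = split_proto_port(rule["protocol_port"])
    return kind in ("security group", "ip address group") or len(ranges) > 1


def quota_usage(rules):
    """Quota slots consumed per address family, e.g. {'IPv4': 4, 'IPv6': 0}."""
    usage = {"IPv4": 0, "IPv6": 0}
    for rule in rules:
        if consumes_quota(rule):
            usage[rule["type"]] += 1
    return usage


def open_admin_rules(rules):
    """Allow rules that expose an administrative TCP port to every address."""
    findings = []
    for rule in rules:
        kind, value = source_kind(rule)
        if rule["action"].lower() != "allow" or kind != "ip address" or value not in ANY_SOURCE:
            continue
        proto, ranges = split_proto_port(rule["protocol_port"])
        if proto not in ("tcp", "all"):
            continue
        exposed = sorted(p for p in ADMIN_PORTS if any(lo <= p <= hi for lo, hi in ranges))
        if exposed:
            findings.append((rule["name"], exposed))
    return findings


def audit(rules):
    """Combine both checks into one report."""
    usage = quota_usage(rules)
    return {
        "quota": usage,
        "over_quota": {fam: n for fam, n in usage.items() if n > QUOTA_PER_FAMILY},
        "open_admin_ports": open_admin_rules(rules),
    }


# Table 1 above, as inbound IPv4 rules of Sg-A.
TABLE_1 = [
    {"name": "A01", "action": "Allow", "type": "IPv4", "protocol_port": "All",           "source": "Security group: Sg-A"},
    {"name": "A02", "action": "Allow", "type": "IPv4", "protocol_port": "TCP: 22,25,27", "source": "Security group: Sg-B"},
    {"name": "A03", "action": "Allow", "type": "IPv4", "protocol_port": "TCP: 80-82",    "source": "IP address group: ipGroup-A"},
    {"name": "A04", "action": "Allow", "type": "IPv4", "protocol_port": "TCP: 22-24,25", "source": "IP address: 192.168.0.0/16"},
]
# Constructed rule that violates the least-privilege recommendation (SSH open to the world).
BAD_RULE = {"name": "A05", "action": "Allow", "type": "IPv4", "protocol_port": "TCP: 22", "source": "IP address: 0.0.0.0/0"}

if __name__ == "__main__":
    print(audit(TABLE_1 + [BAD_RULE]))
```

Each of the four Table 1 rules occupies one quota slot (two because of their security group source, one because of its IP address group source, and A04 because it lists two port entries), so the audit reports 4 of 120 IPv4 slots used; the constructed A05 rule is the only one flagged for exposing port 22 to 0.0.0.0/0.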
