Overview

Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all ECSs added to this security group.

You can also customize a security group or use the default one. The system provides a default security group for you, which permits all outbound traffic and denies inbound traffic. ECSs in a security group are accessible to each other. For details about the default security group, see Default Security Group and Rules.

If two ECSs are in the same security group but in different VPCs, the security group does not take effect. You can use a VPC peering connection to connect the two VPCs first. For details, see VPC Connectivity.

Security Group Rules

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the rules of that group.

Each security group has default rules. For details, see Default Security Group and Rules. You can also customize security group rules. For details, see Configuring Security Group Rules.

Security Group Constraints

• For better network performance, you are advised to associate an instance with no more than five security groups.
• A security group can have no more than 6,000 instances associated, or its performance will deteriorate.
• For inbound security group rules, the sum of the rules with Source set to Security group, the rules with Source set to IP address group, and the rules with inconsecutive ports, cannot exceed 128. Outbound rules also have this restriction.
  • When Source is set to Security group, you can select the current security group or a different security group.
  • An example of inconsecutive ports is 22,25,27.