Help Center/ Elastic Cloud Server/ User Guide/ Security/ Security Groups/ Overview
Updated on 2024-11-14 GMT+08:00
View PDF

Overview

Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all ECSs added to this security group.

You can also customize a security group or use the default one. The system provides a default security group for you, which permits all outbound traffic and denies inbound traffic. ECSs in a security group are accessible to each other. For details about the default security group, see Default Security Groups and Rules.

If two ECSs are in the same security group but in different VPCs, the security group does not take effect. You can use a VPC peering connection to connect the two VPCs first. For details, see VPC Connectivity Options.

Security Group Rules

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the rules of that group.

Each security group has default rules. For details, see Default Security Groups and Rules. You can also customize security group rules. For details, see Configuring Security Group Rules.

Notes and Constraints

  • For better network performance, you are advised to associate an instance with no more than five security groups.
  • A security group can have no more than 6,000 instances associated, or its performance will deteriorate.
  • For inbound security group rules, the sum of the rules with Source set to Security group, of the rules with Source set to IP address group, and of the rules with inconsecutive ports, cannot exceed 120. If there are both IPv4 and IPv6 security group rules, up to 120 rules can be added for each type.

    The limits on outbound security group rules are the same as those on inbound rules.

    For example, to add inbound IPv4 rules to a security group (Sg-A), you can refer to Table 1 for rules that meet the restrictions. Of these rules, rule A02 uses inconsecutive ports (TCP: 22,25,27) and security group Sg-B as the source. In this case, only one quota is occupied.

    Table 1 Inbound security group rules

    Rule No.

    Action

    Type

    Protocol & Port

    Source

    Rule A01

    Allow

    IPv4

    All

    Current security group: Sg-A

    Rule A02

    Allow

    IPv4

    TCP: 22,25,27

    Another security group: Sg-B

    Rule A03

    Allow

    IPv4

    TCP: 80-82

    IP address group: ipGroup-A

    Rule A04

    Allow

    IPv4

    TCP: 22-24,25

    IP address: 192.168.0.0/16
  • Traffic from load balancers is not restricted by network ACL and security group rules if:

    Transfer Client IP Address is enabled for the listener of a load balancer.

    The load balancer can still forward traffic to backend servers, even if there is a rule that denies traffic from the load balancer to the backend servers.

Parent topic: Security Groups