Security Group Examples
- Remotely Logging In to an ECS from a Local Server
- Remotely Connecting to an ECS from a Local Server to Upload or Download FTP Files
- Setting Up a Website on an ECS to Provide Services Externally
- Using ping Command to Verify Network Connectivity
- Enabling Communications Between Instances in Different Security Groups
- Allowing External Instances to Access the Database Deployed on an ECS
- Allowing ECSs to Access Specific External Websites
If your security group rules are not applied, submit a service ticket.
Precautions
Note the following before configuring security group rules:
- Instances associated with different security groups are isolated from each other by default.
- Generally, a security group denies all external requests by default.
You need to add inbound rules to allow specific traffic to the instances in the security group.
- By default, outbound security group rules allow all requests from the instances in the security group to access external resources.
If outbound rules are deleted, the instances in the security group cannot communicate with external resources. To allow outbound traffic, you need to add outbound rules by referring to Table 1.
Table 1 Default outbound rules in a security group Direction
Priority
Action
Type
Protocol & Port
Destination
Description
Outbound
1
Allow
IPv4
All
0.0.0.0/0
Allows the instances in the security group to access any IPv4 address over any port.
Outbound
1
Allow
IPv6
All
::/0
Allows the instances in the security group to access any IPv6 address over any port.
Remotely Logging In to an ECS from a Local Server
A security group denies all external requests by default. To remotely log in to an ECS in a security group from a local server, add an inbound rule based on the OS running on the ECS.
- To remotely log in to a Linux ECS using SSH, enable port 22. For details, see Table 2.
- To remotely log in to a Windows ECS using RDP, enable port 3389. For details, see Table 3.
Table 2 Remotely logging in to a Linux ECS using SSH Direction
Priority
Action
Type
Protocol & Port
Source
Inbound
1
Allow
IPv4
TCP: 22
IP address: 0.0.0.0/0
Table 3 Remotely logging in to a Windows ECS using RDP Direction
Priority
Action
Type
Protocol & Port
Source
Inbound
1
Allow
IPv4
TCP: 3389
IP address: 0.0.0.0/0
If the source is set to 0.0.0.0/0, all external IP addresses are allowed to remotely log in to the ECS. To ensure network security and prevent service interruptions caused by network intrusions, set the source to a known IP address. For details, see Table 4.
Remotely Connecting to an ECS from a Local Server to Upload or Download FTP Files
By default, a security group denies all external requests. If you need to remotely connect to an ECS from a local server to upload or download files, you need to enable FTP ports 20 and 21.
Direction |
Priority |
Action |
Type |
Protocol & Port |
Source |
---|---|---|---|---|---|
Inbound |
1 |
Allow |
IPv4 |
TCP: 20-21 |
IP address: 0.0.0.0/0 |
- If the source is set to 0.0.0.0/0, all external IP addresses are allowed to remotely log in to the ECS to upload or download files. To ensure network security and prevent service interruptions caused by network intrusions, set the source to a known IP address. For details, see Table 6.
- You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly.
Setting Up a Website on an ECS to Provide Services Externally
A security group denies all external requests by default. If you have set up a website on an ECS that can be accessed externally, you need to add an inbound rule to the ECS security group to allow access over specific ports, such as HTTP (80) and HTTPS (443).
Direction |
Priority |
Action |
Type |
Protocol & Port |
Source |
---|---|---|---|---|---|
Inbound |
1 |
Allow |
IPv4 |
TCP: 80 |
IP address: 0.0.0.0/0 |
Inbound |
1 |
Allow |
IPv4 |
TCP: 443 |
IP address: 0.0.0.0/0 |
Using ping Command to Verify Network Connectivity
Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request. To ping an ECS from your PC to verify the network connectivity, you need to add an inbound rule to the security group of the ECS to allow ICMP traffic.
Direction |
Priority |
Action |
Type |
Protocol & Port |
Source |
---|---|---|---|---|---|
Inbound |
1 |
Allow |
IPv4 |
ICMP: All |
IP address: 0.0.0.0/0 |
Inbound |
1 |
Allow |
IPv6 |
ICMP: All |
IP address: ::/0 |
Enabling Communications Between Instances in Different Security Groups
Instances in the same VPC but associated with different security groups cannot communicate with each other. If you want ECSs in security group sg-A to access MySQL databases in security group sg-B, you need to add an inbound rule to security group sg-B to allow access from ECSs in security group sg-A.
Direction |
Priority |
Action |
Type |
Protocol & Port |
Source |
---|---|---|---|---|---|
Inbound |
1 |
Allow |
IPv4 |
TCP: 3306 |
Security group: sg-A |
In How Security Groups Are Used, ECSs in Subnet-A and Subnet-B are connected by a virtual IP address. If you set the source of inbound rules to the security groups associated with the ECSs, the ECSs in the two security groups cannot communicate with each other. To enable communications, set the source to the private IP address or subnet CIDR block of the virtual IP address.
Allowing External Instances to Access the Database Deployed on an ECS
- MySQL: port 3306
- Oracle: port 1521
- MS SQL: port 1433
- PostgreSQL: port 5432
- Redis: port 6379
Direction |
Priority |
Action |
Type |
Protocol & Port |
Source |
Description |
---|---|---|---|---|---|---|
Inbound |
1 |
Allow |
IPv4 |
TCP: 3306 |
Security group: sg-A |
Allows the ECSs in security group sg-A to access the MySQL database service. |
Inbound |
1 |
Allow |
IPv4 |
TCP: 1521 |
Security group: sg-B |
Allows the ECSs in security group sg-B to access the Oracle database service. |
Inbound |
1 |
Allow |
IPv4 |
TCP: 1433 |
IP address: 172.16.3.21/32 |
Allows the ECS whose private IP address is 172.16.3.21 to access the MS SQL database service. |
Inbound |
1 |
Allow |
IPv4 |
TCP: 5432 |
IP address: 192.168.0.0/24 |
This rule allows ECSs whose private IP addresses are in the 192.168.0.0/24 network to access the PostgreSQL database service. |
Inbound |
1 |
Allow |
IPv4 |
TCP: 6379 |
IP address group: ipGroup-A |
Allows ECSs whose private IP addresses are in IP address group ipGroup-A to access the Redis database service. |
In this example, the source is for reference only. Set the source address based on your requirements.
Allowing ECSs to Access Specific External Websites
By default, a security group allows all outbound traffic. Table 12 lists the default rules. If you want to allow ECSs to access specific websites, configure the security group as follows:
- Add outbound rules to allow traffic over specific ports to specific IP addresses.
Table 11 Allowing ECSs to access specific external websites Direction
Priority
Action
Type
Protocol & Port
Destination
Description
Outbound
1
Allow
IPv4
TCP: 80
IP address: 132.15.XX.XX
Allows ECSs in the security group to access the external website at http://132.15.XX.XX:80.
Outbound
1
Allow
IPv4
TCP: 443
IP address: 145.117.XX.XX
Allows ECSs in the security group to access the external website at https://145.117.XX.XX:443.
- Delete the original outbound rules that allow all traffic.
Table 12 Default outbound rules in a security group Direction
Priority
Action
Type
Protocol & Port
Destination
Description
Outbound
1
Allow
IPv4
All
0.0.0.0/0
Allows the instances in the security group to access any IPv4 address over any port.
Outbound
1
Allow
IPv6
All
::/0
Allows the instances in the security group to access any IPv6 address over any port.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.