Updated on 2025-05-21 GMT+08:00

How Can I Configure a Security Group Rule for a Cluster?

CCE is a universal container platform. Its default security group rules apply to common scenarios. When a cluster is created, a security group is automatically created for the master nodes and worker nodes, separately. The name of the master node security group is in the format of {Cluster name}-cce-control-{Random ID}, and that of the worker node security group is in the format of {Cluster name}-cce-node-{Random ID}. For a CCE Turbo cluster, an additional ENI security group, with the name following the format of {Cluster name}-cce-eni-{Random ID}, will be created.

To modify the security group rules, log in to the management console and choose Service List > Networking > Virtual Private Cloud. On the page displayed, choose Access Control > Security Groups in the navigation pane, locate the row containing the target security group, and modify the rules.

If you specify your own node security group when creating a cluster, make sure that it allows the ports listed for the default security group of your network model; otherwise, the components in the cluster cannot communicate normally.

The default security group rules for each network model are listed in the following sections. Before modifying them, note the following:

  • Be careful when modifying or removing security group rules, as doing so can impact cluster operation. Avoid modifying the rules for the ports that CCE requires.
  • When adding a security group rule, ensure that it does not conflict with the existing rules. A conflicting rule can invalidate existing rules and affect cluster running.

Security Group Rules in a Cluster That Uses the VPC Network Model

Worker node security group

A security group, with a name following the format of {Cluster name}-cce-node-{Random ID}, is automatically created for the worker nodes in a cluster. For details about the default ports, see Table 1.

Table 1 Default ports in the security group of the worker nodes in a cluster that uses the VPC network model

| Direction | Port | Default Source/Destination Address | Description | Modification Suggestion | Impact After Modification |
|---|---|---|---|---|---|
| Inbound | All UDP ports | VPC CIDR block | Allow access between the worker nodes, and between the worker nodes and the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All TCP ports | VPC CIDR block | Allow access between the worker nodes, and between the worker nodes and the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All ICMP ports | Master node security group | Allow the master nodes to access the worker nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port range 30000 to 32767 | All IP addresses (0.0.0.0/0) | Allow access from NodePort Services. | Modification made if necessary | The ports must still allow traffic from the CIDR blocks of the VPC, the containers, and the load balancer. |
| Inbound | UDP port range 30000 to 32767 | All IP addresses (0.0.0.0/0) | Allow access from NodePort Services. | Modification made if necessary | The ports must still allow traffic from the CIDR blocks of the VPC, the containers, and the load balancer. |
| Inbound | All | Container CIDR block | Allow containers within the cluster to access the nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All | Worker node security group | Allow access between instances in the worker node security group; access from outside the security group is restricted. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 22 | All IP addresses (0.0.0.0/0) | Allow SSH access to Linux ECSs. | Modification recommended | You are advised to allow access only from fixed IP addresses or IP address ranges. |
| Outbound | All | All IP addresses (0.0.0.0/0) | Allow traffic on all ports by default. You are advised to retain this setting. | Modification made if necessary | If you harden security by allowing traffic only on specific ports, remember to allow the required ports. For details, see Hardening Outbound Rules. |

Master node security group

A security group, with a name following the format of {Cluster name}-cce-control-{Random ID}, is automatically created for the master nodes in a cluster. For details about the default ports, see Table 2.

Table 2 Default ports in the security group of the master nodes in a cluster that uses the VPC network model

| Direction | Port | Default Source/Destination Address | Description | Modification Suggestion | Impact After Modification |
|---|---|---|---|---|---|
| Inbound | TCP port 5444 | VPC CIDR block | Allow access to kube-apiserver, which provides lifecycle management for Kubernetes resources. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 5444 | Container CIDR block | Allow access to kube-apiserver, which provides lifecycle management for Kubernetes resources. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 9443 | VPC CIDR block | Allow the network add-on on the worker nodes to access the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 5443 | All IP addresses (0.0.0.0/0) | Allow the worker nodes to access kube-apiserver on the master nodes. | Modification recommended | The port must still allow traffic from the CIDR blocks of the VPC, the control plane of the hosted service mesh, and the containers. NOTE: To use CloudShell, also allow traffic from 198.19.0.0/16 on port 5443; otherwise, you cannot access the cluster from CloudShell. |
| Inbound | TCP port 8445 | VPC CIDR block | Allow the storage add-on on the worker nodes to access the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All | Master node security group | Allow access between instances in the master node security group; access from outside the security group is restricted. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Outbound | All | All IP addresses (0.0.0.0/0) | Allow traffic on all ports by default. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |

Security Group Rules in a Cluster That Uses the Tunnel Network Model

Worker node security group

A security group, with a name following the format of {Cluster name}-cce-node-{Random ID}, is automatically created for the worker nodes in a cluster. For details about the default ports, see Table 3.

Table 3 Default ports in the security group of the worker nodes in a cluster that uses the tunnel network model

| Direction | Port | Default Source/Destination Address | Description | Modification Suggestion | Impact After Modification |
|---|---|---|---|---|---|
| Inbound | UDP port 4789 | All IP addresses (0.0.0.0/0) | Allow access between containers (VXLAN tunnel traffic). | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 10250 | Master node CIDR block | Allow the master nodes to access kubelet on the worker nodes to run commands, for example, kubectl exec {pod}. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port range 30000 to 32767 | All IP addresses (0.0.0.0/0) | Allow access from NodePort Services. | Modification made if necessary | The ports must still allow traffic from the CIDR blocks of the VPC, the load balancer, and the containers. |
| Inbound | UDP port range 30000 to 32767 | All IP addresses (0.0.0.0/0) | Allow access from NodePort Services. | Modification made if necessary | The ports must still allow traffic from the CIDR blocks of the VPC, the load balancer, and the containers. |
| Inbound | TCP port 22 | All IP addresses (0.0.0.0/0) | Allow SSH access to Linux ECSs. | Modification recommended | You are advised to allow access only from fixed IP addresses or IP address ranges. |
| Inbound | All | Worker node security group | Allow access between instances in the worker node security group; access from outside the security group is restricted. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Outbound | All | All IP addresses (0.0.0.0/0) | Allow traffic on all ports by default. You are advised to retain this setting. | Modification made if necessary | If you harden security by allowing traffic only on specific ports, remember to allow the required ports. For details, see Hardening Outbound Rules. |

Master node security group

A security group, with a name following the format of {Cluster name}-cce-control-{Random ID}, is automatically created for the master nodes in a cluster. For details about the default ports, see Table 4.

Table 4 Default ports in the security group of the master nodes in a cluster that uses the tunnel network model

| Direction | Port | Default Source/Destination Address | Description | Modification Suggestion | Impact After Modification |
|---|---|---|---|---|---|
| Inbound | UDP port 4789 | All IP addresses (0.0.0.0/0) | Allow access between containers (VXLAN tunnel traffic). | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 5444 | VPC CIDR block | Allow access to kube-apiserver, which provides lifecycle management for Kubernetes resources. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 5444 | Container CIDR block | Allow access to kube-apiserver, which provides lifecycle management for Kubernetes resources. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 9443 | VPC CIDR block | Allow the network add-on on the worker nodes to access the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 5443 | All IP addresses (0.0.0.0/0) | Allow the worker nodes to access kube-apiserver on the master nodes. | Modification recommended | The port must still allow traffic from the CIDR blocks of the VPC, the control plane of the hosted service mesh, and the containers. NOTE: To use CloudShell, also allow traffic from 198.19.0.0/16 on port 5443; otherwise, you cannot access the cluster from CloudShell. |
| Inbound | TCP port 8445 | VPC CIDR block | Allow the storage add-on on the worker nodes to access the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All | Master node security group | Allow access between instances in the master node security group; access from outside the security group is restricted. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Outbound | All | All IP addresses (0.0.0.0/0) | Allow traffic on all ports by default. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |

Security Group Rules in a CCE Turbo Cluster That Uses the Cloud Native 2.0 Network Model

Worker node security group

A security group, with a name following the format of {Cluster name}-cce-node-{Random ID}, is automatically created for the worker nodes in a cluster. For details about the default ports, see Table 5.

Table 5 Default ports in the security group of the worker nodes in a CCE Turbo cluster that uses the Cloud Native 2.0 network model

| Direction | Port | Default Source/Destination Address | Description | Modification Suggestion | Impact After Modification |
|---|---|---|---|---|---|
| Inbound | TCP port 10250 | Master node CIDR block | Allow the master nodes to access kubelet on the worker nodes to run commands, for example, kubectl exec {pod}. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port range 30000 to 32767 | All IP addresses (0.0.0.0/0) | Allow access from NodePort Services. | Modification made if necessary | The ports must still allow traffic from the CIDR blocks of the VPC, the load balancer, and the containers. |
| Inbound | UDP port range 30000 to 32767 | All IP addresses (0.0.0.0/0) | Allow access from NodePort Services. | Modification made if necessary | The ports must still allow traffic from the CIDR blocks of the VPC, the load balancer, and the containers. |
| Inbound | TCP port 22 | All IP addresses (0.0.0.0/0) | Allow SSH access to Linux ECSs. | Modification recommended | You are advised to allow access only from fixed IP addresses or IP address ranges. |
| Inbound | All | Worker node security group | Allow access between instances in the worker node security group; access from outside the security group is restricted. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All | Container subnet CIDR block | Allow containers within the cluster to access the nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Outbound | All | All IP addresses (0.0.0.0/0) | Allow traffic on all ports by default. You are advised to retain this setting. | Modification made if necessary | If you harden security by allowing traffic only on specific ports, remember to allow the required ports. For details, see Hardening Outbound Rules. |

Master node security group

A security group, with a name following the format of {Cluster name}-cce-control-{Random ID}, is automatically created for the master nodes in a cluster. For details about the default ports, see Table 6.

Table 6 Default ports in the security group of the master nodes in a CCE Turbo cluster that uses the Cloud Native 2.0 network model

| Direction | Port | Default Source/Destination Address | Description | Modification Suggestion | Impact After Modification |
|---|---|---|---|---|---|
| Inbound | TCP port 5444 | All IP addresses (0.0.0.0/0) | Allow access to kube-apiserver, which provides lifecycle management for Kubernetes resources. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 5444 | VPC CIDR block | Allow access to kube-apiserver, which provides lifecycle management for Kubernetes resources. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 9443 | VPC CIDR block | Allow the network add-on on the worker nodes to access the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | TCP port 5443 | All IP addresses (0.0.0.0/0) | Allow the worker nodes to access kube-apiserver on the master nodes. | Modification recommended | The port must still allow traffic from the CIDR blocks of the VPC, the control plane of the hosted service mesh, and the containers. NOTE: To use CloudShell, also allow traffic from 198.19.0.0/16 on port 5443; otherwise, you cannot access the cluster from CloudShell. |
| Inbound | TCP port 8445 | VPC CIDR block | Allow the storage add-on on the worker nodes to access the master nodes. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All | Master node security group | Allow access between instances in the master node security group; access from outside the security group is restricted. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All | Container subnet CIDR block | Allow access from all IP addresses in the container subnet CIDR block. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Outbound | All | All IP addresses (0.0.0.0/0) | Allow traffic on all ports by default. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |

ENI security group

In a CCE Turbo cluster, an additional security group, with the name following the format of {Cluster name}-cce-eni-{Random ID}, is created. By default, containers in the cluster are bound to this security group. For details about the default ports, see Table 7.

Table 7 Default ports of the ENI security group in a CCE Turbo cluster that uses the Cloud Native 2.0 network model

| Direction | Port | Default Source/Destination Address | Description | Modification Suggestion | Impact After Modification |
|---|---|---|---|---|---|
| Inbound | All | ENI security group | Allow containers within the cluster to access each other. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Inbound | All | VPC CIDR block | Allow instances in the cluster VPC to access the containers. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |
| Outbound | All | All IP addresses (0.0.0.0/0) | Allow traffic on all ports by default. | Modification not recommended | Modifying the configuration can disrupt the cluster functionality. |

Hardening Outbound Rules

By default, all security groups created by CCE allow all outbound traffic. You are advised to retain this configuration. If you do harden the outbound rules, ensure that traffic on the ports listed in Table 8 is still allowed; otherwise, the worker nodes lose DNS, control plane, NTP, or image and package access.

Table 8 Minimum configurations of outbound security group rules for the worker nodes

| Port | Allowed CIDR | Description |
|---|---|---|
| TCP port 53 | DNS server of the subnet | Allow domain name resolution. |
| UDP port 53 | DNS server of the subnet | Allow domain name resolution. |
| TCP port 5353 | Container CIDR block | Allow CoreDNS domain name resolution. |
| UDP port 5353 | Container CIDR block | Allow CoreDNS domain name resolution. |
| UDP port 4789 (required only by clusters that use the tunnel network model) | All IP addresses | Allow access between containers (VXLAN tunnel traffic). |
| TCP port 5443 | Master node CIDR block | Allow the worker nodes to access kube-apiserver on the master nodes. |
| TCP port 5444 | CIDR blocks of the VPC and containers | Allow access to kube-apiserver, which provides lifecycle management for Kubernetes resources. |
| TCP port 6443 | Master node CIDR block | None |
| TCP port 8445 | VPC CIDR block | Allow the storage add-on on the worker nodes to access the master nodes. |
| TCP port 9443 | VPC CIDR block | Allow the network add-on on the worker nodes to access the master nodes. |
| All ports | 198.19.128.0/17 | Allow access to VPC Endpoint (VPCEP). |
| UDP port 123 | 100.125.0.0/16 | Allow the worker nodes to access the internal NTP server. |
| TCP port 443 | 100.125.0.0/16 | Allow the worker nodes to access OBS over the internal network to pull the installation package. |
| TCP port 6443 | 100.125.0.0/16 | Allow the worker nodes to report that node installation has completed. |
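The checks this page asks for before a rule is changed (restricting TCP port 22 to fixed addresses, keeping the required sources on TCP port 5443 of the master security group, and keeping every Table 8 entry when the allow-all outbound rule is replaced) can be run as a script before touching the console. The following Python script is an added example; it is not CCE code and does not call any CCE or VPC API. Rules are modelled as plain dictionaries with the console's fields (direction, protocol, port range, remote CIDR). The VPC, container, master node and subnet DNS CIDR blocks are constructed placeholders to be replaced with your own values; the fixed ranges 198.19.0.0/16, 198.19.128.0/17 and 100.125.0.0/16 are the ones quoted on this page. The Table 8 list includes UDP 4789, so it applies to a tunnel-network cluster; drop that entry for the other network models.

```python
"""Audit security group rules against the guidance on this page.

Added example, not CCE code or a CCE API. Rules are plain dicts mirroring
the console fields (direction, protocol, port range, remote CIDR). All
cluster-specific CIDRs below are constructed placeholders.
"""
import ipaddress

# Constructed placeholders: replace with your cluster's values.
VPC_CIDR = "192.168.0.0/16"
CONTAINER_CIDR = "10.0.0.0/16"
MASTER_CIDR = "172.16.0.0/24"
SUBNET_DNS = "100.125.1.250/32"
# Fixed ranges quoted on this page.
CLOUDSHELL = "198.19.0.0/16"
VPCEP = "198.19.128.0/17"
INTERNAL = "100.125.0.0/16"
ANY = "0.0.0.0/0"


def rule(direction, protocol, ports, cidr):
    """Build one rule. ports is "all", a port number, or a "lo-hi" string."""
    if ports == "all":
        lo, hi = 1, 65535
    elif "-" in str(ports):
        lo, hi = (int(p) for p in ports.split("-"))
    else:
        lo = hi = int(ports)
    return {"direction": direction, "protocol": protocol,
            "lo": lo, "hi": hi, "cidr": ipaddress.ip_network(cidr)}


def covers(existing, needed):
    """True if `existing` permits every packet that `needed` permits."""
    return (existing["direction"] == needed["direction"]
            and existing["protocol"] in ("all", needed["protocol"])
            and existing["lo"] <= needed["lo"] <= needed["hi"] <= existing["hi"]
            and needed["cidr"].subnet_of(existing["cidr"]))


def missing_rules(rules, required):
    """Required rules that no rule in `rules` covers."""
    return [r for r in required if not any(covers(x, r) for x in rules)]


def world_open(rules, ports):
    """Ports from `ports` that some inbound rule exposes to 0.0.0.0/0."""
    world = ipaddress.ip_network(ANY)
    return sorted({p for r in rules for p in ports
                   if r["direction"] == "in" and r["cidr"] == world
                   and r["lo"] <= p <= r["hi"]})


# Table 8: minimum outbound rules for worker nodes (tunnel network model,
# so the UDP 4789 entry is included).
MIN_OUTBOUND = [
    rule("out", "tcp", 53, SUBNET_DNS), rule("out", "udp", 53, SUBNET_DNS),
    rule("out", "tcp", 5353, CONTAINER_CIDR), rule("out", "udp", 5353, CONTAINER_CIDR),
    rule("out", "udp", 4789, ANY),
    rule("out", "tcp", 5443, MASTER_CIDR),
    rule("out", "tcp", 5444, VPC_CIDR), rule("out", "tcp", 5444, CONTAINER_CIDR),
    rule("out", "tcp", 6443, MASTER_CIDR),
    rule("out", "tcp", 8445, VPC_CIDR), rule("out", "tcp", 9443, VPC_CIDR),
    rule("out", "all", "all", VPCEP),
    rule("out", "udp", 123, INTERNAL), rule("out", "tcp", 443, INTERNAL),
    rule("out", "tcp", 6443, INTERNAL),
]

# Sources that inbound TCP 5443 on the master security group must keep
# (the CloudShell range only matters if you use CloudShell).
MASTER_5443_REQUIRED = [rule("in", "tcp", 5443, c)
                        for c in (VPC_CIDR, CONTAINER_CIDR, CLOUDSHELL)]


def audit_outbound(rules):
    """Table 8 entries that `rules` does not cover, as readable strings."""
    return [f"{r['protocol']} {r['lo']}-{r['hi']} -> {r['cidr']}"
            for r in missing_rules(rules, MIN_OUTBOUND)]


def audit_master_5443(rules):
    """Required 5443 sources that `rules` no longer allow."""
    return [str(r["cidr"]) for r in missing_rules(rules, MASTER_5443_REQUIRED)]


if __name__ == "__main__":
    # Constructed samples: the default worker rules, and a hardened outbound
    # set that accidentally dropped the VXLAN and VPCEP entries.
    default_worker = [rule("in", "tcp", 22, ANY),
                      rule("in", "tcp", "30000-32767", ANY),
                      rule("out", "all", "all", ANY)]
    hardened_out = [r for r in MIN_OUTBOUND
                    if not (r["protocol"] == "udp" and r["lo"] == 4789)
                    and r["cidr"] != ipaddress.ip_network(VPCEP)]
    print("sensitive ports open to the world:", world_open(default_worker, [22, 10250]))
    print("default outbound, missing:", audit_outbound(default_worker))
    print("hardened outbound, missing:", audit_outbound(hardened_out))
    tightened = [rule("in", "tcp", 5443, VPC_CIDR), rule("in", "tcp", 5443, CONTAINER_CIDR)]
    print("5443 sources dropped:", audit_master_5443(tightened))
```

The coverage check is deliberately strict: a required entry counts as covered only when one existing rule has the same direction, the same protocol (or all protocols), a port range that contains it, and a remote CIDR that contains it, which is how a security group evaluates a packet. The default allow-all outbound rule therefore passes, a hardened set that forgot UDP 4789 or the VPCEP range fails on exactly those entries, and tightening port 5443 to the VPC and container CIDRs alone is reported as dropping 198.19.0.0/16, which is the CloudShell breakage the NOTE above warns about.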