Updated on 2025-08-06 GMT+08:00

Security Group Examples

Precautions

Note the following before configuring security group rules:

  • Instances associated with different security groups are isolated from each other by default.
  • Generally, a security group denies all external requests by default.

    If required, you can add inbound rules to allow specific traffic to access the instances in the security group.

  • By default, outbound security group rules allow all requests from the instances in the security group to access external resources.
    If outbound rules are deleted, the instances in the security group cannot communicate with external resources. To allow outbound traffic, you need to add outbound rules by referring to Table 1.
    Table 1 Default outbound rules in a security group

    | Direction | Priority | Action | Type | Protocol & Port | Destination | Description |
    |---|---|---|---|---|---|---|
    | Outbound | 1 | Allow | IPv4 | All | 0.0.0.0/0 | Allows the instances in the security group to access any IPv4 address over any port. |
    | Outbound | 1 | Allow | IPv6 | All | ::/0 | Allows the instances in the security group to access any IPv6 address over any port. |

Allowing Traffic from Given IP Addresses or Security Groups

In Figure 1, there are two subnets (Subnet-A and Subnet-B) in VPC-X. ECSs in Subnet-A are associated with Sg-A because these ECSs are used to run the same services and have the same network communication requirements. Similarly, ECSs in Subnet-B are associated with security group Sg-B.
  • Inbound rule A01 of Sg-A allows traffic from IP addresses in 172.16.0.0/24 to access SSH port 22 of the ECSs in Sg-A for remotely logging in to these ECSs.
  • Inbound rule A02 of Sg-A allows the ECSs in this security group to communicate with each other using any protocol and port.
  • Inbound rule B01 of Sg-B allows the ECSs in Sg-A to access SSH port 22 of the ECSs in Sg-B for remotely logging in to the ECSs in Subnet-B.
  • Inbound rule B02 of Sg-B allows the ECSs in this security group to communicate with each other using any protocol and port.
  • The outbound rules of both security groups allow all traffic from the ECSs in the security groups.
Figure 1 Allowing traffic from given IP addresses and security groups

Allowing Traffic from a Virtual IP Address

If you use an intermediate network instance to forward traffic between instances in different subnets, setting the source of the inbound rule to the security group associated with the peer instance does not allow the instances to communicate with each other. To enable communications, set the source to the private IP address or subnet CIDR block of the intermediate network instance. For example, to connect ECSs in Subnet-A and Subnet-B as described in the second security group example in Figure 2, set the source of the inbound rule to the virtual IP address.

In Figure 2, VPC-X has two subnets: Subnet-A and Subnet-B. ECSs in Subnet-A are associated with security group Sg-A, and ECSs in Subnet-B are associated with security group Sg-B. ECS-A01 and ECS-A02 work in active/standby mode, forming a Keepalived HA cluster. The ECSs use a virtual IP address to communicate with external networks.
  • Inbound rule A01 of Sg-A allows ECSs in Sg-B to access ECSs in Sg-A using any protocol over any port.
  • Sg-B has the following inbound rules:
    • Rule B02: Allows ECSs in Sg-A to use their private IP addresses to access ECSs in Sg-B. In this network, however, ECSs in Sg-A are supposed to communicate with ECSs in Sg-B through virtual IP address 192.168.0.21, and rule B02 does not allow traffic from this virtual IP address.
    • Rule B01: Allows traffic from virtual IP address 192.168.0.21 to ECSs in Sg-B using any protocol over any port. In this networking, you can also set the source to 192.168.0.0/24, the CIDR block of Subnet-A.
Figure 2 Allowing traffic from a virtual IP address
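To make the behaviour in Figure 1 and Figure 2 concrete, here is an added Python model (example code, not the cloud platform's implementation) of inbound rule evaluation: inbound traffic is denied unless a rule matches, an IP-address source matches by CIDR, and a security-group source is assumed to match only the private IP addresses of that group's member instances, which is why traffic carrying the virtual IP 192.168.0.21 is not matched by rule B02 and needs rule B01. The member addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str                 # "all", "tcp", "udp" or "icmp"
    ports: tuple = (0, 65535)     # inclusive port range; all ports by default
    source_cidr: str = None       # "IP address" source, e.g. "192.168.0.21/32"
    source_sg: str = None         # "Security group" source, e.g. "Sg-A"

# Constructed sample membership: private IPs of the instances in each group.
# The Keepalived virtual IP 192.168.0.21 is not an instance address, so it is
# not part of any group's membership.
MEMBERS = {
    "Sg-A": {"192.168.0.11", "192.168.0.12"},   # ECS-A01, ECS-A02 in Subnet-A
    "Sg-B": {"192.168.1.21"},                   # an ECS in Subnet-B
}

def rule_matches(rule, src_ip, protocol, port):
    if rule.protocol not in ("all", protocol):
        return False
    if protocol != "icmp" and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.source_cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source_cidr, strict=False)
    # Security-group source: matches member addresses only (assumed model)
    return src_ip in MEMBERS.get(rule.source_sg, set())

def inbound_allowed(rules, src_ip, protocol, port):
    """Inbound is deny-by-default: a packet passes only if some rule matches."""
    return any(rule_matches(r, src_ip, protocol, port) for r in rules)

# Sg-B from Figure 2: rule B02 (source = Sg-A) alone, then with rule B01 added
SG_B_B02_ONLY = [Rule("all", source_sg="Sg-A")]
SG_B_WITH_B01 = SG_B_B02_ONLY + [Rule("all", source_cidr="192.168.0.21/32")]

def demo():
    vip = "192.168.0.21"
    return {
        "member_via_B02": inbound_allowed(SG_B_B02_ONLY, "192.168.0.11", "tcp", 22),
        "vip_via_B02_only": inbound_allowed(SG_B_B02_ONLY, vip, "tcp", 22),
        "vip_with_B01": inbound_allowed(SG_B_WITH_B01, vip, "tcp", 22),
        "other_subnet": inbound_allowed(SG_B_WITH_B01, "10.0.0.5", "tcp", 22),
    }
```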

Allowing Communications Between Instances in Two VPCs Connected by a VPC Peering Connection

In Figure 3, VPC-A and VPC-B in region A are connected by VPC peering connection peering-AB. After routes are configured for the VPC peering connection, Subnet-A01 and Subnet-B01 can communicate with each other. However, the ECSs in the two subnets are associated with different security groups. To allow ECSs in Sg-A and Sg-B to communicate with each other, you can add the following rules:
  • Rule A01 in Sg-A with Source set to Sg-B, to allow ECSs in Sg-B to access ECSs in Sg-A.
  • Rule B01 in Sg-B with Source set to Sg-A, to allow ECSs in Sg-A to access ECSs in Sg-B.
Figure 3 Allowing communications between ECSs in two VPCs connected by a VPC peering connection

Remotely Logging In to an ECS from a Local Server

A security group denies all external requests by default. To remotely log in to an ECS from a local server, add an inbound security group rule based on the OS running on the ECS.

  • To remotely log in to a Linux ECS using SSH, enable the SSH port (22). For details, see Table 2.
  • To remotely log in to a Windows ECS using RDP, enable the RDP port (3389). For details, see Table 3.
    Table 2 Remotely logging in to a Linux ECS using SSH

    | Direction | Priority | Action | Type | Protocol & Port | Source |
    |---|---|---|---|---|---|
    | Inbound | 1 | Allow | IPv4 | TCP: 22 | IP address: 0.0.0.0/0 |

    Table 3 Remotely logging in to a Windows ECS using RDP

    | Direction | Priority | Action | Type | Protocol & Port | Source |
    |---|---|---|---|---|---|
    | Inbound | 1 | Allow | IPv4 | TCP: 3389 | IP address: 0.0.0.0/0 |

  • If the source is set to 0.0.0.0/0, all external IP addresses are allowed to remotely log in to the ECS. To ensure network security and prevent service interruptions caused by network intrusions, set the source to a trusted IP address. For details, see Table 4.
    Table 4 Remotely logging in to an ECS using a specified IP address

    | ECS | Direction | Priority | Action | Type | Protocol & Port | Source |
    |---|---|---|---|---|---|---|
    | Linux ECS | Inbound | 1 | Allow | IPv4 | TCP: 22 | IP address: 192.168.0.0/24 |
    | Windows ECS | Inbound | 1 | Allow | IPv4 | TCP: 3389 | IP address: 10.10.0.0/24 |

Remotely Connecting to an ECS from a Local Server to Upload or Download Files over FTP

Security groups deny all external requests by default. If you need to remotely connect to an ECS from a local server to upload or download files over FTP, you need to enable FTP connections on ports 20 and 21.

Table 5 Remotely connecting to an ECS from a local server to upload or download files over FTP

| Direction | Priority | Action | Type | Protocol & Port | Source |
|---|---|---|---|---|---|
| Inbound | 1 | Allow | IPv4 | TCP: 20-21 | IP address: 0.0.0.0/0 |

If the source is set to 0.0.0.0/0, all external IP addresses are allowed to remotely log in to the ECS to upload or download files. To ensure network security and prevent service interruptions caused by network intrusions, set the source to a trusted IP address. For details, see Table 6.

Table 6 Remotely connecting to an ECS from a trusted server to upload or download files

| Direction | Priority | Action | Type | Protocol & Port | Source |
|---|---|---|---|---|---|
| Inbound | 1 | Allow | IPv4 | TCP: 20-21 | IP address: 192.168.0.0/24 |

Setting Up a Website on an ECS to Provide Internet-Accessible Services

A security group denies all external requests by default. If you set up a website on an ECS to allow access from the Internet, you need to add an inbound rule to the ECS security group to allow access over specific ports, such as HTTP (80) and HTTPS (443).

Table 7 Setting up a website on an ECS to provide Internet-accessible services

| Direction | Priority | Action | Type | Protocol & Port | Source |
|---|---|---|---|---|---|
| Inbound | 1 | Allow | IPv4 | TCP: 80 | IP address: 0.0.0.0/0 |
| Inbound | 1 | Allow | IPv4 | TCP: 443 | IP address: 0.0.0.0/0 |

Using ping Command to Verify Network Connectivity

Security groups deny all external requests by default. If you need to use the ping command to verify network connectivity to an ECS, add an inbound rule to the ECS security group to allow access using ICMP.

Table 8 Using ping command to verify network connectivity

| Direction | Priority | Action | Type | Protocol & Port | Source |
|---|---|---|---|---|---|
| Inbound | 1 | Allow | IPv4 | ICMP: All | IP address: 0.0.0.0/0 |
| Inbound | 1 | Allow | IPv6 | ICMP: All | IP address: ::/0 |

Enabling Communications Between Instances in Different Security Groups

ECSs in the same VPC but associated with different security groups cannot communicate with each other. For example, if ECSs in one security group need to access MySQL databases in another security group, you need to add an inbound rule to the security group of the MySQL databases that allows access from the security group of the ECSs over port 3306.

Table 9 Enabling instances in different security groups to communicate through an internal network

| Direction | Priority | Action | Type | Protocol & Port | Source |
|---|---|---|---|---|---|
| Inbound | 1 | Allow | IPv4 | TCP: 3306 | Security group: sg-A |

ECS Providing Database Access Service

A security group denies all external requests by default. If you have deployed a database on an ECS and need to allow other ECSs to access the database through an internal network, you need to add an inbound rule to the security group of the ECS with the database deployed to allow access over the relevant ports, for example, 3306 (MySQL), 1521 (Oracle), 1433 (MS SQL), 5432 (PostgreSQL), and 6379 (Redis).

In this example, the source is for reference only. Set the source address based on actual requirements.

Table 10 ECS providing database access service

| Direction | Priority | Action | Type | Protocol & Port | Source | Description |
|---|---|---|---|---|---|---|
| Inbound | 1 | Allow | IPv4 | TCP: 3306 | Security group: sg-A | Allows ECSs in security group sg-A to access the MySQL database. |
| Inbound | 1 | Allow | IPv4 | TCP: 1521 | Security group: sg-B | Allows ECSs in security group sg-B to access the Oracle database. |
| Inbound | 1 | Allow | IPv4 | TCP: 1433 | IP address: 172.16.3.21/32 | Allows the ECS whose private IP address is 172.16.3.21 to access the MS SQL database. |
| Inbound | 1 | Allow | IPv4 | TCP: 5432 | IP address: 192.168.0.0/24 | Allows ECSs whose private IP addresses are in the 192.168.0.0/24 network to access the PostgreSQL database. |
| Inbound | 1 | Allow | IPv4 | TCP: 6379 | IP address group: ipGroup-A | Allows ECSs whose private IP addresses belong to IP address group ipGroup-A to access the Redis database. |
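As an added example (not the cloud provider's own tooling), the following Python audit reads rules in the form the tables on this page use and flags inbound rules that expose the administrative and database ports named here (22, 3389, 20-21, 3306, 1521, 1433, 5432, 6379) to 0.0.0.0/0 or ::/0, while accepting the same wide source on the web ports of Table 7 and on ICMP as in Table 8. The rule list is constructed from Tables 2, 4, 5, 7, 8 and 10.

```python
import ipaddress

# Ports this page's examples open. Administrative and database ports should be
# limited to trusted sources (Tables 4 and 6); web ports are meant to be public.
RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 20: "FTP", 21: "FTP", 3306: "MySQL",
                    1521: "Oracle", 1433: "MS SQL", 5432: "PostgreSQL", 6379: "Redis"}

def parse_ports(spec):
    """'TCP: 20-21' -> ('tcp', 20, 21); 'ICMP: All' -> ('icmp', 0, 65535); 'All' -> ('all', 0, 65535)."""
    if ":" not in spec:
        return spec.lower(), 0, 65535
    proto, ports = (s.strip() for s in spec.split(":", 1))
    if ports.lower() == "all":
        return proto.lower(), 0, 65535
    lo, _, hi = ports.partition("-")
    return proto.lower(), int(lo), int(hi or lo)

def is_any_address(source):
    """True only for an IP-address source with a zero-length prefix (0.0.0.0/0 or ::/0)."""
    label, _, value = source.partition(":")
    if label.strip() != "IP address":
        return False        # security group and IP address group sources are scoped
    return ipaddress.ip_network(value.strip(), strict=False).prefixlen == 0

def audit(rules):
    findings = []
    for r in rules:
        if r["direction"] != "Inbound" or not is_any_address(r["source"]):
            continue
        proto, lo, hi = parse_ports(r["protocol_port"])
        if proto == "icmp":
            continue        # Table 8: ICMP from anywhere opens no listening service
        exposed = [f"{p}/{name}" for p, name in RESTRICTED_PORTS.items() if lo <= p <= hi]
        if exposed:
            findings.append(f"{r['protocol_port']} from {r['source']} exposes {', '.join(exposed)}")
    return findings

# Constructed from the page's tables (Tables 2, 4, 5, 7, 8 and 10)
SAMPLE_RULES = [
    {"direction": "Inbound", "protocol_port": "TCP: 22", "source": "IP address: 0.0.0.0/0"},
    {"direction": "Inbound", "protocol_port": "TCP: 22", "source": "IP address: 192.168.0.0/24"},
    {"direction": "Inbound", "protocol_port": "TCP: 20-21", "source": "IP address: 0.0.0.0/0"},
    {"direction": "Inbound", "protocol_port": "TCP: 443", "source": "IP address: 0.0.0.0/0"},
    {"direction": "Inbound", "protocol_port": "ICMP: All", "source": "IP address: ::/0"},
    {"direction": "Inbound", "protocol_port": "TCP: 3306", "source": "Security group: sg-A"},
]

def audit_sample():
    return audit(SAMPLE_RULES)
```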