Updated on 2025-11-21 GMT+08:00

Configuring Custom Security Groups for Network Interfaces of Pods

CCI 2.0 allows you to configure custom security groups for the network interfaces of pods by adding annotations to the pod YAML. The annotations are read when the pod is created, so they must be present in the manifest that is submitted.

Constraints

  • The security groups must already exist and be valid when the pod is created.
  • The security group IDs configured for a single network interface must be unique. The same ID cannot be listed twice for one interface.
  • A maximum of five security groups can be configured for a single network interface. Separate multiple security group IDs with commas (,).
  • The security group rules must allow ICMP traffic to and from the subnet of the pods. Otherwise, the pods cannot be started. Check the inbound and outbound ICMP rules of each security group before adding it to a pod.
  • The security groups configured for the network interfaces of a pod cannot be updated after the pod is created. To change them, recreate the pod with the new annotation.

Configuring Security Groups for a Single Network Interface

You can configure the security groups for a pod with a single network interface by using the yangtse.io/security-group-ids annotation. The value is a comma-separated list of security group IDs.

apiVersion: v1
kind: Pod
metadata:
  name: sg-demo
  annotations:
    # Security groups for the network interface. Multiple security group IDs are separated with commas (,).
    yangtse.io/security-group-ids: 266b3179-d90d-4aae-b8c7-2996b6b44e1e,266b3179-d90d-4aae-b8c7-2996b6b44e1f
...

Configuring Security Groups for Multiple Network Interfaces

  • Scenario 1: Use the k8s.v1.cni.cncf.io/networks annotation to configure security groups for multiple network interfaces.

    The value of the annotation is a JSON array with one entry per network interface. The security-group-ids field in each entry specifies the security groups for that interface. yangtse.io/security-group-ids cannot be used to configure security groups for multiple network interfaces.

    kind: Pod
    metadata:
      annotations:
        # Pod security groups. Multiple security group IDs are separated with commas (,).
        k8s.v1.cni.cncf.io/networks: '[{"name":"default-network","interface":"eth0","security-group-ids":"40acb660-c100-4c94-8f40-0235e4e04511,266b3179-d90d-4aae-b8c7-2996b6b44e1e"},{"name":"second-network","interface":"eth1", "security-group-ids":"40acb660-c100-4c94-8f40-0235e4e04511"}]'
  • Scenario 2: Use the yangtse.io/multi-eip-ids annotation together with yangtse.io/security-group-ids. The yangtse.io/multi-eip-ids annotation binds multiple EIPs to the pod, and yangtse.io/security-group-ids configures the pod security groups.
    kind: Pod
    metadata:
      annotations:
        yangtse.io/multi-eip-ids: 1234d-d90d-4aae-b8c7-xxx,1234d-d90d-4aae-b8c7-yyy # Multiple EIPs. Multiple EIP IDs are separated with commas (,).
        yangtse.io/security-group-ids: 266b3179-d90d-4aae-b8c7-2996b6b44e1e,266b3179-d90d-4aae-b8c7-2996b6b44e1f # Pod security group configuration. Multiple security group IDs are separated with commas (,).
    ...
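Because the security groups of a pod cannot be changed after creation, it pays to check the annotations against the constraints above before the manifest is applied. The following validator is an added example for this page, not CCI product code or part of the original documentation. It covers both the single-interface annotation and the k8s.v1.cni.cncf.io/networks form: it enforces the unique-per-interface rule, the limit of five security groups per interface, and the rule that yangtse.io/security-group-ids is not used for multi-interface pods. The sample manifests in it are constructed, the IDs are placeholders, and the UUID format check is an assumption based on the IDs shown on this page. The ICMP-rule constraint requires querying the VPC service and is not checked here.

```python
"""Pre-apply validator for CCI pod security-group annotations.

Added example for this page, not CCI product code or part of the original
documentation. It checks the documented constraints (unique IDs per interface,
at most five per interface, yangtse.io/security-group-ids not used for
multi-interface pods) against a pod manifest before it is applied. The
manifests below are constructed sample input with placeholder IDs; the
UUID format check is an assumption based on the IDs shown on the page.
The ICMP-rule constraint needs the VPC API and is not checked here.
"""
import json
import re
from typing import Dict, List

SG_ANNOTATION = "yangtse.io/security-group-ids"
NETWORKS_ANNOTATION = "k8s.v1.cni.cncf.io/networks"
MAX_SGS_PER_INTERFACE = 5  # documented limit per network interface
# Assumption: security group IDs are UUIDs, as in the page's examples.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def split_ids(value: str) -> List[str]:
    """Split a comma-separated ID list, tolerating stray spaces around commas."""
    return [part.strip() for part in value.split(",") if part.strip()]


def check_interface(label: str, ids: List[str]) -> List[str]:
    """Apply the per-interface constraints; return a list of violations."""
    problems = []
    if not ids:
        problems.append(f"{label}: empty security group list")
    if len(ids) > MAX_SGS_PER_INTERFACE:
        problems.append(f"{label}: {len(ids)} security groups exceed the limit of {MAX_SGS_PER_INTERFACE}")
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        problems.append(f"{label}: duplicate security group ID {dup}")
    for sg in ids:
        if not UUID_RE.match(sg):
            problems.append(f"{label}: {sg} is not a well-formed security group ID")
    return problems


def validate_pod_security_groups(pod: Dict) -> List[str]:
    """Return all constraint violations in a pod manifest; an empty list means it passes."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    problems: List[str] = []
    if NETWORKS_ANNOTATION in annotations:
        # Multi-interface pod: security groups belong inside each network entry.
        if SG_ANNOTATION in annotations:
            problems.append(f"{SG_ANNOTATION} cannot configure multiple interfaces; "
                            f"use security-group-ids inside {NETWORKS_ANNOTATION}")
        try:
            networks = json.loads(annotations[NETWORKS_ANNOTATION])
        except json.JSONDecodeError as exc:
            return problems + [f"{NETWORKS_ANNOTATION} is not valid JSON: {exc}"]
        if not isinstance(networks, list):
            return problems + [f"{NETWORKS_ANNOTATION} must be a JSON array"]
        for entry in networks:
            sg_value = entry.get("security-group-ids")
            if sg_value is not None:  # entries without the field are not validated here
                problems.extend(check_interface(entry.get("interface", "?"), split_ids(sg_value)))
    elif SG_ANNOTATION in annotations:
        # Single-interface pod, or the multi-EIP scenario: one list for the pod.
        problems.extend(check_interface("pod", split_ids(annotations[SG_ANNOTATION])))
    return problems


def manifest(**annotations) -> Dict:
    """Build a minimal pod manifest carrying the given annotations (constructed input)."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "sg-demo", "annotations": annotations}}


# Constructed samples mirroring the page's two annotation styles.
SAMPLE_SINGLE = manifest(**{SG_ANNOTATION:
    "266b3179-d90d-4aae-b8c7-2996b6b44e1e,266b3179-d90d-4aae-b8c7-2996b6b44e1f"})
SAMPLE_MULTI = manifest(**{NETWORKS_ANNOTATION: json.dumps([
    {"name": "default-network", "interface": "eth0",
     "security-group-ids": "40acb660-c100-4c94-8f40-0235e4e04511,266b3179-d90d-4aae-b8c7-2996b6b44e1e"},
    {"name": "second-network", "interface": "eth1",
     "security-group-ids": "40acb660-c100-4c94-8f40-0235e4e04511"}])})
SAMPLE_DUPLICATE = manifest(**{SG_ANNOTATION:
    "266b3179-d90d-4aae-b8c7-2996b6b44e1e,266b3179-d90d-4aae-b8c7-2996b6b44e1e"})
SAMPLE_MIXED = manifest(**{NETWORKS_ANNOTATION: "[]", SG_ANNOTATION:
    "266b3179-d90d-4aae-b8c7-2996b6b44e1e"})

if __name__ == "__main__":
    for name, pod in [("single", SAMPLE_SINGLE), ("multi", SAMPLE_MULTI),
                      ("duplicate", SAMPLE_DUPLICATE), ("mixed", SAMPLE_MIXED)]:
        issues = validate_pod_security_groups(pod)
        print(name, "OK" if not issues else issues)
```

Run the check in CI or as a pre-commit step on the rendered manifest; a non-empty result should block the apply, since a pod that starts with the wrong security groups has to be deleted and recreated to fix them.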