Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
Help Center/ Elastic Cloud Server/ User Guide/ Security/ Security Groups/ Security Group Configuration Examples

Security Group Configuration Examples

Updated on 2025-02-19 GMT+08:00
When you create instances, such as cloud servers, containers, and databases, in a VPC subnet, you can use the default security group or create a security group. You can add inbound and outbound rules to the default or your security group to control traffic from and to the instances in the security group. Here are some common security group configuration examples:
NOTICE:

If your security group rules are not applied, submit a service ticket.

Precautions

Note the following before configuring security group rules:

  • Instances associated with different security groups are isolated from each other by default.
  • Generally, a security group denies all external requests by default, while allowing instances in it to communicate with each other.

    If required, you can add inbound rules to allow specific traffic to access the instances in the security group.

  • If the source is set to 0.0.0.0/0 or::/0, then the access from all external IP addresses are either allowed or denied, depending on if the action is Allow or Deny. If the access is allowed, exposing high-risk ports, such as port 22, 3389, or 8848, to the public network will leave your instances vulnerable to network intrusions, service interruptions, data leakage, or ransomware attacks. You should only configure trusted IP addresses for the security group rule.
  • By default, outbound security group rules allow all requests from the instances in the security group to access external resources.
    If outbound rules are deleted, the instances in the security group cannot communicate with external resources. To allow outbound traffic, you need to add outbound rules by referring to Table 1.
    Table 1 Default outbound rules in a security group

    Direction

    Priority

    Action

    Type

    Protocol & Port

    Destination

    Description

    Outbound

    1

    Allow

    IPv4

    All

    0.0.0.0/0

    Allows the instances in the security group to access any IPv4 address over any port.

    Outbound

    1

    Allow

    IPv6

    All

    ::/0

    Allows the instances in the security group to access any IPv6 address over any port.

Remotely Logging In to an ECS from a Local Server

A security group denies all external requests by default. To remotely log in to an ECS in a security group from a local server, add an inbound rule based on the OS running on the ECS.

  • To remotely log in to a Linux ECS using SSH, enable port 22. For details, see Table 2.
  • To remotely log in to a Windows ECS using RDP, enable port 3389. For details, see Table 3.
    Table 2 Remotely logging in to a Linux ECS using SSH

    Direction

    Priority

    Action

    Type

    Protocol & Port

    Source

    Inbound

    1

    Allow

    IPv4

    TCP: 22

    IP address: 0.0.0.0/0

    Table 3 Remotely logging in to a Windows ECS using RDP

    Direction

    Priority

    Action

    Type

    Protocol & Port

    Source

    Inbound

    1

    Allow

    IPv4

    TCP: 3389

    IP address: 0.0.0.0/0

    NOTICE:

    If the source is set to 0.0.0.0/0, all external IP addresses are allowed to remotely log in to the ECS. To ensure network security and prevent service interruptions caused by network intrusions, set the source to a trusted IP address. For details, see Table 4.

    Table 4 Remotely logging in to an ECS using a trusted IP address

    ECS Type

    Direction

    Priority

    Action

    Type

    Protocol & Port

    Source

    Linux ECS

    Inbound

    1

    Allow

    IPv4

    TCP: 22

    IP address: 192.168.0.0/24

    Windows ECS

    Inbound

    1

    Allow

    IPv4

    TCP: 3389

    IP address: 10.10.0.0/24

Remotely Connecting to an ECS from a Local Server to Upload or Download Files over FTP

By default, a security group denies all external requests. If you need to remotely connect to an ECS from a local server to upload or download files over FTP, you need to enable FTP ports 20 and 21.

Table 5 Remotely connecting to an ECS from any server to upload or download files over FTP

Direction

Priority

Action

Type

Protocol & Port

Source

Inbound

1

Allow

IPv4

TCP: 20-21

IP address: 0.0.0.0/0

NOTICE:
  • If the source is set to 0.0.0.0/0, all external IP addresses are allowed to remotely log in to the ECS to upload or download files. To ensure network security and prevent service interruptions caused by network intrusions, set the source to a trusted IP address. For details, see Table 6.
  • You must first install the FTP server program on the ECSs and then check whether ports 20 and 21 are working properly.
Table 6 Remotely connecting to an ECS from a trusted server to upload or download files

Direction

Priority

Action

Type

Protocol & Port

Source

Inbound

1

Allow

IPv4

TCP: 20-21

IP address: 192.168.0.0/24

Setting Up a Website on an ECS to Provide Internet-Accessible Services

A security group denies all external requests by default. If you set up a website on an ECS to allow access from the Internet, you need to add an inbound rule to the ECS security group to allow access over specific ports, such as HTTP (80) and HTTPS (443).

Table 7 Setting up a website on an ECS to provide services internet-accessible services

Direction

Priority

Action

Type

Protocol & Port

Source

Inbound

1

Allow

IPv4

TCP: 80

IP address: 0.0.0.0/0

Inbound

1

Allow

IPv4

TCP: 443

IP address: 0.0.0.0/0

Using ping Command to Verify Network Connectivity

Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request. To ping an ECS from your PC to verify the network connectivity, you need to add an inbound rule to the security group of the ECS to allow ICMP traffic.

Table 8 Using ping command to verify network connectivity

Direction

Priority

Action

Type

Protocol & Port

Source

Inbound

1

Allow

IPv4

ICMP: All

IP address: 0.0.0.0/0

Inbound

1

Allow

IPv6

ICMP: All

IP address: ::/0

Enabling Communications Between Instances in Different Security Groups

Instances in the same VPC but in different security groups cannot communicate with each other. If you want ECSs in security group sg-A to access MySQL databases in security group sg-B, you need to add an inbound rule to security group sg-B to allow access from ECSs in security group sg-A.

Table 9 Enabling communications between instances in different security groups

Direction

Priority

Action

Type

Protocol & Port

Source

Inbound

1

Allow

IPv4

TCP: 3306

Security group: sg-A

NOTICE:

In the example in "Allowing Traffic from a Virtual IP Address" in How Security Groups Are Used, two ECSs in Subnet-A and Subnet-B are connected by a virtual IP address. If you set the source of inbound rules to the security groups associated with the ECSs, the ECSs in the two security groups cannot communicate with each other. To enable communications between them, set the source to the private IP address or subnet CIDR block of the virtual IP address.

Allowing External Instances to Access the Database Deployed on an ECS

A security group denies all external requests by default. If you have deployed a database on an ECS and want the database to be accessed from external instances on a private network, you need to add an inbound rule to the security group of the ECS to allow access over corresponding ports. Here are some common ports for databases:
  • MySQL: port 3306
  • Oracle: port 1521
  • MS SQL: port 1433
  • PostgreSQL: port 5432
  • Redis: port 6379
Table 10 Allowing external instances to access the database deployed on an ECS

Direction

Priority

Action

Type

Protocol & Port

Source

Description

Inbound

1

Allow

IPv4

TCP: 3306

Security group: sg-A

Allows the ECSs in security group sg-A to access the MySQL database.

Inbound

1

Allow

IPv4

TCP: 1521

Security group: sg-B

Allows the ECSs in security group sg-B to access the Oracle database.

Inbound

1

Allow

IPv4

TCP: 1433

IP address: 172.16.3.21/32

Allows the ECS whose private IP address is 172.16.3.21 to access the MS SQL database.

Inbound

1

Allow

IPv4

TCP: 5432

IP address: 192.168.0.0/24

Allows ECSs whose private IP addresses are in the 192.168.0.0/24 network to access the PostgreSQL database.

Inbound

1

Allow

IPv4

TCP: 6379

IP address group: ipGroup-A

Allows ECSs whose private IP addresses are in IP address group ipGroup-A to access the Redis database.

NOTICE:

In this example, the source IP addresses are for reference only. Replace them with actual IP addresses.

Allowing ECSs to Access Only Specific External Websites

By default, a security group allows all outbound traffic. Table 12 lists the default outbound rules. If you want to allow ECSs to access only specific websites, configure the security group as follows:

  1. Add outbound rules to only allow traffic over specific ports to specific IP addresses.
    Table 11 Allowing ECSs to access only specific external websites

    Direction

    Priority

    Action

    Type

    Protocol & Port

    Destination

    Description

    Outbound

    1

    Allow

    IPv4

    TCP: 80

    IP address: 132.15.XX.XX

    Allows ECSs in the security group to access the external website at http://132.15.XX.XX:80.

    Outbound

    1

    Allow

    IPv4

    TCP: 443

    IP address: 145.117.XX.XX

    Allows ECSs in the security group to access the external website at https://145.117.XX.XX:443.

  2. Delete the default outbound rules that allow all traffic.
    Table 12 Default outbound rules in a security group

    Direction

    Priority

    Action

    Type

    Protocol & Port

    Destination

    Description

    Outbound

    1

    Allow

    IPv4

    All

    0.0.0.0/0

    Allows the instances in the security group to access any IPv4 address over any port.

    Outbound

    1

    Allow

    IPv6

    All

    ::/0

    Allows the instances in the security group to access any IPv6 address over any port.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback