Updated on 2024-10-18 GMT+08:00

Overview

Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all ECSs added to this security group.

You can also customize a security group or use the default one. The system provides a default security group for you, which permits all outbound traffic and denies inbound traffic. ECSs in a security group are accessible to each other. For details about the default security group, see Default Security Groups and Rules.

If two ECSs are in the same security group but in different VPCs, the security group does not take effect. You can use a VPC peering connection to connect the two VPCs first. For details, see VPC Connectivity Options.

Security Group Rules

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the rules of that group.

Each security group has default rules. For details, see Default Security Groups and Rules. You can also customize security group rules. For details, see Configuring Security Group Rules.

Notes and Constraints

  • For better network performance, you are advised to associate an instance with no more than five security groups.
  • A security group can have no more than 6,000 instances associated, or its performance will deteriorate.
  • For inbound security group rules, the sum of the rules with Source set to Security group, of the rules with Source set to IP address group, and of the rules with inconsecutive ports, cannot exceed 120. If there are both IPv4 and IPv6 security group rules, up to 120 rules can be added for each type.

    The limits on outbound security group rules are the same as those on inbound rules.

    For example, to add inbound IPv4 rules to a security group (Sg-A), you can refer to Table 1 for rules that meet the restrictions. Of these rules, rule A02 uses inconsecutive ports (TCP: 22,25,27) and security group Sg-B as the source. In this case, only one quota is occupied.

    Table 1 Inbound security group rules

    Rule No.

    Action

    Type

    Protocol & Port

    Source

    Rule A01

    Allow

    IPv4

    All

    Current security group: Sg-A

    Rule A02

    Allow

    IPv4

    TCP: 22,25,27

    Another security group: Sg-B

    Rule A03

    Allow

    IPv4

    TCP: 80-82

    IP address group: ipGroup-A

    Rule A04

    Allow

    IPv4

    TCP: 22-24,25

    IP address: 192.168.0.0/16

  • If you specify an IP address group or inconsecutive ports for a security group rule, the rule is only applied for certain ECSs. For details, see Table 2.
    Table 2 Scenarios that security group rules do not take effect

    Rule Configuration

    ECS Type

    Source or Destination is set to IP address group.

    The following x86 ECS types are not supported:
    • General computing (S1, C1, and C2 ECSs)
    • Memory-optimized (M1 ECSs)
    • High-performance computing (H1 ECSs)
    • Disk-intensive (D1 ECSs)
    • GPU-accelerated (G1 and G2 ECSs)
    • Large-memory (E1, E2, and ET2 ECSs)

    Port is set to non-consecutive ports.

    The following x86 ECS types are not supported:

    • General computing (S1, C1, and C2 ECSs)
    • Memory-optimized (M1 ECSs)
    • High-performance computing (H1 ECSs)
    • Disk-intensive (D1 ECSs)
    • GPU-accelerated (G1 and G2 ECSs)
    • Large-memory (E1, E2, and ET2 ECSs)

    All Kunpeng ECS flavors do not support inconsecutive ports.

    If you use inconsecutive port numbers in a security group rule of a Kunpeng ECS, this rule and rules configured after this one do not take effect.

    If you configure security group rule A with inconsecutive ports 22,24 and then configure security group rule B with port 9096, both rule A and rule B do not take effect.

  • Traffic from load balancers is not restricted by network ACL and security group rules if:

    Transfer Client IP Address is enabled for the listener of a load balancer.

    The load balancer can still forward traffic to backend servers, even if there is a rule that denies traffic from the load balancer to the backend servers.