Updated on 2024-02-05 GMT+08:00

Overview

Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all ECSs added to this security group.

You can also customize a security group or use the default one. The system provides a default security group for you, which permits all outbound traffic and denies inbound traffic. ECSs in a security group are accessible to each other. For details about the default security group, see Default Security Group and Rules.

If two ECSs are in the same security group but in different VPCs, the security group does not take effect. You can use a VPC peering connection to connect the two VPCs first. For details, see VPC Connectivity.

Security Group Rules

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the rules of that group.

Each security group has default rules. For details, see Default Security Group and Rules. You can also customize security group rules. For details, see Configuring Security Group Rules.

Security Group Constraints

  • For better network performance, you are advised to associate no more than five security groups to an instance.
  • A security group can have no more than 6,000 instances associated, or performance will deteriorate.
  • In a security group, the total number of inbound rules must be less than or equal to 128. The sum of the number of rules whose source addresses are security groups, the number of rules whose source addresses are IP address groups, and the number of rules whose port numbers are inconsecutive must be less than or equal to 128. Otherwise, the excess rules do not take effect. The restriction in the outbound direction is the same as that in the inbound direction.
    • If the source is a security group, the security group can be the current security group or other security groups.
    • Inconsecutive port numbers are 22, 25, and 27.
  • If you specify an IP address group or inconsecutive ports for a security group rule, the rule takes effect only for certain ECSs. For details, see Table 1.
    Table 1 Scenarios that security group rules do not take effect

    Rule Configuration

    ECS Type

    Source or Destination is set to IP address group.

    The following x86 ECS types are not supported:
    • General computing (S1, C1, and C2 ECSs)
    • Memory-optimized (M1 ECSs)
    • High-performance computing (H1 ECSs)
    • Disk-intensive (D1 ECSs)
    • GPU-accelerated (G1 and G2 ECSs)
    • Large-memory (E1, E2, and ET2 ECSs)

    Port is set to non-consecutive ports.

    The following x86 ECS types are not supported:

    • General computing (S1, C1, and C2 ECSs)
    • Memory-optimized (M1 ECSs)
    • High-performance computing (H1 ECSs)
    • Disk-intensive (D1 ECSs)
    • GPU-accelerated (G1 and G2 ECSs)
    • Large-memory (E1, E2, and ET2 ECSs)

    All Kunpeng ECS flavors do not support inconsecutive ports.

    If you use inconsecutive port numbers in a security group rule of a Kunpeng ECS, this rule and rules configured after this one do not take effect.

    If you configure security group rule A with inconsecutive ports 22,24 and then configure security group rule B with port 9096, both rule A and rule B do not take effect.