Overview

Security Group

A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted. After a security group is created, you can configure access rules that will apply to all cloud resources added to this security group.

A security group can have inbound and outbound rules. You need to specify the source, port, and protocol for each inbound rule and specify the destination, port, and protocol for each outbound rule to control the inbound and outbound traffic to and from the instances in the security group. As shown in Figure 1, there is a VPC (VPC-A) with a subnet (Subnet-A) in region A. A FlexusX instance is running in Subnet-A and associated with security group Sg-A.

Security group Sg-A has a custom inbound rule to allow ICMP traffic to the instance from your PC over all ports. However, the security group does not contain a rule to allow external access to the instance over the SSH port 22 or RDP port 3389. As a result, you cannot remotely log in to the FlexusX instance from your PC.
If the FlexusX instance needs to access the Internet through an EIP, the outbound rule of Sg-A must allow all traffic from the FlexusX instance to the Internet.

Figure 1 Security group architecture

For more information about security groups, see security groups.

A security group works only when the network communication is normal. If two FlexusX instances are in the same security group but in different VPCs, the instances cannot communicate with each other. To enable communications between the two instances, connect the two VPCs first. For details, see Connecting VPCs.

Security Group Rules

After a security group is created, you can add rules to it. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). Any FlexusX instances added to the security group are protected by the rules of that group. For details about more configuration examples, see Security Group Examples.

You can specify the protocol, port, source/destination for a security group rule. The following table describes key parameters about a security group rule.

**Table 1** Key parameters in a security group rule
Parameter	Description
Priority	The value range is from 1 to 100. A smaller value indicates a higher priority. Security group rules are matched first by priority and then by action. Deny rules take precedence over allow rules.
Action	The action can be Allow or Deny. If the protocol, port, source or destination of the traffic matches a security group rule, traffic will be allowed or denied.
Type	IPv4 or IPv6.
Protocol & Port	Network protocol type and port range. Protocol: the protocol that is used to match traffic. The protocol can be TCP, UDP, ICMP, or GRE. Port: the destination port range that is used to match traffic. The value range is from 1 to 65535.
Source/Destination	Source address of traffic in the inbound direction or destination address of traffic in the outbound direction. The source or destination can be an IP address, security group, or IP address group. IP address: an IPv4/IPv6 address or IPv4/IPv6 CIDR block, for example, 192.168.10.10/32 (IPv4 address), 192.168.1.0/24 (IPv4 CIDR block), or 2407:c080:802:469::/64 (IPv6 CIDR block). Security group: If the selected security group and the current security group are in the same region, the traffic is allowed or denied to the private IP addresses of all instances in the selected security group. For example, if there is instance A in security group A and instance B in security group B, and the inbound rule of security group A allows traffic from security group B, traffic is allowed from instance B to instance A. IP address group: If you have multiple IP addresses with the same security requirements, you can add them to an IP address group and select this IP address group when you configure a rule. This helps you manage them in an easier way.

You can create a custom security group or use the default one provided by the system. The default security group allows all outbound traffic and denies inbound traffic. FlexusX instances in a security group can communicate with each other without adding any rules.

**Table 2** Default security group rules
Direction	Action	Type	Protocol & Port	Source/Destination	Description
Inbound	Allow	IPv4	All	Source: default security group (default)	Allows instances in the security group to communicate with each other over IPv4 protocols.
Inbound	Allow	IPv6	All	Source: default security group (default)	Allows instances in the security group to communicate with each other over IPv6 protocols.
Outbound	Allow	IPv4	All	Destination: 0.0.0.0/0	Allows access from instances in the security group to any IPv4 address over any port.
Outbound	Allow	IPv6	All	Destination: ::/0	Allows access from instances in the security group to any IPv6 address over any port.

Security Group Constraints

By default, you can create up to 100 security groups in your cloud account.
By default, you can add up to 50 rules to a security group.
For better network performance, you are advised to associate no more than five security groups with a FlexusX instance or supplementary network interface.
You can add up to 20 instances to a security group at a time.
You can add up to 1,000 instances to a security group.