Virtual Private CloudVirtual Private Cloud

Compute
Elastic Cloud Server
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
Domain Name Service
VPC Endpoint
Cloud Connect
Enterprise Switch
Security & Compliance
Anti-DDoS
Web Application Firewall
Host Security Service
Data Encryption Workshop
Database Security Service
Advanced Anti-DDoS
Data Security Center
Container Guard Service
Situation Awareness
Managed Threat Detection
Compass
Cloud Certificate Manager
Anti-DDoS Service
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GaussDB NoSQL
GaussDB(for MySQL)
Distributed Database Middleware
GaussDB(for openGauss)
Developer Services
ServiceStage
Distributed Cache Service
Simple Message Notification
Application Performance Management
Application Operations Management
Blockchain
API Gateway
Cloud Performance Test Service
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
DevCloud
ProjectMan
CodeHub
CloudRelease
CloudPipeline
CloudBuild
CloudDeploy
Cloud Communications
Message & SMS
Cloud Ecosystem
Marketplace
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP License Service
Support Plans
Customer Operation Capabilities
Partner Support Plans
Professional Services
enterprise-collaboration
Meeting
IoT
IoT
Intelligent EdgeFabric
DeveloperTools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Updated at: Apr 19, 2022 GMT+08:00

Adding a Security Group Rule

Scenarios

A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, to control inbound and outbound traffic. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC.

If the rules of the security group associated with your instance cannot meet your requirements, for example, you need to allow inbound traffic on a specified TCP port, you can add an inbound rule.

  • Inbound rules control incoming traffic to cloud resources in the security group.
  • Outbound rules control outgoing traffic from cloud resources in the security group.

For details about the default security group rules, see Default Security Groups and Security Group Rules. For details about security group rule configuration examples, see Security Group Configuration Examples.

Prerequisites

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. On the console homepage, under Networking, click Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Security Groups.
  5. On the Security Groups page, locate the target security group and click Manage Rule in the Operation column to switch to the page for managing inbound and outbound rules.
  6. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an inbound rule.
    You can click + to add more inbound rules.
    Figure 1 Add Inbound Rule
    Table 1 Inbound rule parameter description

    Parameter

    Description

    Example Value

    Priority

    The security group rule priority.

    The priority value ranges from 1 to 100. The default value is 1 and has the highest priority. The security group rule with a smaller value has a higher priority.

    1

    Action

    The security group rule actions.

    Deny rules take precedence over allow rules of the same priority.

    Allow

    Protocol & Port

    Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.

    TCP

    Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.

    Enter ports in the following format:
    • Individual port: Enter a port, such as 22.
    • Consecutive ports: Enter a port range, such as 22-30.
    • Non-consecutive ports: Enter ports and port ranges, such as 22,23-30. You can enter a maximum of 20 ports and port ranges. Each port range must be unique.
    • All ports: Leave it empty or enter 1-65535.

    22, or 22-30

    Type

    The IP address type. This parameter is available only after the IPv6 function is enabled.
    • IPv4
    • IPv6

    IPv4

    Source

    The source of the security group rule. The value can be a single IP address, an IP address group, or a security group to allow access from the IP address or instances in the security group. For example:
    • Single IP address: 192.168.10.10/32 (IPv4); 2002:50::44/127 (IPv6)
    • IP address range: 192.168.1.0/24 (IPv4); 2407:c080:802:469::/64 (IPv6)
    • All IP addresses: 0.0.0.0/0 (IPv4); ::/0 (IPv6)
    • Security group: sg-abc
    • IP address group: ipGroup-test

    If the source is a security group, this rule will apply to all instances associated with the selected security group.

    For more information about IP address groups, see IP Address Group Overview.

    0.0.0.0/0

    Description

    Supplementary information about the security group rule. This parameter is optional.

    The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    N/A

  7. On the Outbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters to add an outbound rule.
    You can click + to add more outbound rules.
    Figure 2 Add Outbound Rule
    Table 2 Outbound rule parameter description

    Parameter

    Description

    Example Value

    Priority

    The security group rule priority.

    The priority value ranges from 1 to 100. The default value is 1 and has the highest priority. The security group rule with a smaller value has a higher priority.

    1

    Action

    The security group rule actions.

    • Allow: Allows outbound traffic from instances in the security group based on the rule.
    • Deny: Denies outbound traffic from instances in the security group based on the rule.

    Deny rules take precedence over allow rules of the same priority.

    Allow

    Protocol & Port

    Protocol: The network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.

    TCP

    Port: The port or port range over which the traffic can leave your ECS. The value ranges from 1 to 65535.

    22, or 22-30

    Type

    The IP address type.
    • IPv4
    • IPv6

    IPv4

    Destination

    The destination of the security group rule. The value can be a single IP address, an IP address group, or a security group to allow access to the IP address or instances in the security group. For example:
    • Single IP address: 192.168.10.10/32 (IPv4); 2002:50::44/127 (IPv6)
    • IP address range: 192.168.1.0/24 (IPv4); 2407:c080:802:469::/64 (IPv6)
    • All IP addresses: 0.0.0.0/0 (IPv4); ::/0 (IPv6)
    • Security group: sg-abc
    • IP address group: ipGroup-test

    For more information about IP address groups, see IP Address Group Overview.

    0.0.0.0/0

    Description

    Supplementary information about the security group rule. This parameter is optional.

    The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    N/A

  8. Click OK.

Verification

After required security group rules are added, you can verify that the rules take effect. For example, you have deployed a website on ECSs. Users need to access your website over TCP (port 80), and you have added the security group rule shown in Table 3.

Table 3 Security group rule

Direction

Protocol

Port

Source

Inbound

TCP

80

0.0.0.0/0

Linux ECS

To verify the security group rule on a Linux ECS:

  1. Log in to the ECS.
  2. Run the following command to check whether TCP port 80 is being listened on:
    netstat -an | grep 80

    If command output shown in Figure 3 is displayed, TCP port 80 is being listened on.

    Figure 3 Command output for the Linux ECS
  3. Enter http://ECS EIP in the address box of the browser and press Enter.

    If the requested page can be accessed, the security group rule has taken effect.

Windows ECS

To verify the security group rule on a Windows ECS:

  1. Log in to the ECS.
  2. Choose Start > Accessories > Command Prompt.
  3. Run the following command to check whether TCP port 80 is being listened on:
    netstat -an | findstr 80

    If command output shown in Figure 4 is displayed, TCP port 80 is being listened on.

    Figure 4 Command output for the Windows ECS
  4. Enter http://ECS EIP in the address box of the browser and press Enter.

    If the requested page can be accessed, the security group rule has taken effect.

Related Operations

Allow Common Ports

You can click Allow Common Ports to allow traffic on some common ports, such as port 21, 22, 3389, 80, 443, and 20.

Figure 5 Allow Common Ports

Helpful Links

Did you find this page helpful?

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel