Updated on 2024-04-30 GMT+08:00

Importing and Exporting Security Group Rules

Scenarios

You can configure security group rules in an Excel file and import the rules to the security group. You can also export security group rules to an Excel file.

You can import and export security group rules in the following scenarios:

  • If you want to back up security group rules locally, you can export the rules to an Excel file.
  • If you want to quickly create or restore security group rules, you can import your security group rule file to the security group.
  • If you want to quickly apply the rules of one security group to another, you can export and import existing rules.
  • If you want to modify multiple rules of the current security group at a time, you can export and import existing rules.

Notes and Constraints

  • The security group rules to be imported must be configured based on the template. Do not add parameters or change existing parameters. Otherwise, the import will fail.
  • If you import a security group rule with Source/Destination set to a security group or IP address group, ensure that the group ID is correct. Otherwise, the import will fail.
  • If the security group rules to be imported are the same as existing ones, the system automatically deletes them and continues to execute the import.
  • Do not import two security group rules with the same Direction, Type, Protocol & Port, and Source/Destination, but different Action configurations. Table 1 shows an example.
    • If a rule to be imported conflicts with an existing rule in the security group, the import will fail. In this case, rectify the fault as prompted.
    • If rules to be imported conflict with each other, the import will fail. In this case, rectify the fault as prompted.
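    Table 1 Rules with different actions

    | Rule   | Direction | Priority | Action | Type | Protocol & Port | Destination |
    |--------|-----------|----------|--------|------|-----------------|-------------|
    | Rule A | Inbound   | 1        | Allow  | IPv4 | TCP: 22         | 0.0.0.0/0   |
    | Rule B | Inbound   | 5        | Deny   | IPv4 | TCP: 22         | 0.0.0.0/0   |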

  • If you want to import rules of the security group in one region to another under one account, only rules with both Source and Destination set to IP address can be applied.
  • If you want to import rules of the security group in one account to the security group in another account, only rules with both Source and Destination set to IP address can be applied.
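A pre-import check for two of the constraints above, added here as an example (it is not code from the console or its vendor): it finds rules that differ only in Action, and rules whose Source/Destination is not an IP address and therefore cannot be applied in another region or account. Rows are modeled as Python dicts keyed by the template's column names, which is an assumption about how the sheet is loaded; the first two rows are Rule A and Rule B from Table 1, the rest are constructed.

```python
import ipaddress
from collections import defaultdict

# Rows 0-1 are Rule A / Rule B from Table 1; rows 2-3 are constructed samples.
# Dict keys mirror the template column names (assumed loading format).
RULES = [
    {"Direction": "Inbound", "Priority": 1, "Action": "Allow", "Type": "IPv4",
     "Protocol & Port": "TCP: 22", "Destination": "0.0.0.0/0"},
    {"Direction": "Inbound", "Priority": 5, "Action": "Deny", "Type": "IPv4",
     "Protocol & Port": "TCP: 22", "Destination": "0.0.0.0/0"},
    {"Direction": "Inbound", "Priority": 1, "Action": "Allow", "Type": "IPv4",
     "Protocol & Port": "TCP: 443", "Source": "sg-test(96a8a93f-XXX-d7872990c314)"},
    {"Direction": "Outbound", "Priority": 1, "Action": "Allow", "Type": "IPv4",
     "Protocol & Port": "TCP: 443", "Destination": "192.168.52.0/24"},
]

def peer(rule):
    """Return whichever of Source/Destination the row fills in."""
    return rule.get("Source") or rule.get("Destination") or ""

def conflicting_rules(rules):
    """Index groups that share Direction, Type, Protocol & Port and
    Source/Destination but carry different Actions (Priority is ignored)."""
    groups = defaultdict(list)
    for i, r in enumerate(rules):
        key = (r["Direction"], r["Type"], r["Protocol & Port"], peer(r))
        groups[key].append(i)
    return [idx for idx in groups.values()
            if len({rules[i]["Action"] for i in idx}) > 1]

def non_portable_rules(rules):
    """Indexes of rules whose Source/Destination is a security group or
    IP address group reference rather than an IP address or CIDR block."""
    bad = []
    for i, r in enumerate(rules):
        try:
            ipaddress.ip_network(peer(r), strict=False)
        except ValueError:
            bad.append(i)
    return bad
```

Running both functions on an exported sheet before editing it shows which rows would make the import fail and which would be dropped when the file is reused in another region or account.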

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner and choose Networking > Virtual Private Cloud.

    The Virtual Private Cloud page is displayed.

  4. In the navigation pane on the left, choose Access Control > Security Groups.

    The security group list is displayed.

  5. On the security group list, click the name of the target security group.

    The security group details page is displayed.

  6. Export and import security group rules.
    • Click Export Rule to export all rules of the current security group to an Excel file.
    • Click Import Rule to import security group rules from an Excel file into the current security group.
      Table 2 describes the parameters in the template for importing rules.
      Table 2 Template parameters

      Parameter: Direction
      Description: The direction in which the security group rule takes effect.
      • Inbound: Inbound rules control incoming traffic to instances in the security group.
      • Outbound: Outbound rules control outgoing traffic from instances in the security group.
      Example value: Inbound

      Parameter: Priority
      Description: The priority value ranges from 1 to 100. The default value is 1, which is the highest priority. A rule with a smaller value has a higher priority.
      Example value: 1

      Parameter: Action
      Description: Allow or Deny
      • If the Action is set to Allow, access from the source is allowed to ECSs in the security group over specified ports.
      • If the Action is set to Deny, access from the source is denied to ECSs in the security group over specified ports.

      Security group rules are matched by priority and then by action. Deny rules take precedence over allow rules. For more information, see How Traffic Matches Security Group Rules.
      Example value: Allow

      Parameter: Protocol & Port
      Description (protocol): The network protocol used to match traffic in a security group rule. The value can be All, TCP, UDP, GRE, or ICMP.
      Example value: TCP
      Description (port): Destination port used to match traffic in a security group rule. The value can be from 1 to 65535.

      Inbound rules control incoming traffic over specific ports to instances in the security group.

      Outbound rules control outgoing traffic over specific ports from instances in the security group.
      Example value: 22, or 22-30

      Parameter: Type
      Description: Source IP address version. You can select:
      • IPv4
      • IPv6
      Example value: IPv4

      Parameter: Source
      Description: The source in an inbound rule is used to match the IP address or address range of an external request. The source can be:
      • IP address:
        • Single IP address: IP address/mask

          Example IPv4 address: 192.168.10.10/32

          Example IPv6 address: 2002:50::44/128

        • IP address range in CIDR notation: IP address/mask

          Example IPv4 address range: 192.168.52.0/24

          Example IPv6 address range: 2407:c080:802:469::/64

        • All IP addresses

          0.0.0.0/0 represents all IPv4 addresses.

          ::/0 represents all IPv6 addresses.

      • Security group: The source is from another security group. You can select a security group in the same region under the current account. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with Action set to Allow and Source set to security group B, access from instance B is allowed to instance A.

        A security group is in the format of Security group name(Security group ID). An example is sg-test(96a8a93f-XXX-d7872990c314).

      • IP address group: An IP address group is a collection of one or more IP addresses. You can select an available IP address group. An IP address group helps you manage IP address ranges and IP addresses with the same security requirements more simply.

        An IP address group is in the format of IP address group name(IP address group ID). An example is ipGroup-test(96a8a93f-XXX-d7872990c314).
      Example value: sg-test[96a8a93f-XXX-d7872990c314]

      Parameter: Destination
      Description: The destination in an outbound rule is used to match the IP address or address range of an internal request. The destination can be:
      • IP address
        • Single IP address: IP address/mask

          Example IPv4 address: 192.168.10.10/32

          Example IPv6 address: 2002:50::44/128

        • IP address range in CIDR notation: IP address/mask

          Example IPv4 address range: 192.168.52.0/24

          Example IPv6 address range: 2407:c080:802:469::/64

        • All IP addresses

          0.0.0.0/0 represents all IPv4 addresses.

          ::/0 represents all IPv6 addresses.

      • Security group: The destination is from another security group. Instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with Action set to Allow and Destination set to security group B, access from instance A is allowed to instance B.

        A security group is in the format of Security group name(Security group ID). An example is sg-test(96a8a93f-XXX-d7872990c314).

      • IP address group: An IP address group is a collection of one or more IP addresses. An IP address group helps you manage IP address ranges and IP addresses with the same security requirements more simply.

        An IP address group is in the format of IP address group name(IP address group ID). An example is ipGroup-test(96a8a93f-XXX-d7872990c314).
      Example value: sg-test[96a8a93f-XXX-d7872990c314]

      Parameter: Description
      Description: Supplementary information about the security group rule. This parameter is optional.

      The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example value: -

      Parameter: Last Modified
      Description: The time when the security group was modified.
      Example value: -
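The value ranges in Table 2 can be checked row by row before a file is imported. The validator below is an added example, not part of the console or the template: it assumes each row is a dict keyed by the template's column names, that Protocol & Port is written as in Table 1 ("TCP: 22"), and that a group reference uses either of the two bracket styles the page shows.

```python
import ipaddress
import re

PROTOCOLS = {"All", "TCP", "UDP", "GRE", "ICMP"}
# The page shows group references as name(ID) and as name[ID]; accept both.
GROUP_REF = re.compile(r"^[^()\[\]]+[(\[][^()\[\]]+[)\]]$")

def port_ok(spec):
    """True for a single port ('22') or a range ('22-30') within 1-65535."""
    bounds = [b.strip() for b in spec.split("-")]
    if len(bounds) > 2 or not all(b.isdigit() for b in bounds):
        return False
    nums = [int(b) for b in bounds]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)

def validate_rule(rule):
    """Return the names of the columns that break a Table 2 constraint."""
    errs = []
    if rule.get("Direction") not in ("Inbound", "Outbound"):
        errs.append("Direction")
    prio = rule.get("Priority")
    if not (type(prio) is int and 1 <= prio <= 100):
        errs.append("Priority")
    if rule.get("Action") not in ("Allow", "Deny"):
        errs.append("Action")
    proto, _, port = str(rule.get("Protocol & Port", "")).partition(":")
    if proto.strip() not in PROTOCOLS or (port.strip() and not port_ok(port)):
        errs.append("Protocol & Port")
    peer = str(rule.get("Source") or rule.get("Destination") or "")
    try:
        version = ipaddress.ip_network(peer, strict=False).version
    except ValueError:
        version = None  # not an IP address: must be a group reference
        if not GROUP_REF.match(peer):
            errs.append("Source/Destination")
    typ = rule.get("Type")
    if typ not in ("IPv4", "IPv6") or (version and typ != f"IPv{version}"):
        errs.append("Type")
    desc = rule.get("Description") or ""
    if len(desc) > 255 or "<" in desc or ">" in desc:
        errs.append("Description")
    return errs
```

The check confirms only that a group reference is well formed; whether the group ID exists in the target region and account still has to be verified separately.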