Does the Security Group of a VPC Affect the Use of SFS?
A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group. The default security group rule allows all outgoing data packets. ECSs in a security group can communicate with each other without the need to add rules. The system creates a security group for each cloud account by default. You can also create custom security groups by yourself.
For a general-purpose file system, you need to add inbound and outbound rules for the security group. For details, see Adding a Security Group Rule. The inbound ports required by NFS are ports 111, 2049, and 2050.
Example Configuration
- Inbound rule

| Direction | Protocol | Port Range | Source IP Address | Description |
|---|---|---|---|---|
| Inbound | TCP | 111 | IP Address: 0.0.0.0/0 (All IP addresses are allowed. It can be modified.) | One port corresponds to one access rule. You need to add rules for the ports one by one. |

- Outbound rule

| Direction | Protocol | Port Range | Source IP Address | Description |
|---|---|---|---|---|
| Outbound | TCP | 111 | IP Address: 0.0.0.0/0 (All IP addresses are allowed. It can be modified.) | One port corresponds to one access rule. You need to add rules for the ports one by one. |

Enter an IP address range using a mask. For example, enter 192.168.1.0/24, and do not enter 192.168.1.0-192.168.1.255. If the source IP address is 0.0.0.0/0, all IP addresses are allowed. For more information, see Security Groups and Security Group Rule Overview.
A bidirectional access rule must be configured for port 111. The inbound rule can be set to the frontend service IP address range of SFS. You can obtain the IP address range by running ping <domain name or IP address of the general-purpose file system> or dig <domain name or IP address of the general-purpose file system>.
For ports 2049 (TCP) and 2050 (TCP), outbound rules need to be added, which are the same as the outbound rule of port 111.
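
The rule set described above (port 111 in both directions, ports 2049 and 2050 outbound, sources written in mask notation) can be checked mechanically before a mount is attempted. The following Python script is an added example, not part of the SFS documentation; the rule dictionary layout and the function name audit_rules are assumptions, and the sample rules are constructed.

```python
import ipaddress

# Rules this page asks for: TCP 111 in both directions,
# TCP 2049 and TCP 2050 outbound.
REQUIRED = {("inbound", 111), ("outbound", 111),
            ("outbound", 2049), ("outbound", 2050)}


def audit_rules(rules):
    """Return (missing, findings) for a list of security group rules.

    Each rule is a dict with the keys "direction", "protocol", "port"
    and "cidr" (hypothetical layout, not a cloud API schema).
    """
    present, findings = set(), []
    for r in rules:
        label = f'{r["direction"]} {r["protocol"]}/{r["port"]} {r["cidr"]}'
        try:
            # Mask notation such as 192.168.1.0/24 parses; a dash range
            # such as 192.168.1.0-192.168.1.255 raises ValueError.
            net = ipaddress.ip_network(r["cidr"], strict=False)
        except ValueError:
            findings.append(f"invalid CIDR (use a mask, not a range): {label}")
            continue
        if r["protocol"].upper() != "TCP":
            continue
        key = (r["direction"].lower(), int(r["port"]))
        if key in REQUIRED:
            present.add(key)
            if net.prefixlen == 0:
                # 0.0.0.0/0 allows every address; the page notes it can be
                # narrowed, e.g. to the SFS frontend service range.
                findings.append(f"open to all addresses, consider narrowing: {label}")
    return sorted(REQUIRED - present), findings


# Constructed sample rule set: 2049 uses a dash range, 2050 is absent.
SAMPLE_RULES = [
    {"direction": "Inbound", "protocol": "TCP", "port": 111, "cidr": "0.0.0.0/0"},
    {"direction": "Outbound", "protocol": "TCP", "port": 111, "cidr": "192.168.1.0/24"},
    {"direction": "Outbound", "protocol": "TCP", "port": 2049,
     "cidr": "192.168.1.0-192.168.1.255"},
]

if __name__ == "__main__":
    missing, findings = audit_rules(SAMPLE_RULES)
    for direction, port in missing:
        print(f"missing rule: {direction} TCP/{port}")
    for finding in findings:
        print(finding)
```

A rule with an unparsable source does not count as present, so the dash-range entry for port 2049 is reported both as invalid and as a missing rule.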