Overview
Security Groups
A security group is a collection of access control rules for cloud resources, such as cloud servers, containers, and databases, that have the same security protection requirements and that are mutually trusted. After a security group is created, you can configure access rules that will apply to all cloud resources added to this security group.
When you create a FlexusL instance, the system automatically creates a default security group (sg-default-smb) and associates it with the instance. You can also create a security group based on service requirements and associate it with the instance. An instance can be associated with multiple security groups, and traffic to and from the instance is matched by priority in a descending order.
- Security group sg-default-smb has a custom inbound rule to allow ICMP traffic to the FlexusL instance from your PC over all ports. However, the security group does not contain a rule to allow external access to the instance over the SSH port 22 or RDP port 3389. As a result, you cannot remotely log in to the FlexusL instance from your PC.
- If the FlexusL instance needs to access the Internet through an EIP, the outbound rule of sg-default-smb must allow all traffic from the FlexusL instance to the Internet.
For more information about security groups, see Security Group.
Security Group Rules
- Inbound rules: control traffic to the instances in a security group.
- Outbound rules: control traffic from the instances in a security group to access external networks.
Parameter |
Description |
---|---|
Priority |
The value ranges from 1 to 100. A smaller value indicates a higher priority. Security group rules are matched by priority and then by action. Deny rules take precedence over allow rules. |
Action |
Allow or Deny. If the protocol, port, source or destination of the traffic matches a security group rule, traffic will be allowed or denied. |
Type |
IPv4 or IPv6. |
Protocol & Port |
Network protocol type and port range.
|
Source or Destination |
Source address of traffic in the inbound direction or destination address of traffic in the outbound direction. The source or destination can be an IP address, security group, or IP address group.
|
By default, the inbound rules of FlexusL default security group sg-default-smb only allow instances in the same security group to communicate with each other and deny all external requests. The security group outbound rules enable all ports and allow all requests that originate from the instances in the security group. Each security group has default rules. For details, see Table 2. You can also customize security group rules. For details, see Configuring Security Group Rules for a FlexusL Instance.
Direction |
Action |
Type |
Protocol & Port |
Source/Destination |
Description |
---|---|---|---|---|---|
Inbound |
Allow |
IPv4 |
All |
Source: sg-default-smb |
Allows instances in the security group to communicate with each other over IPv4 protocols. |
Inbound |
Allow |
IPv6 |
All |
Allows instances in the security group to communicate with each other over IPv6 protocols. |
|
Outbound |
Allow |
IPv4 |
All |
Destination: 0.0.0.0/0 |
Allows access from instances in the security group to any IPv4 address over any port. |
Outbound |
Allow |
IPv6 |
All |
Destination: ::/0 |
Allows access from instances in the security group to any IPv6 address over any port. |

If the source is set to 0.0.0.0/0 or::/0, all external IP addresses are either allowed or denied to access your instances, depending on if the action is Allow or Deny. If the access is allowed, exposing high-risk ports, such as port 22, 3389, or 8848, to the public network will leave your instances vulnerable to network intrusions, service interruptions, data leakage, or ransomware attacks. You should only configure known IP addresses for the source in security group rules.
Security Group Constraints
- By default, you can create up to 100 security groups in your cloud account.
- By default, you can add up to 50 rules to a security group.
- For better network performance, you are advised to associate no more than five security groups with a FlexusL instance or supplementary network interface.
- You can add up to 20 instances to a security group at a time.
- You can add up to 1,000 instances to a security group.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot