Security Group
Description
- Security group
Like a firewall, a security group is a logical group used to control network access. You can define access rules for a security group to protect the ECSs in this group. You can create a custom security group or use the default security group.
Each security group can have both inbound and outbound rules. You need to specify the source, port, and protocol for each inbound rule and the destination, port, and protocol for each outbound rule to control the inbound and outbound traffic to and from the instances in the security group. As shown in Figure 1, you have a VPC (VPC-A) with a subnet (Subnet-A) in region A. An ECS (ECS-A) is running in Subnet-A and associated with security group Sg-A.
- Security group Sg-A has a custom inbound rule to allow ICMP traffic to ECS-A from your PC over all ports. However, the security group does not have rules that allow SSH traffic to ECS-A, so you cannot remotely log in to ECS-A from your PC.
- If ECS-A needs to access the Internet through an EIP, the outbound rule of Sg-A must allow all traffic from ECS-A to the Internet.
- Security group rule
- A security group has inbound and outbound rules to control traffic that is allowed to reach or leave the instances associated with the security group.
- Inbound rules: control traffic to the instances in a security group.
- Outbound rules: control traffic from the instances in a security group to access external networks.
- A security group rule consists of the protocol, port, source address, and destination address.
Table 1 Key parameters in a security group rule

| Parameter | Description |
|---|---|
| Action | Allow or Deny. If the protocol, port, and source or destination of the traffic match a security group rule, the traffic is allowed or denied as the rule specifies. |
| Priority | The value range is from 1 to 100. A smaller value indicates a higher priority. Security group rules are matched by priority and then by action. Deny rules take precedence over allow rules. To learn more, see Security Group and Security Group Rule Overview. |
| Type | IPv4 or IPv6. |
| Protocol & Port | Network protocol type and port range. Network protocol: TCP, UDP, ICMP, or GRE. Port range: 1 to 65535. |
| Source or Destination | Source address of traffic in the inbound direction or destination address of traffic in the outbound direction. The source or destination can be an IP address, a security group, or an IP address group. IP address: a fixed IPv4/IPv6 address or IPv4/IPv6 CIDR block, for example, 192.168.10.10/32 (IPv4 address), 192.168.1.0/24 (IPv4 CIDR block), or 2407:c080:802:469::/64 (IPv6 CIDR block). Security group: if the selected security group and the current security group are in the same region, traffic is allowed or denied to the private IP addresses of all instances in the selected security group. For example, if instance A is in security group A, instance B is in security group B, and the inbound rule of security group A allows traffic from security group B, traffic is allowed from instance B to instance A. IP address group: you can add multiple IP addresses with the same security requirements to an IP address group and select this IP address group when you configure a rule. |
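The matching order in Table 1 (priority first, then action, with deny beating allow at equal priority, and traffic matched by no rule denied) is compact enough to model directly. The following Python is an added example, not code from the page or from the cloud provider: it evaluates packets against the Sg-A rules of the Figure 1 scenario and against a second, constructed group that shows how priority and action interact. The PC and Internet addresses are constructed documentation addresses, and the default-deny for outbound traffic without a matching rule is this example's assumption (the page states it only for inbound).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


# One security group rule, shaped after the parameters in Table 1.
@dataclass(frozen=True)
class Rule:
    direction: str                    # "inbound" or "outbound"
    action: str                       # "allow" or "deny"
    priority: int                     # 1..100; a smaller value is a higher priority
    protocol: str                     # "tcp", "udp", "icmp", "gre" or "all"
    ports: Optional[Tuple[int, int]]  # inclusive (low, high) range; None = all ports
    peer: str                         # source CIDR (inbound) or destination CIDR (outbound)

    def matches(self, direction: str, protocol: str, addr: str, port: Optional[int]) -> bool:
        if self.direction != direction:
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.ports is not None and (port is None or not self.ports[0] <= port <= self.ports[1]):
            return False
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(self.peer, strict=False)
        # An IPv4 rule never matches IPv6 traffic and vice versa (the Type column).
        return ip.version == net.version and ip in net


def evaluate(rules: List[Rule], direction: str, protocol: str, addr: str,
             port: Optional[int] = None) -> str:
    """Decide whether one packet is allowed or denied by a security group.

    Matching order as read from Table 1: rules are compared by priority
    (smaller value first); among rules of equal priority, deny beats allow.
    Traffic matched by no rule is denied (stated on the page for inbound
    traffic; assumed here for outbound as well).
    """
    hits = [r for r in rules if r.matches(direction, protocol, addr, port)]
    if not hits:
        return "deny"
    hits.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return hits[0].action


# Constructed addresses from the RFC 5737 documentation ranges, standing in
# for "your PC" and an Internet host in the Figure 1 scenario.
PC_IP = "203.0.113.10"
INTERNET_HOST = "198.51.100.7"

# Sg-A as described above: ICMP from the PC is allowed inbound, nothing
# allows SSH, and all outbound traffic to the Internet is allowed.
SG_A = [
    Rule("inbound", "allow", 1, "icmp", None, PC_IP + "/32"),
    Rule("outbound", "allow", 1, "all", None, "0.0.0.0/0"),
]

# A constructed group showing how priority and action interact.
SG_PRIORITY_DEMO = [
    Rule("inbound", "allow", 1, "tcp", (22, 22), "0.0.0.0/0"),      # same priority as the deny below
    Rule("inbound", "deny", 1, "tcp", (22, 22), "203.0.113.0/24"),  # deny wins at equal priority
    Rule("inbound", "deny", 2, "tcp", (80, 80), "0.0.0.0/0"),       # lower priority than the allow below
    Rule("inbound", "allow", 1, "tcp", (80, 80), "203.0.113.0/24"), # priority 1 is considered first
]

if __name__ == "__main__":
    print("ping from PC:", evaluate(SG_A, "inbound", "icmp", PC_IP))                         # allow
    print("SSH from PC:", evaluate(SG_A, "inbound", "tcp", PC_IP, 22))                       # deny
    print("ECS-A to Internet:", evaluate(SG_A, "outbound", "tcp", INTERNET_HOST, 443))       # allow
    print("SSH from PC (demo):", evaluate(SG_PRIORITY_DEMO, "inbound", "tcp", PC_IP, 22))    # deny
    print("SSH elsewhere (demo):", evaluate(SG_PRIORITY_DEMO, "inbound", "tcp", "10.0.0.5", 22))  # allow
    print("HTTP from PC (demo):", evaluate(SG_PRIORITY_DEMO, "inbound", "tcp", PC_IP, 80))   # allow
```

The demo group makes the two halves of the rule visible: on port 22 the deny and the allow share priority 1, so the deny wins for the PC's network while hosts matched only by the allow get through; on port 80 the allow has the smaller priority value, so it is applied before the broader deny is even considered.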
- Default security groups and rules
ECSs provide three security group templates: default, Sys-WebServer, and Sys-FullAccess.
Table 2 Rules in the default security group

| Direction | Action | Type | Protocol & Port | Source/Destination | Description |
|---|---|---|---|---|---|
| Inbound | Allow | IPv4 | All | Source: default security group (default) | Allows IPv4 instances in the security group to communicate with each other using any protocol over any port. |
| Inbound | Allow | IPv6 | All | Source: default security group (default) | Allows IPv6 instances in the security group to communicate with each other using any protocol over any port. |
| Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows all traffic from the instances in the security group to any IPv4 address over any port. |
| Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows all traffic from the instances in the security group to any IPv6 address over any port. |
Table 3 Sys-WebServer security group rules

| Direction | Action | Type | Protocol & Port | Source/Destination | Description |
|---|---|---|---|---|---|
| Inbound | Allow | IPv4 | ICMP: All | Source: 0.0.0.0/0 | Allows the use of the ping command to test network connectivity over IPv4. |
| Inbound | Allow | IPv4 | All | Source: current security group (Sys-WebServer) | Allows instances in the security group to communicate with each other over IPv4. |
| Inbound | Allow | IPv4 | TCP: 443 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access websites deployed on ECSs over HTTPS. |
| Inbound | Allow | IPv4 | TCP: 80 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access websites deployed on ECSs over HTTP. |
| Inbound | Allow | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access Linux ECSs over SSH. |
| Inbound | Allow | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access Windows ECSs through the default Windows remote desktop. |
| Inbound | Allow | IPv6 | All | Source: current security group (Sys-WebServer) | Allows instances in the security group to communicate with each other over IPv6. |
| Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from instances in the security group to any IPv4 address over any port. |
| Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows access from instances in the security group to any IPv6 address over any port. |
Table 4 Sys-FullAccess security group rules

| Direction | Action | Type | Protocol & Port | Source/Destination | Description |
|---|---|---|---|---|---|
| Inbound | Allow | IPv4 | All | Source: current security group (Sys-FullAccess) | Allows instances in the security group to communicate with each other over IPv4. |
| Inbound | Allow | IPv6 | All | Source: current security group (Sys-FullAccess) | Allows instances in the security group to communicate with each other over IPv6. |
| Inbound | Allow | IPv4 | All | Source: 0.0.0.0/0 | Allows all inbound IPv4 packets to pass through. |
| Inbound | Allow | IPv6 | All | Source: ::/0 | Allows all inbound IPv6 packets to pass through. |
| Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from instances in the security group to any IPv4 address over any port. |
| Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows access from instances in the security group to any IPv6 address over any port. |
- Security group configuration examples
Learn how to configure security group rules in common scenarios.
- Security group configuration suggestions:
Instances in a security group deny all external access requests by default, but you can add rules to allow specific requests.
When adding a security group rule, grant the minimum permissions possible. For example, if remote login to an ECS over port 22 is allowed, only allow specific IP addresses to log in to the ECS. Do not use 0.0.0.0/0 (all IP addresses).
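The suggestion above (restrict remote login ports to specific addresses, never 0.0.0.0/0) can be checked mechanically against a rule set before it is applied. The following Python is an added example, not code from the page or from the cloud provider: it transcribes the inbound rules of the Sys-WebServer template from Table 3 as constructed dicts, reports every rule that opens a remote-administration port to all addresses, and produces a copy of the rule set in which those rules accept only an administrator network. The `sg:` prefix for security-group sources, the `ADMIN_PORTS` table and the administrator CIDR 203.0.113.0/24 are this example's own conventions and constructed values.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ports treated as remote-administration ports. Port 22 (SSH) is the page's
# own example; 3389 (Windows remote desktop) is opened by the template in Table 3.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Inbound rules of the Sys-WebServer template, transcribed from Table 3 as
# constructed dicts (not output of the cloud API). A "sg:" source means the
# rule refers to a security group rather than to a CIDR block.
SYS_WEBSERVER_INBOUND = [
    {"type": "IPv4", "protocol": "icmp", "ports": None,         "source": "0.0.0.0/0"},
    {"type": "IPv4", "protocol": "all",  "ports": None,         "source": "sg:Sys-WebServer"},
    {"type": "IPv4", "protocol": "tcp",  "ports": (443, 443),   "source": "0.0.0.0/0"},
    {"type": "IPv4", "protocol": "tcp",  "ports": (80, 80),     "source": "0.0.0.0/0"},
    {"type": "IPv4", "protocol": "tcp",  "ports": (22, 22),     "source": "0.0.0.0/0"},
    {"type": "IPv4", "protocol": "tcp",  "ports": (3389, 3389), "source": "0.0.0.0/0"},
    {"type": "IPv6", "protocol": "all",  "ports": None,         "source": "sg:Sys-WebServer"},
]


def is_any_address(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a source that covers every address."""
    if source.startswith("sg:"):
        return False
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def covers_tcp_port(rule: Dict, port: int) -> bool:
    """True if the rule lets TCP traffic to `port` through."""
    if rule["protocol"] not in ("tcp", "all"):
        return False
    if rule["ports"] is None:        # "All" in the Protocol & Port column
        return True
    low, high = rule["ports"]
    return low <= port <= high


def audit_inbound(rules: List[Dict]) -> List[Tuple[int, int, str]]:
    """Return (rule index, port, service) for every admin port open to all addresses."""
    findings = []
    for index, rule in enumerate(rules):
        if not is_any_address(rule["source"]):
            continue
        for port, service in ADMIN_PORTS.items():
            if covers_tcp_port(rule, port):
                findings.append((index, port, service))
    return findings


def restrict_admin_sources(rules: List[Dict], admin_cidr: str) -> List[Dict]:
    """Copy of `rules` in which every flagged rule accepts traffic only from `admin_cidr`.

    Note that a flagged "all protocols, all ports" rule (as in Sys-FullAccess)
    is narrowed as a whole; splitting the ports you actually need out of such
    a rule is a separate design decision this helper does not make.
    """
    flagged = {index for index, _, _ in audit_inbound(rules)}
    return [dict(rule, source=admin_cidr) if i in flagged else dict(rule)
            for i, rule in enumerate(rules)]


if __name__ == "__main__":
    for index, port, service in audit_inbound(SYS_WEBSERVER_INBOUND):
        rule = SYS_WEBSERVER_INBOUND[index]
        print(f"rule {index}: {service} (TCP {port}) open to {rule['source']}")
    # Constructed administrator network; use the addresses you actually log in from.
    hardened = restrict_admin_sources(SYS_WEBSERVER_INBOUND, "203.0.113.0/24")
    print("findings after restriction:", audit_inbound(hardened))  # []
```

Run against Table 3 the audit flags the SSH and RDP rules and nothing else; the HTTP and HTTPS rules stay open to 0.0.0.0/0 because a public web server needs them. Run against the Sys-FullAccess inbound rules from Table 4, the single "all protocols from 0.0.0.0/0" rule is flagged for both ports, which is the check a practitioner wants before choosing that template for anything reachable from the Internet.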