Importing and Exporting Security Group Rules
Scenarios
You can configure security group rules in an Excel file and import the rules to a security group. You can also export security group rules to an Excel file.
You can import and export security group rules in the following scenarios:
- If you want to back up security group rules locally, you can export the rules to an Excel file.
- If you want to quickly create or restore security group rules, you can import your security group rule file to the security group.
- If you want to quickly apply the rules of one security group to another, you can export and import existing rules.
- If you want to modify multiple rules of a security group at a time, you can export the rules, modify the rules in the Excel file, and import the Excel file again.
You can export all rules, or only the rules whose source or destination is an IP address.
Constraints
- The security group rules to be imported must be configured based on the template. Do not add parameters or change existing parameters. Otherwise, the import will fail.
- If you import a security group rule with Source/Destination set to a security group or IP address group, ensure that the group ID is correct. Otherwise, the import will fail.
- Duplicate security group rules will be ignored during import, whether they already exist in the security group or are included in the rules to be imported. As described in Table 1, rules A, B, and C are duplicate rules.
  - Rules A and B have the same direction, action, type, protocol & port, source address, and destination address but different priorities.
  - Rules A and C have the same direction, priority, action, type, protocol & port, source address, and destination address.
- Do not import two security group rules with the same Direction, Type, Protocol & Port, and Source/Destination, but different Action configurations. Table 2 shows an example.
  - If a rule to be imported conflicts with an existing rule in the security group, the import will fail. In this case, rectify the fault as prompted.
  - If rules to be imported conflict with each other, the import will fail. In this case, rectify the fault as prompted.
- Do not import two security group rules with the same Direction, Type, Protocol & Port, and Source/Destination, but different statuses. Table 3 shows an example.
  - If a rule to be imported conflicts with an existing rule in the security group, the import will fail. In this case, rectify the fault as prompted.
  - If rules to be imported conflict with each other, the import will fail. In this case, rectify the fault as prompted.
- If you want to import rules of the security group in one region to another under the same account, rules with Source or Destination set to an IP address group or another security group cannot be imported.
- If you want to import rules of the security group in one account to another account, rules with Source or Destination set to an IP address group or another security group cannot be imported.
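The duplicate, conflict, and cross-region/cross-account constraints above can be checked before a file is imported. The following Python linter is an added example, not code from the original page or from the cloud provider; it assumes the rows have already been loaded from the Excel file into dicts keyed by the template's parameter names, with a single hypothetical `Source/Destination` key, and its sample rows are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed row layout: template parameter names, one combined target column.
FIELDS = ("Direction", "Priority", "Status", "Action", "Type",
          "Protocol & Port", "Source/Destination")
# Fields the constraints compare when defining duplicates and conflicts.
MATCH = ("Direction", "Type", "Protocol & Port", "Source/Destination")

def is_ip_target(value):
    """True for an IP address or CIDR block, False for a group reference."""
    try:
        ipaddress.ip_network(value.strip(), strict=False)
        return True
    except ValueError:
        return False

def lint_rules(rules, cross_scope=False):
    """Return (row, kind, detail) findings; rows are 1-based.
    cross_scope=True also flags rules that reference a security group or
    IP address group, which cannot be imported across regions or accounts."""
    findings, seen = [], defaultdict(list)
    for row, rule in enumerate(rules, start=1):
        key = tuple(rule[f].strip().lower() for f in MATCH)
        action = rule["Action"].strip().lower()
        status = rule["Status"].strip().lower()
        if cross_scope and not is_ip_target(rule["Source/Destination"]):
            findings.append((row, "not-portable", "target is a group"))
        for prev_row, prev_action, prev_status in seen[key]:
            if prev_action != action:
                kind = "action-conflict"   # import fails
            elif prev_status != status:
                kind = "status-conflict"   # import fails
            else:
                kind = "duplicate"         # ignored; priority is not compared
            findings.append((row, kind, f"same match fields as row {prev_row}"))
        seen[key].append((row, action, status))
    return findings

# Constructed sample rows, not taken from a real export.
SAMPLE = [dict(zip(FIELDS, r)) for r in [
    ("Inbound", "1", "Enabled", "Allow", "IPv4", "TCP: 22", "192.168.10.10/32"),
    ("Inbound", "5", "Enabled", "Allow", "IPv4", "TCP: 22", "192.168.10.10/32"),
    ("Inbound", "1", "Enabled", "Deny", "IPv4", "TCP: 22", "192.168.10.10/32"),
    ("Inbound", "1", "Disabled", "Allow", "IPv4", "ICMP: All", "0.0.0.0/0"),
    ("Inbound", "1", "Enabled", "Allow", "IPv4", "ICMP: All", "0.0.0.0/0"),
    ("Inbound", "1", "Enabled", "Allow", "IPv4", "TCP: 22",
     "sg-test[96a8a93f-XXX-d7872990c314]"),
]]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE, cross_scope=True):
        print(finding)
```

Because the constraints apply both to rules already in the security group and to rules in the file, run the linter over the exported existing rules followed by the rows to be imported.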
Procedure
- Go to the security group list page.
- On the security group list, click the name of the target security group.
- Perform the following operations to import or export security group rules.
  - Click Export Rule to export rules of the current security group to an Excel file.
    You can export all rules, or only the rules whose source or destination is an IP address.
    - Export all rules: Export all inbound and outbound rules of the security group. This function is used to back up rules locally, modify rules in batches, or use the exported rules to quickly create other security groups in the same region and account.
    - Export rules whose source or destination is IP addresses: Only rules whose source or destination is an IP address are exported. Rules whose source or destination is a security group or IP address group are automatically filtered out. This allows you to import security group rules across regions or accounts. For example, inbound rules in security group Sg-A that use a security group or IP address group as the source will be automatically filtered out during export. For details, see Table 4.
Table 4 Description of security group (Sg-A) rule export

| Direction | Priority | Action | Type | Protocol & Port | Source/Destination | Export Description |
|---|---|---|---|---|---|---|
| Inbound | 1 | Allow | IPv4 | All | Source: Security group (Sg-A) | This rule will be filtered out and excluded from export. |
| Inbound | 1 | Allow | IPv6 | All | Source: Security group (Sg-A) | This rule will be filtered out and excluded from export. |
| Inbound | 1 | Allow | IPv6 | All | Source: Security group (Sg-B) | This rule will be filtered out and excluded from export. |
| Inbound | 1 | Allow | IPv4 | ICMP: All | Source: IP address (0.0.0.0/0) | This rule will not be filtered out and will be included in the export. |
| Inbound | 1 | Allow | IPv4 | TCP: 22 | Source: IP address group (ipGroup-A) | This rule will be filtered out and excluded from export. |
| Outbound | 1 | Allow | IPv4 | All | Source: IP address (0.0.0.0/0) | This rule will not be filtered out and will be included in the export. |
| Outbound | 1 | Allow | IPv6 | All | Source: IP address (::/0) | This rule will not be filtered out and will be included in the export. |

  - Click Import Rule to import security group rules from an Excel file into the current security group.
    Table 5 describes the parameters in the template for importing rules.
Table 5 Parameters in the security group rule import template

- Parameter: Direction
  - Description: The direction in which the security group rule takes effect.
    - Inbound: Inbound rules control incoming traffic to instances in the security group.
    - Outbound: Outbound rules control outgoing traffic from instances in the security group.
  - Example value: Inbound
- Parameter: Priority
  - Description: The priority value ranges from 1 to 100. The default value is 1 and has the highest priority. The security group rule with a smaller value has a higher priority.
  - Example value: 1
- Parameter: Status
  - Description: Status of the security group rule.
    - Disabled: After a security group rule is disabled, it will not work.
    - Enabled: After a security group rule is enabled, it will work.
  - Example value: Enabled
- Parameter: Action
  - Description: The value can be Allow or Deny.
    - If the Action is set to Allow, traffic is allowed to access the cloud servers in the security group over specified ports.
    - If the Action is set to Deny, traffic is denied access to the cloud servers in the security group over specified ports.
    Security group rules are matched by priority and then by action. Deny rules take precedence over allow rules. For more information, see How Traffic Matches Security Group Rules.
  - Example value: Allow
- Parameter: Type
  - Description: Source IP address version. You can select:
    - IPv4
    - IPv6
  - Example value: IPv4
- Parameter: Protocol & Port
  - Description: The network protocol used to match traffic in a security group rule. The protocol can be All, TCP, UDP, GRE, or ICMP.
  - Example value: TCP
  - Description: Port used to match traffic in a security group rule. The value can be from 1 to 65535.
    Inbound rules control incoming traffic over specific ports to instances in the security group.
    Outbound rules control outgoing traffic over specific ports from instances in the security group.
  - Example value: 22, 22-30
- Parameter: Source
  - Description: The source in an inbound rule is used to match the IP address or address range of an external request. The source can be:
    - IP address:
      - Single IP address: IP address/mask
        Example IPv4 address: 192.168.10.10/32
        Example IPv6 address: 2002:50::44/128
      - IP address range in CIDR notation: IP address/mask
        Example IPv4 address range: 192.168.52.0/24
        Example IPv6 address range: 2407:c080:802:469::/64
      - All IP addresses
        0.0.0.0/0 represents all IPv4 addresses.
        ::/0 represents all IPv6 addresses.
    - Security group: The source is another security group. You can select a security group in the same region under the current account. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with Action set to Allow and Source set to security group B, access from instance B is allowed to instance A.
      A security group is in the format of Security group name(Security group ID). An example is sg-test(96a8a93f-XXX-d7872990c314).
    - IP address group: An IP address group is a collection of one or more IP addresses. You can select an available IP address group. An IP address group helps you manage IP address ranges and IP addresses with the same security requirements more easily.
      An IP address group is in the format of IP address group name(IP address group ID). An example is ipGroup-test(96a8a93f-XXX-d7872990c314).
  - Example value: sg-test[96a8a93f-XXX-d7872990c314]
- Parameter: Destination
  - Description: The destination in an outbound rule is used to match the IP address or address range of an internal request. The destination can be:
    - IP address:
      - Single IP address: IP address/mask
        Example IPv4 address: 192.168.10.10/32
        Example IPv6 address: 2002:50::44/128
      - IP address range in CIDR notation: IP address/mask
        Example IPv4 address range: 192.168.52.0/24
        Example IPv6 address range: 2407:c080:802:469::/64
      - Any IP addresses
        0.0.0.0/0 represents all IPv4 addresses.
        ::/0 represents all IPv6 addresses.
    - Security group: The destination is another security group. Instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with Action set to Allow and Destination set to security group B, access from instance A is allowed to instance B.
      A security group is in the format of Security group name(Security group ID). An example is sg-test(96a8a93f-XXX-d7872990c314).
    - IP address group: An IP address group is a collection of one or more IP addresses. An IP address group helps you manage IP address ranges and IP addresses with the same security requirements more easily.
      An IP address group is in the format of IP address group name(IP address group ID). An example is ipGroup-test(96a8a93f-XXX-d7872990c314).
  - Example value: sg-test[96a8a93f-XXX-d7872990c314]
- Parameter: Description
  - Description: (Optional) Supplementary information about the security group rule.
    The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
  - Example value: -