ECS Security Groups
Background
You can configure a security group for an ECS to improve security. Security groups make it easier to adjust access control rules of your ECSs. This section describes the concept of security groups and how to set security group rules.
Overview and Recommendations
A security group is a collection of access control rules for ECSs that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for it; these rules apply to all ECSs added to the security group.
You can also customize a security group or use the default one. The system provides a default security group for you, which permits all outbound traffic and denies inbound traffic. ECSs in a security group are accessible to each other. For details about the default security group, see Default Security Groups and Rules.
Security groups also have usage constraints. For details, see Constraints on Using Security Groups. Security groups are just like a whitelist. You are advised to open and expose the minimum number of ports, grant the minimum permissions possible, and assign as few public IP addresses as possible. For more information, see Recommendations.
Security Group Creation Process
- Log in to the management console.
- Click the icon in the upper left corner and select the desired region and project.
- Click the icon and, under Networking, click Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Security Groups. Create a security group or click Manage Rules in the Operation column to manage rules. For details, see Configuring Security Group Rules. For details about common ECS ports and their descriptions, see Common ECS Ports. For details about how to enable ports in a security group based on scenarios, see Security Group Examples.
Security Group Operations
- When creating a security group, configure the initial rules for the security group. After the configuration is complete, click Create Now. Wait for a while, and the security group will be displayed in the security group list. For details, see Creating a Security Group.
- You can clone, modify, or delete a security group.
- If the security group you created does not meet your requirements, you can modify its inbound and outbound rules. After the rules are configured, click OK. For details, see Configuring Security Group Rules. After the security group rules are configured, you can check whether the security group rules take effect.
- You can associate an ECS with a security group on the Security Groups page. For details, see Adding an Instance to or Removing an Instance from a Security Group.
Tips
When adding a security group rule, grant the minimum permissions possible. For example, if remote login to an ECS over port 22 is allowed, only allow specific IP addresses to log in to the ECS. Do not use 0.0.0.0/0 (all IP addresses).
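The tip above can be turned into a repeatable check. The following Python script is an added example and is not code from the ECS documentation or the cloud provider's tooling: it audits a constructed list of security group rules (the field names direction, protocol, port_min, port_max and remote are assumptions that only mirror what a rule shows in the console) and flags inbound rules that expose an administrative port to 0.0.0.0/0 or ::/0, or that open a port range far wider than a single service needs. It also shows how a world-open rule is replaced by one rule per approved source CIDR, which is the "only allow specific IP addresses" advice in code. The ADMIN_PORTS table and the sample CIDRs are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample rules for this example. The field names are hypothetical
# and only mirror what a security group rule carries in the console:
# direction, protocol, port range and the remote (source/destination) CIDR.
SAMPLE_RULES: List[Dict] = [
    {"direction": "ingress", "protocol": "tcp", "port_min": 22, "port_max": 22, "remote": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 22, "port_max": 22, "remote": "203.0.113.10/32"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 443, "port_max": 443, "remote": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 1, "port_max": 65535, "remote": "10.0.0.0/8"},
    {"direction": "egress", "protocol": "any", "port_min": None, "port_max": None, "remote": "0.0.0.0/0"},
]

# Remote-administration and database ports that should not be reachable from every address.
# Constructed table; extend it to match the services your ECSs actually run.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

# A port span this wide in a single rule usually means "everything" rather than one service.
WIDE_RANGE_THRESHOLD = 1000


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: a /0 prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: Dict, port: int) -> bool:
    """A rule without port bounds (protocol 'any' or ICMP) covers every port."""
    lo, hi = rule.get("port_min"), rule.get("port_max")
    if lo is None or hi is None:
        return True
    return lo <= port <= hi


def audit_rules(rules: List[Dict]) -> List[Dict]:
    """Return one finding per inbound rule that violates the least-privilege tips."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule["direction"] != "ingress":
            continue  # outbound rules are not the subject of the tip
        if is_world_open(rule["remote"]):
            for port, name in ADMIN_PORTS.items():
                if rule_covers_port(rule, port):
                    findings.append({"rule": idx, "port": port,
                                     "reason": f"{name} (port {port}) reachable from any IP address"})
        lo, hi = rule.get("port_min"), rule.get("port_max")
        if lo is not None and hi is not None and hi - lo >= WIDE_RANGE_THRESHOLD:
            findings.append({"rule": idx, "port": None,
                             "reason": f"port range {lo}-{hi} is broader than any single service needs"})
    return findings


def tighten_rule(rule: Dict, allowed_cidrs: List[str]) -> List[Dict]:
    """Replace a world-open rule with one otherwise identical rule per approved source CIDR."""
    tightened = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} does not restrict the source at all")
        tightened.append({**rule, "remote": str(net)})
    return tightened


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"rule #{f['rule']}: {f['reason']}")
    # Replace the world-open SSH rule with two narrowly scoped ones.
    for r in tighten_rule(SAMPLE_RULES[0], ["203.0.113.10/32", "198.51.100.0/24"]):
        print("replacement:", r)
```

On the sample data the audit reports the SSH rule from 0.0.0.0/0 and the 1-65535 range, but not the HTTPS rule, since a public web port is a deliberate exposure rather than an administrative one; add or remove entries in ADMIN_PORTS to match your own policy. The egress rule is skipped because the tip concerns who may reach the ECS, not what the ECS may reach.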