Updated on 2024-10-15 GMT+08:00

Why Are My Security Group Rules Not Working?

Symptom

After a security group rule is configured for an instance (such as an ECS), the rule does not work. For example, although a security group rule is added to allow a specific IP address to access instances in the security group, the access still fails.

Background

A VPC is a private network on the cloud. You can configure security groups and network ACL rules to ensure the security of instances, such as ECSs, databases, and containers, running in a VPC.

  • A security group protects the instances in it.
  • A network ACL protects the entire subnet. After a subnet is associated with a network ACL, all instances in the subnet are protected by the network ACL.

In addition to the access control provided by the VPC service, you can configure the cloud firewalls to further improve the instance security. Figure 1 shows how they work together.

Figure 1 Controlling access to a VPC

If your security group rules are not working, they may be configured wrong, or there may be conflicting rules.

Troubleshooting

The issues here are described in order of how likely they are to occur.

Troubleshoot the issue by ruling out the causes described here, one by one.

Figure 2 Troubleshooting

Table 1 Troubleshooting

  Possible Cause                                               | Solution
  -------------------------------------------------------------|-------------------------------------------------------------
  Improper security group rule configurations                  | Incorrect Security Group Rule Configurations
  Conflicts between network ACL rules and security group rules | Conflicts Between Network ACL Rules and Security Group Rules
  Port access denied by a firewall                             | Port Access Denied by a Firewall
  Network disconnected                                         | Network Disconnectivity Between VPCs

Incorrect Security Group Rule Configurations

If security group rules are improperly configured, instances cannot be protected. Check the security group rules against the following causes:

  1. The wrong direction is configured.

    A security group has inbound and outbound rules that control the traffic allowed to reach or leave the instances associated with the security group.
    • Inbound rules control incoming traffic to the instances in a security group.
    • Outbound rules control traffic from the instances in a security group to external networks.

  2. The wrong protocol is configured.

    Traffic can be filtered by TCP, UDP, ICMP, or GRE. Select the protocol that the service actually uses for the security group rule.

  3. The configured ports are high-risk ports that are blocked by carriers. These ports cannot be accessed in restricted regions. In this case, change the ports to common ports.

    For details about common ports and risky ports, see Common Ports Used by ECSs.

  4. The port required by the service is not opened.

    After allowing traffic over a port in a security group rule, you also need to ensure that the port is opened on the instance itself (such as an ECS).

    Check whether the ECS port is opened and whether the configuration takes effect by referring to section "Verifying Security Group Rules" in Adding a Security Group Rule.

After the cause is identified, you can add a security group rule or modify a security group rule to select the correct direction and protocol and to open the required ports.

Conflicts Between Network ACL Rules and Security Group Rules

Security groups protect instances (such as ECSs), while network ACLs protect subnets. If a network ACL rule conflicts with a security group rule, the network ACL rule takes precedence over the security group rule. As a result, the security group rule may not be applied.

For example, if an inbound rule of your security group allows access over port 80 but a network ACL rule denies access over that port, the network ACL rule is matched first and the traffic is denied.

You can add a network ACL rule or modify a network ACL rule to allow traffic over the corresponding protocol and port.

Port Access Denied by a Firewall

Both security groups and firewalls protect instances (such as ECSs). Even if a security group rule allows access to a port, the firewall running in the ECS operating system may still deny access to that port. In this case, you need to disable the firewall or configure an exception for the port on the firewall.

For details, see Disabling a Windows ECS Firewall and Adding a Port Exception on a Windows ECS Firewall or Disabling a Linux ECS Firewall and Adding a Port Exception on a Linux ECS Firewall.
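As an added example (not Huawei Cloud code), the following Python models the layered evaluation described in the three sections above: the network ACL is checked ahead of the security group, and the instance's own firewall is checked last, so the function reports which layer dropped a given flow. The evaluation semantics (first-match ordered network ACL rules with a default deny, allow-only security group rules, a host firewall modelled as a set of open ports) are assumptions of this model, and the addresses are constructed.

```python
"""Simplified model of the three filtering layers this FAQ walks through:
network ACL (subnet) -> security group (instance) -> host firewall.
Added example, not Huawei Cloud code. Evaluation semantics are assumptions:
ordered allow/deny network ACL rules with a default deny, allow-only
security group rules, and a host firewall modelled as a set of open ports."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    direction: str           # "inbound" or "outbound"
    protocol: str            # "tcp", "udp", "icmp", "gre" or "any"
    ports: tuple             # (low, high); ignored for icmp/gre
    cidr: str                # remote address range
    action: str = "allow"    # network ACL rules may also be "deny"

    def matches(self, direction, protocol, port, remote_ip):
        if self.direction != direction or self.protocol not in ("any", protocol):
            return False
        if protocol in ("tcp", "udp") and not self.ports[0] <= port <= self.ports[1]:
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)

def first_block(acl, sg, host_open_ports, direction, protocol, port, remote_ip):
    """Return the layer that drops the flow, or None if every layer allows it.
    The network ACL is checked before the security group, matching the
    precedence the FAQ describes."""
    flow = (direction, protocol, port, remote_ip)
    # Network ACL: the first matching rule decides; no match means deny.
    verdict = next((r.action for r in acl if r.matches(*flow)), "deny")
    if verdict == "deny":
        return "network ACL"
    # Security group: allow-only, so any matching rule permits the flow.
    if not any(r.matches(*flow) for r in sg):
        return "security group"
    # Host firewall: inbound TCP/UDP must also be opened on the instance.
    if direction == "inbound" and protocol in ("tcp", "udp") and port not in host_open_ports:
        return "host firewall"
    return None

# Constructed sample reproducing the FAQ's port 80 example.
SG = [Rule("inbound", "tcp", (80, 80), "203.0.113.0/24")]
ACL_DENY_80 = [Rule("inbound", "tcp", (80, 80), "0.0.0.0/0", "deny"),
               Rule("inbound", "any", (1, 65535), "0.0.0.0/0")]
ACL_ALLOW_ALL = [Rule("inbound", "any", (1, 65535), "0.0.0.0/0")]

if __name__ == "__main__":
    print(first_block(ACL_DENY_80, SG, {80}, "inbound", "tcp", 80, "203.0.113.10"))    # network ACL
    print(first_block(ACL_ALLOW_ALL, SG, {22}, "inbound", "tcp", 80, "203.0.113.10"))  # host firewall
```

A rule with the wrong direction or an unmatched source range surfaces as a "security group" drop, which is the case the first troubleshooting section covers.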

Network Disconnectivity Between VPCs

A security group works only when network communication between the instances is already possible. If instances in different VPCs are associated with the same security group, they still cannot communicate with each other.

In this case, you can use a VPC peering connection to connect the VPCs so that security groups can control traffic from and to the instances in different VPCs. For details about VPC connectivity, see Application Scenarios.

Submitting a Service Ticket

If the problem persists, submit a service ticket.