Why Are My Security Group Rules Not Working?
Symptom
After a security group rule is configured for an instance (such as an ECS), the rule does not work. For example, although a security group rule is added to allow a specific IP address to access instances in the security group, the access still fails.
Background
A VPC is a private network on the cloud. You can configure security groups and network ACL rules to ensure the security of instances, such as ECSs, databases, and containers, running in a VPC.
- A security group protects the instances in it.
- A network ACL protects the entire subnet. After a subnet is associated with a network ACL, all instances in the subnet are protected by the network ACL.
In addition to the access control provided by the VPC service, you can configure the cloud firewalls to further improve the instance security. Figure 1 shows how they work together.
If your security group rules are not working, they may be configured incorrectly, or another rule set (a network ACL or a host firewall) may be overriding them.
Troubleshooting
The issues here are described in order of how likely they are to occur.
Troubleshoot the issue by ruling out the causes described here, one by one.
| Possible Cause | Solution |
|---|---|
| Improper security group rule configurations | Incorrect Security Group Rule Configurations |
| Conflicts between network ACL rules and security group rules | Conflicts Between Network ACL Rules and Security Group Rules |
| Port access denied by a firewall | Port Access Denied by a Firewall |
| Network disconnected | Network Disconnectivity Between VPCs |
Incorrect Security Group Rule Configurations
If security group rules are improperly configured, instances cannot be protected. Check the security group rules based on the following causes:
- The wrong direction is configured.
  A security group has inbound and outbound rules to control traffic that is allowed to reach or leave the instances associated with the security group.
  - Inbound rules control the incoming traffic to the instances in a security group.
  - Outbound rules control traffic from the instances in a security group for accessing external networks.
- The wrong protocol is configured.
  The protocols that can be used to filter traffic are TCP, UDP, ICMP, and GRE. Select a valid protocol for the security group rule.
- The configured ports are high-risk ports that are blocked by carriers. These ports cannot be accessed in restricted regions. In this case, change the ports to common ports.
  For details about common ports and risky ports, see Common Ports Used by ECSs.
- The port required by the service is not opened.
  After allowing traffic over a port in a security group rule, you need to ensure that the port used by the instance (such as an ECS) is also opened.
  Check whether the ECS port is opened and whether the configuration takes effect by referring to section "Verifying Security Group Rules" in Adding a Security Group Rule.
After the cause is identified, you can add a security group rule or modify a security group rule to select the correct direction and protocol and to open the required ports.
Conflicts Between Network ACL Rules and Security Group Rules
Security groups protect instances (such as ECSs), while network ACLs protect subnets. If a network ACL rule conflicts with a security group rule, the network ACL rule takes precedence over the security group rule. As a result, the security group rule may not be applied.
For example, if the inbound rule of your security group allows access over port 80 but the network ACL rule denies access over the port, the traffic preferentially matches the network ACL rule.
You can add a network ACL rule or modify a network ACL rule to allow traffic from the corresponding protocol port.
Port Access Denied by a Firewall
Both security groups and firewalls protect instances (such as ECSs). Although access to a port is allowed by a security group rule, the ECS firewall may deny the access to the port. In this case, you need to disable the firewall or configure an exception port on the firewall.
For details, see Disabling a Windows ECS Firewall and Adding a Port Exception on a Windows ECS Firewall or Disabling a Linux ECS Firewall and Adding a Port Exception on a Linux ECS Firewall.
Network Disconnectivity Between VPCs
A security group works only when the network communication is normal. If instances are associated with the same security group but in different VPCs, the instances cannot communicate with each other.
In this case, you can use a VPC peering connection to connect the VPCs so that security groups can control traffic from and to the instances in different VPCs. For details about VPC connectivity, see Application Scenarios.
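As an added illustration of the checks in the three sections above (it is not code from the original page or from the cloud service's own tooling), the following Python script models one flow passing through a network ACL, a security group and the guest OS firewall, and reports the first layer that blocks it. The ordered first-match, deny-by-default network ACL evaluation, the rule and flow fields, and the sample rule sets are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" or "outbound"
    protocol: str         # "tcp", "udp", "icmp", "gre" or "any"
    port: Optional[int]   # None means all ports
    action: str = "allow" # "allow" or "deny"; security group rules are always "allow"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    port: int

def matches(rule: Rule, flow: Flow) -> bool:
    # A rule applies only when direction, protocol and port all fit the flow.
    return (rule.direction == flow.direction
            and rule.protocol in ("any", flow.protocol)
            and rule.port in (None, flow.port))

def network_acl_verdict(acl_rules, flow):
    # Assumed model: ordered first-match evaluation, deny when no rule matches.
    for rule in acl_rules:
        if matches(rule, flow):
            return rule.action
    return "deny"

def security_group_verdict(sg_rules, flow):
    # Security groups are allow-lists: without a matching rule the flow is dropped.
    return "allow" if any(matches(r, flow) for r in sg_rules if r.action == "allow") else "deny"

def diagnose(acl_rules, sg_rules, host_open_ports, flow):
    """Return the first layer that blocks the flow, in the order traffic traverses them."""
    if network_acl_verdict(acl_rules, flow) == "deny":
        return "blocked by network ACL (takes precedence over the security group)"
    if security_group_verdict(sg_rules, flow) == "deny":
        # Common mistake from the page: the rule exists, but in the opposite direction.
        opposite = "outbound" if flow.direction == "inbound" else "inbound"
        if security_group_verdict(sg_rules, Flow(opposite, flow.protocol, flow.port)) == "allow":
            return f"blocked by security group (rule exists only in the {opposite} direction)"
        return "blocked by security group (no allow rule for this direction/protocol/port)"
    if flow.port not in host_open_ports:
        return "blocked by guest OS firewall (no port exception)"
    return "allowed"

# Constructed scenario from the page: the security group allows TCP 80 inbound, but the network ACL denies it.
ACL = [Rule("inbound", "tcp", 80, "deny"), Rule("inbound", "any", None), Rule("outbound", "any", None)]
SG = [Rule("inbound", "tcp", 80), Rule("outbound", "any", None)]
HOST_OPEN_PORTS = {22}  # ports excepted on the guest OS firewall (constructed)
```

Calling `diagnose(ACL, SG, HOST_OPEN_PORTS, Flow("inbound", "tcp", 80))` reports the network ACL as the blocking layer, which is the conflict described in the section on network ACL rules.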
Submitting a Service Ticket
If the problem persists, submit a service ticket.