Updated on 2026-06-04 GMT+08:00

Security Group

Description

  • Security group

    A security group is a logical group that functions similarly to a firewall to control network access. You can define access rules for a security group to protect the ECSs in this group. You can create a custom security group or use the default security group.

    Each security group can have both inbound and outbound rules. You need to specify the source, port, and protocol for each inbound rule and specify the destination, port, and protocol for each outbound rule to control the inbound and outbound traffic to and from the instances in the security group. As shown in Figure 1, you have a VPC (VPC-A) with a subnet (Subnet-A) in region A. An ECS (ECS-A) is running in Subnet-A and associated with security group Sg-A.
    • Security group Sg-A has a custom inbound rule that allows ICMP traffic, so ping requests are allowed from your PC to ECS-A. However, the security group does not have rules that allow SSH traffic, so you cannot remotely log in to ECS-A from your PC.
    • ECS-A has an EIP bound and the outbound rule of Sg-A allows all outbound traffic from ECS-A, so ECS-A can access the Internet.
    Figure 1 Security group architecture
  • Security group rule
    • Each security group can have inbound and outbound rules to control traffic that is allowed to reach or leave the instances associated with the security group.
      • Inbound rules control traffic to the instances in a security group.
      • Outbound rules control traffic from the instances in a security group to access external networks.
    • Security group rules consist of protocols, ports, and source or destination addresses.
      Table 1 Key parameters in a security group rule

      Action: Allow or Deny. If the protocol, port, and source or destination of the traffic match a security group rule, the traffic is allowed or denied as that rule specifies.

      Priority: Range 1 to 100. A smaller value indicates a higher priority. Security group rules are matched by priority and then by action. Deny rules take precedence over allow rules. To learn more, see Security Group and Security Group Rule Overview.

      Type: IPv4 or IPv6.

      Protocol & Port: Network protocol type and port range.
      • Network protocol: TCP, UDP, ICMP, or GRE.
      • Port range: 1 to 65535.

      Source or Destination: Source address of inbound traffic or destination address of outbound traffic. The source or destination can be an IP address, a security group, or an IP address group.
      • IP address: a fixed IPv4/IPv6 address or IPv4/IPv6 CIDR block, for example, 192.168.10.10/32 (IPv4 address), 192.168.1.0/24 (IPv4 CIDR block), or 2407:c080:802:469::/64 (IPv6 CIDR block).
      • Security group: In a given region, if security group A allows or denies traffic from or to security group B over a private network, the rule applies to all instances in security group B. For example, if an instance in security group A has a rule that allows traffic from security group B, then all instances in group B can access all instances in group A over a private network.
      • IP address group: You can add multiple IP addresses with the same security requirements to an IP address group and select this IP address group when you configure a rule.
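    The matching order described in Table 1 (default deny, priority first, then deny before allow, with a CIDR or a security group as the source) can be reproduced offline. The following evaluator is an added example written for this page, not cloud-platform code; the Rule model, the group Sg-A from Figure 1 and the stricter group SG_STRICT are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One inbound rule carrying the Table 1 parameters (constructed model)."""
    action: str      # "allow" or "deny"
    priority: int    # 1..100; a smaller value is matched first
    protocol: str    # "tcp", "udp", "icmp", "gre" or "all"
    ports: tuple     # (low, high), used only for tcp/udp
    source: str      # IPv4/IPv6 CIDR, or "sg:<name>" for a security group source

def rule_matches(rule, proto, port, src_ip, src_sg):
    """True when the packet's protocol, port and source all match the rule."""
    if rule.protocol not in ("all", proto):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.source.startswith("sg:"):
        return src_sg == rule.source[3:]
    # an IPv6 source never falls inside an IPv4 block, and vice versa
    return ip_address(src_ip) in ip_network(rule.source, strict=False)

def evaluate_inbound(rules, proto, port, src_ip, src_sg=None):
    """Default deny. Among matching rules the smallest priority value wins;
    at equal priority a deny rule takes precedence over an allow rule."""
    matched = [r for r in rules if rule_matches(r, proto, port, src_ip, src_sg)]
    if not matched:
        return "deny"
    matched.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return matched[0].action

# Sg-A from Figure 1 (constructed): ICMP allowed from anywhere, no SSH rule at all.
SG_A = [Rule("allow", 1, "icmp", (0, 0), "0.0.0.0/0")]

# A stricter group (constructed): admins in 10.0.1.0/24 may use SSH, one host in that
# range is blocked at the same priority, and members of Sg-A may reach anything.
SG_STRICT = [
    Rule("allow", 1, "tcp", (22, 22), "10.0.1.0/24"),
    Rule("deny", 1, "tcp", (22, 22), "10.0.1.99/32"),
    Rule("deny", 50, "tcp", (1, 65535), "10.0.0.0/8"),
    Rule("allow", 1, "all", (0, 0), "sg:Sg-A"),
]

if __name__ == "__main__":
    print(evaluate_inbound(SG_A, "icmp", 0, "203.0.113.5"))      # allow: ping reaches ECS-A
    print(evaluate_inbound(SG_A, "tcp", 22, "203.0.113.5"))      # deny: no SSH rule exists
    print(evaluate_inbound(SG_STRICT, "tcp", 22, "10.0.1.20"))   # allow: priority 1 beats deny at 50
    print(evaluate_inbound(SG_STRICT, "tcp", 22, "10.0.1.99"))   # deny: deny wins at equal priority
    print(evaluate_inbound(SG_STRICT, "udp", 53, "192.168.3.3", "Sg-A"))  # allow via group source
```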
  • Default security groups and rules

    ECSs provide three security group templates: default, Sys-WebServer, and Sys-FullAccess.

    Table 2 Rules in the default security group

    | Direction | Action | Type | Protocol & Port | Source/Destination | Description |
    |---|---|---|---|---|---|
    | Inbound | Allow | IPv4 | All | Source: default security group (default) | Allows IPv4 instances in the security group to communicate with each other using any protocol and port. |
    | Inbound | Allow | IPv6 | All | Source: default security group (default) | Allows IPv6 instances in the security group to communicate with each other using any protocol and port. |
    | Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows all IPv4 traffic from the instances in the security group to any IP address over any port. |
    | Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows all IPv6 traffic from the instances in the security group to any IP address over any port. |

    Table 3 Sys-WebServer security group rules

    | Direction | Action | Type | Protocol & Port | Source/Destination | Description |
    |---|---|---|---|---|---|
    | Inbound | Allow | IPv4 | ICMP: All | Source: 0.0.0.0/0 | Allows the use of the ping command to test the network connectivity over IPv4 protocols. |
    | Inbound | Allow | IPv4 | All | Source: current security group (Sys-WebServer) | Allows instances in the security group to communicate with each other over IPv4 protocols. |
    | Inbound | Allow | IPv4 | TCP: 443 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access websites deployed on ECSs over HTTPS. |
    | Inbound | Allow | IPv4 | TCP: 80 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access websites deployed on ECSs over HTTP. |
    | Inbound | Allow | IPv4 | TCP: 22 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access Linux ECSs over SSH. |
    | Inbound | Allow | IPv4 | TCP: 3389 | Source: 0.0.0.0/0 | Allows all IPv4 addresses to access Windows ECSs through the default Windows remote desktop. |
    | Inbound | Allow | IPv6 | All | Source: current security group (Sys-WebServer) | Allows instances in the security group to communicate with each other over IPv6 protocols. |
    | Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from instances in the security group to any IPv4 address over any port. |
    | Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows access from instances in the security group to any IPv6 address over any port. |

    Table 4 Sys-FullAccess security group rules

    | Direction | Action | Type | Protocol & Port | Source/Destination | Description |
    |---|---|---|---|---|---|
    | Inbound | Allow | IPv4 | All | Source: current security group (Sys-FullAccess) | Allows instances in the security group to communicate with each other over IPv4 protocols. |
    | Inbound | Allow | IPv6 | All | Source: current security group (Sys-FullAccess) | Allows instances in the security group to communicate with each other over IPv6 protocols. |
    | Inbound | Allow | IPv4 | All | Source: 0.0.0.0/0 | Allows all inbound data packets to pass through over IPv4 protocols. |
    | Inbound | Allow | IPv6 | All | Source: ::/0 | Allows all inbound data packets to pass through over IPv6 protocols. |
    | Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows access from instances in the security group to any IPv4 address over any port. |
    | Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows access from instances in the security group to any IPv6 address over any port. |

  • Security group configuration examples

    Learn how to configure security group rules in common scenarios.

  • Security group configuration suggestions:

    Instances in a security group deny all external access requests by default, but you can add rules to allow specific types of requests.

    When adding a security group rule, grant the minimum required permissions. For example, if remote login to an ECS over port 22 is allowed, only allow specific IP addresses to log in to the ECS. Do not use 0.0.0.0/0 (all IP addresses).
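    The least-privilege advice above can be checked mechanically against a template such as Sys-WebServer, whose Table 3 rules open SSH (22) and remote desktop (3389) to 0.0.0.0/0. The audit and hardening helpers below are an added example written for this page, not cloud-platform code; the rule tuples are transcribed from Tables 3 and 4, and the admin range 198.51.100.0/24 is a constructed placeholder.

```python
from ipaddress import ip_network

# Remote-login ports: 22 is the page's own example, 3389 is the Windows remote desktop port from Table 3.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def is_any_source(source):
    """True for 0.0.0.0/0 or ::/0. Security-group or address-group sources are not CIDRs."""
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False

def audit_inbound(rules):
    """Flag inbound allow rules open to every address that are wider than a public web
    service needs. Each rule is (direction, action, protocol, port, source)."""
    findings = []
    for direction, action, proto, port, source in rules:
        if direction != "inbound" or action != "allow" or not is_any_source(source):
            continue
        if proto == "all":
            findings.append((proto, port, "every protocol and port open to all addresses"))
        elif proto == "tcp" and port in ADMIN_PORTS:
            findings.append((proto, port, f"{ADMIN_PORTS[port]} open to all addresses"))
    return findings

def harden(rules, admin_cidr):
    """Apply the page's advice: remote-login rules keep working, but only from admin_cidr."""
    fixed = []
    for direction, action, proto, port, source in rules:
        if direction == "inbound" and proto == "tcp" and port in ADMIN_PORTS and is_any_source(source):
            source = admin_cidr
        fixed.append((direction, action, proto, port, source))
    return fixed

# Inbound rules of the Sys-WebServer template, transcribed from Table 3 (IPv4 rows).
SYS_WEBSERVER = [
    ("inbound", "allow", "icmp", "all", "0.0.0.0/0"),
    ("inbound", "allow", "all", "all", "sg:Sys-WebServer"),
    ("inbound", "allow", "tcp", 443, "0.0.0.0/0"),
    ("inbound", "allow", "tcp", 80, "0.0.0.0/0"),
    ("inbound", "allow", "tcp", 22, "0.0.0.0/0"),
    ("inbound", "allow", "tcp", 3389, "0.0.0.0/0"),
]
# The Sys-FullAccess IPv4 "all from 0.0.0.0/0" row from Table 4, for contrast.
SYS_FULLACCESS_ROW = [("inbound", "allow", "all", "all", "0.0.0.0/0")]

if __name__ == "__main__":
    for proto, port, msg in audit_inbound(SYS_WEBSERVER + SYS_FULLACCESS_ROW):
        print(f"{proto}/{port}: {msg}")
    print(harden(SYS_WEBSERVER, "198.51.100.0/24"))  # constructed admin range; use your own
```

The hardened rule set keeps HTTP, HTTPS and ICMP reachable from the Internet while SSH and RDP are only reachable from the admin range, which is exactly the split the suggestion asks for.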

FAQs