Importing and Exporting Security Group Rules
Scenarios
You can configure security group rules in an Excel file and import the rules to a security group. You can also export security group rules to an Excel file.
You can import and export security group rules in the following scenarios:
- If you want to back up security group rules locally, you can export the rules to an Excel file.
- If you want to quickly create or restore security group rules, you can import your security group rule file to the security group.
- If you want to quickly apply the rules of one security group to another, you can export and import existing rules.
- If you want to modify multiple rules of the current security group at a time, you can export and import existing rules.
Notes and Constraints
- The security group rules to be imported must be configured based on the template. Do not add parameters or change existing parameters. Otherwise, the import will fail.
- If you import a security group rule with Source/Destination set to a security group or IP address group, ensure that the group ID is correct. Otherwise, the import will fail.
- Duplicate security group rules will be ignored during import, whether they already exist in the security group or are included in the rules to be imported. As described in Table 1, rules A, B, and C are duplicate rules.
- Rules A and B have the same direction, action, type, protocol & port, source address, and destination address but different priorities.
- Rules A and C have the same direction, priority, action, type, protocol & port, source address, and destination address.
- Do not import two security group rules with the same Direction, Type, Protocol & Port, and Source/Destination, but different Action configurations. Table 2 shows an example.
- If a rule to be imported conflicts with an existing rule in the security group, the import will fail. In this case, rectify the fault as prompted.
- If rules to be imported conflicts with each other, the import will fail. In this case, rectify the fault as prompted.
- If you want to import rules of the security group in one region to another under one account, only rules with both Source and Destination set to IP address can be applied.
- If you want to import rules of the security group in one account to the security group in another account, only rules with both Source and Destination set to IP address can be applied.
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- Click in the upper left corner and choose Networking > Virtual Private Cloud.
The Virtual Private Cloud page is displayed.
- In the navigation pane on the left, choose Access Control > Security Groups.
The security group list is displayed.
- On the security group list, click the name of the target security group.
- Export and import security group rules.
- Click Export Rule to export all rules of the current security group to an Excel file.
- Click Import Rule to import security group rules from an Excel file into the current security group.
Table 3 describes the parameters in the template for importing rules.
Table 3 Template parameters Parameter
Description
Example Value
Direction
The direction in which the security group rule takes effect.- Inbound: Inbound rules control incoming traffic to instances in the security group.
- Outbound: Outbound rules control outgoing traffic from instances in the security group.
Inbound
Priority
The priority value ranges from 1 to 100. The default value is 1 and has the highest priority. The security group rule with a smaller value has a higher priority.
1
Action
The value can be Allow or Deny.- If the Action is set to Allow, access from the source is allowed to ECSs in the security group over specified ports.
- If the Action is set to Deny, access from the source is denied to ECSs in the security group over specified ports.
Security group rules are matched by priority and then by action. Deny rules take precedence over allow rules. For more information, see How Traffic Matches Security Group Rules.
Allow
Protocol & Port
The network protocol used to match traffic in a security group rule. The protocol can be All, TCP, UDP, GRE, or ICMP.
TCP
Destination port used to match traffic in a security group rule. The value can be from 1 to 65535.
Inbound rules control incoming traffic over specific ports to instances in the security group.
Outbound rules control outgoing traffic over specific ports from instances in the security group.
22, or 22-30
Type
Source IP address version. You can select:- IPv4
- IPv6
IPv4
Source
The source in an inbound rule is used to match the IP address or address range of an external request. The source can be:- IP address:
- Single IP address: IP address/mask
Example IPv4 address: 192.168.10.10/32
Example IPv6 address: 2002:50::44/128
- IP address range in CIDR notation: IP address/mask
Example IPv4 address range: 192.168.52.0/24
Example IPv6 address range: 2407:c080:802:469::/64
- All IP addresses
0.0.0.0/0 represents all IPv4 addresses.
::/0 represents all IPv6 addresses.
- Single IP address: IP address/mask
- Security group: The source is from another security group. You can select a security group in the same region under the current account. Instance A is in security group A and instance B is in security group B. If security group A has an inbound rule with Action set to Allow and Source set to security group B, access from instance B is allowed to instance A.
A security group is in the format of Security group name(Security group ID). An example is sg-test(96a8a93f-XXX-d7872990c314).
- IP address group: An IP address group is a collection of one or more IP addresses. You can select an available IP address group. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in an easier way.
A security group is in the format of IP address group name(IP address group ID). An example is ipGroup-test(96a8a93f-XXX-d7872990c314).
sg-test[96a8a93f-XXX-d7872990c314]
Destination
The destination in an outbound rule is used to match the IP address or address range of an internal request. The destination can be:- IP address
- Single IP address: IP address/mask
Example IPv4 address: 192.168.10.10/32
Example IPv6 address: 2002:50::44/128
- IP address range in CIDR notation: IP address/mask
Example IPv4 address range: 192.168.52.0/24
Example IPv6 address range: 2407:c080:802:469::/64
- All IP addresses
0.0.0.0/0 represents all IPv4 addresses.
::/0 represents all IPv6 addresses.
- Single IP address: IP address/mask
- Security group: The destination is from another security group. Instance A is in security group A and instance B is in security group B. If security group A has an outbound rule with Action set to Allow and Destination set to security group B, access from instance A is allowed to instance B.
A security group is in the format of Security group name(Security group ID). An example is sg-test(96a8a93f-XXX-d7872990c314).
- IP address group: An IP address group is a collection of one or more IP addresses. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in an easier way.
A security group is in the format of IP address group name(IP address group ID). An example is ipGroup-test(96a8a93f-XXX-d7872990c314).
sg-test[96a8a93f-XXX-d7872990c314]
Description
Supplementary information about the security group rule. This parameter is optional.
The security group rule description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
-
Last Modified
The time when the security group was modified.
-
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot