When creating an ECS instance of the VPC network, you can either use the default security group or use other existing security groups in the VPC. A security group is a virtual firewall used to control the inbound and outbound traffic of an ECS instance.
Now you can gain deep insights on ECS and integrate the best practices on the cloud to empower your business on our Academy Day Online Conference in March 5th, 2020 with free ACA Cloud Computing certification exams. Sign up free here now!
Intranet communication
The following are two types of communication methods between ECS instances of the VPC network:
Deny the access of specific IP addresses or ports
You can configure security groups to deny the access of specific IP addresses or ports to an ECS instance.
Allow the remote access of a specific IP address
If you have configured a NAT Gateway or EIP for an ECS instance in a VPC, you can add Allow Windows remote logon and Allow Linux SSH logon to allow Windows remote logon or Linux SSH logon.
Allow access from the Internet to the HTTP/HTTPS service deployed on the ECS instance
If you have deployed a website on an ECS instance in a VPC and configured an EIP or NAT Gateway to provide services, configure Allow access to port 80, Allow access to port 443 and Allow access to port 80 to allow access from the Internet.
For details about the security group rules, you can go to Cases for configuring ECS security groups.
You can add an ECS instance to one or more security groups based on your business needs. An ECS instance can be added to up to five security groups.
A security group controls access to ECS instances. An ECS instance must belong to one or more (up to five) security groups.
Security groups are logically isolated groups of instances that are located within the same region and share the same security requirements while also being mutually accessible. They act as virtual firewalls that provide Stateful Packet Inspection (SPI), also known as dynamic packet filtering. In a security group, security group rules can be used to grant or limit the access of ECS instances to the Internet or local private networks.
Compared with basic security groups, advanced security groups can contain more ECS instances and ENIs, and can manage unlimited private IP addresses. Advanced security groups are applicable to VPC networks, and have a simplified rule adding mechanism. Advanced security groups can be used in scenarios that have higher requirements for O&M efficiency, ECS instance specifications, and computing nodes.
When you create an Alibaba Cloud Elastic Compute Service (ECS) instance, you also create or specify a security group. This security group acts as a firewall controlling what can access your ECS instance. For Linux instances, one of the rules allows SSH (TCP port 22) access. Best practices require that you only allow SSH access from TCP/IP addresses that you control. By only allowing your TCP/IP addresses through the security group (firewall) you reduce the exposure footprint of your ECS instance.
Creating a security group rule for SSH is very easy on the Alibaba Cloud Console. However, keeping that rule up to date with your current TCP/IP address can be a pain. First you must figure out what your public TCP/IP address is, login to the Alibaba Cloud Console, find your security group and then modify the security group with a new rule for your public IP address and finally delete the old rule.
Recently, I have successfully hosted my first three-tier web application, which includes two Elastic Compute Service (ECS) instances, one [ApsaraDB for RDS MySQL] database, a Server Load Balancer, and used Elastic IP and security group to secure them. This is the most common scenario for most applications hosted on the web. Although my system is functioning well, this type of deployment is deficient in terms of cyber security. This is especially true for servers used in production scenarios.
Alibaba Cloud Elastic Compute Service (ECS) provides fast memory and the latest Intel CPUs to help you to power your cloud applications and achieve faster results with low latency. All ECS instances come with Anti-DDoS protection to secure your data and applications from DDoS and Trojan attacks.
Alibaba Cloud protects Alibaba Group's own business, such as Double 11 Global Shopping Festival for 10 years. The accumulated extensive experiences from various and massive security attacks ensure that your business threats and attacks are minimized on the cloud.
Alibaba Cloud offers easy-to-use high-performance virtual machines with data transfer plan starting from $2.50 a month now.
HawkEye: An Efficient Fine-grained Management Solution for Huge Pages
Deploying Your Applications and Websites Easily and Securely on ECS
2,599 posts | 762 followers
FollowAlibaba Clouder - July 19, 2019
ray - April 25, 2024
Guda - October 17, 2018
Alibaba Cloud Community - March 31, 2022
Alibaba Cloud Community - March 23, 2022
Alibaba Clouder - February 25, 2020
2,599 posts | 762 followers
Follow
Managed Security Service
Identify vulnerabilities and improve security management of Alibaba Cloud WAF and Anti-DDoS and with a fully managed security service
Learn More
Security Center
A unified security management system that identifies, analyzes, and notifies you of security threats in real time
Learn MoreMore Posts by Alibaba Clouder
