Overview

Updated at: 2025-01-10 11:29

A security group is a virtual firewall that manages the inbound and outbound traffic of Elastic Compute Service (ECS) instances. You can add ECS instances that have the same security requirements and trust each other to the same security group. This allows you to divide instances into security zones and secure cloud resources. This topic describes the features, types, and best practices of security groups. This topic also describes how to manage the security groups.

Features

When you create an ECS instance, you must specify one or more security groups to which the instance is added. If an ECS instance belongs to multiple security groups, the rules of all of those security groups are evaluated in order. The security group rules are used to allow or reject the inbound or outbound network traffic of the ECS instances.

You can add, modify, or delete a security group rule of a security group. The configuration automatically takes effect on all ECS instances that belong to the security group. A security group rule consists of an authorization object, a destination port, a protocol, an action (allow or deny), and a priority value. You can add inbound and outbound security group rules to a security group. The inbound security group rules are used to manage the inbound traffic of ECS instances that belong to the security group. The outbound security group rules are used to manage the outbound traffic of ECS instances. For more information, see Security group rules.

The security group rules in the security groups to which ECS instances belong apply to the primary elastic network interfaces (ENIs) of the instances. You can specify different security groups for ENIs other than the primary ENI that is associated with an ECS instance that resides in a virtual private cloud (VPC).

When you configure a security group, take note of the following items:

  • A security group takes effect only on the VPC in which the security group resides. If you create an ECS instance in a VPC, you must specify a vSwitch and a security group that reside in the same VPC for the instance.

  • An ECS instance or ENI must belong to at least one security group and can belong to multiple security groups. For information about the upper limit of security groups to which you can add an ECS instance and an ENI, see the Security group limits section of the "Limits" topic.

  • If you do not specify a security group when you create an ECS instance, the system adds the primary ENI of the instance to the default security group. For more information, see Default security groups.

For example, as shown in the following figure, a VPC contains ECS 1 and ECS 2, and the ENIs of both ECS instances are added to Security Group 1. Security Group 1 is a basic security group. By default, the internal networks of ECS 1 and ECS 2 are interconnected. The internal connectivity policy is not affected by the custom security group rules that you configure. The inbound and outbound traffic of ECS 1 and ECS 2 is managed by the custom security group rules of Security Group 1. Based on the inbound security group rules of Security Group 1, you can use any IP address to ping ECS 1 and ECS 2 in Security Group 1. No outbound security group rules are added to Security Group 1. By default, all outbound traffic is allowed.

[Figure: a VPC that contains ECS 1 and ECS 2, whose ENIs are both added to Security Group 1]

Security group types

Basic and advanced security groups

Security groups are classified into basic security groups and advanced security groups, which differ in features and suit different scenarios. You can use both types of security groups free of charge.

  • Basic security group: supports intra-group connectivity. You can add security group rules to a basic security group. Basic security groups contain fewer private IP addresses compared with advanced security groups.

  • Advanced security group: Advanced security groups contain more private IP addresses compared with basic security groups. However, advanced security groups do not allow you to add security group rules that reference other security groups as authorization objects.

When you add an ECS instance to multiple security groups, you can add the ENI that is attached to the instance to security groups only of the same type. We recommend that you select a security group type based on your business requirements. For more information, see Basic security groups and advanced security groups.

Custom security groups and managed security groups

Security groups are classified into custom security groups and managed security groups based on the operation permission. Both custom security groups and managed security groups can be basic security groups or advanced security groups.

  • Custom security group: You can use your Alibaba Cloud account to create custom security groups in the ECS console. You have the permissions to perform operations on the custom security groups. The default security group is also a custom security group. For more information, see Create a security group.

  • Managed security group: You can create a managed security group for Alibaba Cloud services. You can only view the managed security group. You cannot perform operations on the managed security group. For more information, see Managed security group.

A security group is considered a managed security group if one of the following conditions is met: The value of ServiceManaged is True in the response when you call the DescribeSecurityGroups operation to query information about the security group, or a message similar to "This security group is managed by a cloud service and cannot be modified" is displayed for the security group in the ECS console.

Best practices

This section describes the best practices for using security groups.

  • Make a plan

    You can configure the name, description, tags, and resource group of a security group based on your business requirements. We recommend that you configure these parameters to help you identify and manage security groups.

  • Use the whitelist

    By default, all access to a security group is denied. You can add a rule to the security group to allow access from specific authorization objects on specific ports.

  • Follow the principle of least privilege when you add security group rules

    For example, if you want to allow connections to be established to port 22 on a Linux instance, we recommend that you add a security group rule to allow access only from specific IP addresses instead of all IP addresses (0.0.0.0/0).

  • Follow the principle of least privilege for intra-group access

    For example, if you do not require intra-group connectivity between the ECS instances in a security group, change the internal access control policy of the security group from intra-group connectivity to internal isolation.

  • Keep the rules in each security group concise

    Add security group rules to security groups based on the purposes of the security groups, and then add ECS instances to the security groups. Adding a large number of security group rules to a single security group increases management complexity. You can perform a health check on a security group to identify redundant security group rules in the security group. For more information, see the Check for Redundant Rules in Security Groups section in the "Manage security group rules" topic.

  • Add instances that serve different purposes to different security groups and separately maintain the rules for each group

    For example, you can add ECS instances that are accessible over the Internet to the same security group and allow access only on specific ports that provide external services, such as ports 80 and 443. By default, access to other ports is denied. To ensure that the ECS instances that are accessible over the Internet do not provide other services, such as MySQL and Redis, we recommend that you deploy internal services on the instances that are inaccessible over the Internet, and then add the instances to another security group.

  • Do not modify security groups that are used in the production environment

    You can clone a security group to the test environment and modify the clone security group. If the ECS instances in the clone security group run as expected after the modifications, modify the rules of the original security group in the production environment.
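The following script is an added example, not Alibaba Cloud's own tooling: it audits a list of inbound rules for the two problems described above, rules that open non-web ports to 0.0.0.0/0 and rules that are redundant because another rule in the same group already covers them. The input mimics the Permissions.Permission list that DescribeSecurityGroupAttribute returns (field names assumed from the API; the sample values are constructed).

```python
"""Audit security group rules against the best practices above (added example)."""
import ipaddress

# Constructed sample, modelled on DescribeSecurityGroupAttribute output (assumed shape).
SAMPLE_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": "1"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": "1"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3306/3306",
     "SourceCidrIp": "10.0.1.0/24", "Policy": "Accept", "Priority": "1"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3306/3306",
     "SourceCidrIp": "10.0.1.8/32", "Policy": "Accept", "Priority": "1"},
]

# Ports the page names as acceptable on Internet-facing instances.
PUBLIC_OK_PORTS = {80, 443}


def _ports(rule):
    lo, hi = rule["PortRange"].split("/")
    return int(lo), int(hi)


def _covers(a, b):
    """True if rule ``a`` already allows everything rule ``b`` allows.

    Only CIDR-based rules are compared; rules that reference another security
    group (no SourceCidrIp) are skipped. Deny rules that might sit between the
    two in priority order are not considered (a deliberate simplification).
    """
    if (a["Direction"], a["IpProtocol"], a["Policy"]) != (b["Direction"], b["IpProtocol"], b["Policy"]):
        return False
    if not a.get("SourceCidrIp") or not b.get("SourceCidrIp"):
        return False
    a_lo, a_hi = _ports(a)
    b_lo, b_hi = _ports(b)
    a_net = ipaddress.ip_network(a["SourceCidrIp"])
    b_net = ipaddress.ip_network(b["SourceCidrIp"])
    return (a_net.version == b_net.version and a_lo <= b_lo <= b_hi <= a_hi
            and b_net.subnet_of(a_net))


def audit(rules):
    """Return (overbroad, redundant) lists of rules from ``rules``."""
    overbroad, redundant = [], []
    for i, r in enumerate(rules):
        lo, hi = _ports(r)
        if (r["Direction"] == "ingress" and r["Policy"] == "Accept"
                and r.get("SourceCidrIp") == "0.0.0.0/0"
                and not set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS):
            overbroad.append(r)  # Internet-wide access on a non-web port
        if any(j != i and _covers(o, r) for j, o in enumerate(rules)):
            redundant.append(r)  # fully covered by another rule in the group
    return overbroad, redundant
```

Running `audit(SAMPLE_RULES)` flags the port 22 rule as overbroad and the /32 MySQL rule as redundant, since the /24 rule already allows it.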

Operations

The first time you use security groups, we recommend that you perform the following steps:

  1. If you do not use the default security group when you create an ECS instance or the default security group does not meet your business requirements, you must create a separate security group. For more information, see Manage security groups.

  2. Different types of security groups have specific invisible default Resource Access Management (RAM) rules. If the inbound and outbound security group rules of a security group do not meet your business requirements, you must manually add inbound and outbound security group rules to the security group. For more information, see Add Security Group Rules.

  3. If you want to add an ECS instance (primary ENI) or a secondary ENI to a different security group, you can manually add the instance to the different security group. For more information, see Manage ECS instances in security groups and Manage ENIs in security groups.

You can perform the following operations on the security group in the ECS console or by calling API operations.


References

  • For information about security group quotas, see the Security group limits section of the "Limits" topic.

  • You can attach multiple ENIs to an ECS instance. For more information, see Overview.

  • You can improve the security of your ECS instances by using security groups or by combining security groups with other methods. For more information, see ECS instance security.
