A security group acts as a virtual firewall that can control inbound and outbound traffic for Elastic Compute Service (ECS) instances. You can add an ECS instance to one or more security groups based on your business requirements. You can also change the security groups to which an instance belongs.
Limits
An ECS instance must belong to at least one security group. By default, an ECS instance can be added to up to five security groups. For more information, see the Security group limits section of the "Limits" topic.
An ECS instance and the security groups to which you want to add the instance must use the same network type. If the ECS instance and the security groups all use the Virtual Private Cloud (VPC) network type, they must belong to the same VPC.
Security groups are classified into basic and advanced security groups. Each ECS instance can be added to multiple security groups only of the same type. For more information, see Basic security groups and advanced security groups.
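The three limits above can be checked before a membership change is submitted. The following added example (not code from the ECS console or the Alibaba Cloud SDK; the `SecurityGroup` and `Instance` classes and the `membership_violations` function are constructed here) validates a proposed set of security groups for an instance against the at-least-one, at-most-five, same-network-type, same-VPC and same-group-type rules:

```python
from dataclasses import dataclass
from typing import List

MAX_GROUPS_PER_INSTANCE = 5  # default limit stated on this page

@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    network_type: str   # "vpc" or "classic"
    group_type: str     # "basic" or "advanced"
    vpc_id: str = ""    # only meaningful when network_type == "vpc"

@dataclass(frozen=True)
class Instance:
    instance_id: str
    network_type: str
    vpc_id: str = ""

def membership_violations(instance: Instance, groups: List[SecurityGroup]) -> List[str]:
    """Return every reason why `groups` is not a valid security-group set for `instance`.
    An empty list means the change satisfies the limits described on this page."""
    problems: List[str] = []
    if not groups:
        problems.append("instance must belong to at least one security group")
    if len(groups) > MAX_GROUPS_PER_INSTANCE:
        problems.append(f"instance may belong to at most {MAX_GROUPS_PER_INSTANCE} security groups")
    for g in groups:
        if g.network_type != instance.network_type:
            problems.append(f"{g.group_id}: network type {g.network_type} differs from instance")
        elif g.network_type == "vpc" and g.vpc_id != instance.vpc_id:
            problems.append(f"{g.group_id}: VPC {g.vpc_id} differs from instance VPC {instance.vpc_id}")
    if len({g.group_type for g in groups}) > 1:
        problems.append("all security groups must be of the same type (basic or advanced)")
    return problems
```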
Add an ECS instance to or remove an ECS instance from security groups or replace the security groups of an ECS instance
If the security groups of an ECS instance do not meet your business requirements, you can add the instance to or remove the instance from specific security groups or replace the security groups of the instance.
Manage the security groups of an existing ECS instance
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Instance page, find one or more ECS instances that you want to manage, and add the instances to or remove the instances from specific security groups or replace the security groups of the instances based on your business requirements.
Manage the security groups of a single ECS instance
Find the ECS instance that you want to manage and choose > Network and Security Group > Modify Security Group in the Actions column. Then, follow the on-screen instructions to perform subsequent operations.
Manage the security groups of multiple ECS instances
Find the ECS instances that you want to manage and choose More > Network and Security Group > Add to Security Group, Remove from Security Group, or Replace Security Groups in the lower part of the page. Then, follow the on-screen instructions to perform subsequent operations.
Add an ECS instance to security groups when you create the instance
When you create an ECS instance, you can add the instance to one or more security groups. For more information, see Create an instance on the Custom Launch tab.
Add ECS instances to or remove ECS instances from a security group
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the security group that you want to manage and choose > Manage Instances in the Operation column.
On the ECS Instances tab, add ECS instances to or remove ECS instances from the security group as prompted.
Use the default security group when you create an ECS instance in the ECS console
If you create an ECS instance in the ECS console and no security groups are available, the system creates a default security group. In this case, you can select the IPv4 ports and protocols that you want to open in the default security group based on your business requirements.
For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
Attributes of default security groups
The following section describes the attributes of each default security group.
Security group type: basic security group.
Network type: same as the network type of the created ECS instance.
Default security group rules:
The security group rules have a priority of 100.
Note: The default security group rules that are created before May 27, 2020 have a priority of 110.
Rule description:
Outbound: By default, all outbound access is allowed, so all outbound traffic from ECS instances in the default security group is permitted.
Inbound: By default, only inbound ICMP access and inbound access on port 22 and port 3389 are allowed. You can specify whether to allow inbound access on HTTP port 80 and HTTPS port 443. If you use ECS instances to build websites, you must allow access on HTTP port 80 and HTTPS port 443.
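The default rule set above can be modelled to check what a new instance admits before it is exposed. The following added example (constructed for this page, not code from the ECS console or the Alibaba Cloud SDK) builds the default rules with their priority, evaluates a flow against them, and lists the management ports (22 and 3389) that are open inbound by default. It assumes that rules with a lower priority number are evaluated first and that inbound traffic matching no rule is denied.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORT = (-1, -1)  # port range that matches every port (ICMP and all-traffic rules)

@dataclass(frozen=True)
class Rule:
    direction: str               # "inbound" or "outbound"
    protocol: str                # "tcp", "udp", "icmp" or "all"
    port_range: Tuple[int, int]  # inclusive (low, high), or ANY_PORT
    policy: str                  # "accept" or "drop"
    priority: int                # lower number is evaluated first (assumption)

def default_rules(open_web_ports: bool = False, created_before_2020_05_27: bool = False) -> List[Rule]:
    """Model the default security group rules described on this page."""
    prio = 110 if created_before_2020_05_27 else 100  # rules created before May 27, 2020 use 110
    rules = [
        Rule("outbound", "all", ANY_PORT, "accept", prio),     # all outbound traffic allowed
        Rule("inbound", "icmp", ANY_PORT, "accept", prio),     # ICMP allowed in
        Rule("inbound", "tcp", (22, 22), "accept", prio),      # SSH
        Rule("inbound", "tcp", (3389, 3389), "accept", prio),  # RDP
    ]
    if open_web_ports:  # the optional HTTP/HTTPS selection offered in the console
        rules += [Rule("inbound", "tcp", (80, 80), "accept", prio),
                  Rule("inbound", "tcp", (443, 443), "accept", prio)]
    return rules

def matches(rule: Rule, direction: str, protocol: str, port: int) -> bool:
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    low, high = rule.port_range
    return rule.port_range == ANY_PORT or low <= port <= high

def is_allowed(rules: List[Rule], direction: str, protocol: str, port: int = 0) -> bool:
    """First matching rule in priority order decides; no match means deny (assumed implicit deny)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, direction, protocol, port):
            return rule.policy == "accept"
    return False

def exposed_management_ports(rules: List[Rule]) -> List[int]:
    """Defender check: management ports the rule set admits inbound (22 = SSH, 3389 = RDP)."""
    return [p for p in (22, 3389) if is_allowed(rules, "inbound", "tcp", p)]
```

Because the default group admits SSH and RDP inbound, the check is a useful prompt to replace those rules with ones scoped to known source addresses before the instance goes live.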
Default security groups displayed on the Security group page
If a security group is displayed on the Security group page in the ECS console and has a description similar to System created security group, the security group is a default security group.
You can add or modify security group rules in addition to the default security group rules to control inbound and outbound traffic, and you can manage the association between the default security group and instances and elastic network interfaces (ENIs) in a more fine-grained manner.
If the default security group rules do not meet your business requirements, you can create a custom security group, configure new security group rules, and then associate the rules with ECS instances or ENIs. For more information, see Create a security group.