A security group is a virtual firewall that manages inbound and outbound traffic of Elastic Compute Service (ECS) instances. This facilitates network isolation and connectivity. This topic describes how to create, query, modify, or delete security groups.
Usage notes
Make sure that you are familiar with the capabilities and usage recommendations of security groups. For more information, see Overview.
Security groups are classified into basic and advanced security groups. The two types of security groups differ in terms of capacity, internal access control policy of a security group, whether a security group can be added as the authorization object, and access control rules. For more information, see Basic security groups and advanced security groups.
For information about the limits on security groups and prefix lists, see the Security group limits section of the "Limits" topic.
Create a security group
If you did not create custom security groups in the selected region when you created an ECS instance, a default security group is automatically created. If you want to add an ECS instance to a custom security group, you must manually create the security group.
By default, the internal connectivity policy of a basic security group is intra-group interworking. You can modify the internal connectivity policy. For more information, see Modify the internal access control policy of a basic security group.
Use the ECS console
Go to the Security Groups page.
Log on to the ECS console.
In the left-side navigation pane, open the Security Groups page.
In the top navigation bar, select the region and resource group to which the resource belongs.
Click Create Security Group.
In the Basic Information section, configure the basic information about the security group.
Configure the security group parameters to facilitate identification of the security group that you want to create. The parameters include the security group name, description, resource group, and tags.
Specify a network. You can select the classic network or a virtual private cloud (VPC). For more information, see Network types.
Specify the type of the security group. You can select the basic or advanced security group type. For more information, see Basic security groups and advanced security groups.
In the Access Rule section, configure security group rules.
By default, basic security group rules are configured in the security group. To add custom security group rules, perform the following steps. For more information, see Add a security group rule.
Click the Inbound or Outbound tab based on the direction of the security group rules that you want to create.
Click Add Rule.
Configure custom security group rules. For more information about security group rules, see Security group rules.
Click Create Security Group.
After you create the security group, you can view the security group on the security group list page. For more information, see Search for security groups.
Call API operations
You can call the CreateSecurityGroup operation to create a security group. For more information, see CreateSecurityGroup.
Clone a security group
You can clone security groups to quickly create identical security groups across regions and network types. The clone operation is suitable for scenarios such as copying a large number of security group rules to another region or backing up a large number of security group rules.
Before you clone a security group from the classic network to a VPC, make sure that at least one VPC is available in the destination region. For more information, see Create and manage a VPC.
You may need to clone a security group in the following scenarios:
You create a security group named SG1 in Region A and you want to apply the same rules as those of SG1 to instances in Region B. You can clone SG1 to Region B without the need to create a new security group.
You create a security group named SG2 in the classic network and you want to apply the same rules as those of SG2 to instances that reside in a VPC. You can clone SG2 and select VPC as the network type for the clone security group in the Clone dialog box.
Before you apply new security group rules to an ECS instance on which an application is running, you can clone the current security groups of the instance to back up security group rules.
By default, a clone security group contains only the security group rules of the original security group. The ECS instances and elastic network interfaces (ENIs) that are associated with the original security group are not cloned.
Use the ECS console
In the left-side navigation pane, open the security group list page. Find the security group that you want to clone and click Clone Security Group in the Operation column.
In the Clone Security Group dialog box, configure the clone security group.
Destination Region: Select a region for the clone security group.
Security Group Name: Specify a name for the clone security group.
VPC ID: Select a network type for the clone security group. You can select Classic Network or a VPC ID. If no VPC is available, click Create a VPC to go to the VPC console to create a VPC.
Retention Rule: Select whether to retain all rules of the original security group. If you select the check box, all rules of the original security group are cloned and rule priorities that are higher than 100 are reset to 100. Otherwise, the rules are discarded and removed from the clone security group.
Description: Specify a description for the clone security group.
Copy Tags of Current Security Group: Specify whether to copy the tags of the original security group to the clone security group.
Click Confirm.
Note: After the security group is cloned, the Clone Security Group dialog box closes. You can view the clone security group in the destination region on the Security Groups page.
After you clone a security group, you can perform the following operations:
Add cloud resources, such as ECS instances and ENIs, to the clone security group. For more information, see Manage resources associated with security groups.
Modify the rules or access control policies of the clone security group based on your business requirements to make sure that the security group adapts to the new network environment and security policies. For more information, see Modify a security group rule and Modify the internal access control policy of a basic security group.
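The clone semantics described above, as an added example that is not Alibaba Cloud's own code: only rules are copied, rule priorities above 100 are reset to 100, instance and ENI associations are dropped, and a clone into a VPC requires that VPC to exist in the destination region. The names Rule, SecurityGroup, clone_security_group and the sample group are assumptions for illustration.

```python
# Added example (not Alibaba Cloud code): models the clone operation the page
# describes. Class and function names are assumptions for illustration.
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # e.g. "tcp"
    port_range: str  # e.g. "22/22"
    source: str      # CIDR block, or a security group ID used as authorization object
    priority: int    # lower value = higher precedence; clone resets values above 100 to 100

@dataclass
class SecurityGroup:
    group_id: str
    name: str
    region: str
    network: str              # "classic" or a VPC ID
    rules: list
    description: str = ""
    instances: list = field(default_factory=list)  # ECS instance IDs, never cloned
    enis: list = field(default_factory=list)       # ENI IDs, never cloned
    tags: dict = field(default_factory=dict)

def clone_security_group(src, *, new_id, dest_region, network, name, description="",
                         retain_rules=True, copy_tags=False, vpcs_in_dest=()):
    """Return a clone of src in dest_region with the retention options applied."""
    if network != "classic" and network not in vpcs_in_dest:
        # Cloning into a VPC needs an existing VPC in the destination region.
        raise ValueError(f"VPC {network} is not available in {dest_region}")
    if retain_rules:
        # All rules are kept; priorities higher than 100 are reset to 100.
        rules = [replace(r, priority=min(r.priority, 100)) for r in src.rules]
    else:
        rules = []  # rules are discarded when the retention check box is cleared
    return SecurityGroup(group_id=new_id, name=name, region=dest_region, network=network,
                         rules=rules, description=description,
                         tags=dict(src.tags) if copy_tags else {})

# Constructed sample (not real data): SG2 in the classic network of region-a,
# with one rule whose priority exceeds 100 and one attached instance.
SG2 = SecurityGroup("sg-src-example", "SG2", "region-a", "classic",
                    rules=[Rule("inbound", "tcp", "22/22", "10.0.0.0/8", 1),
                           Rule("inbound", "tcp", "443/443", "0.0.0.0/0", 150)],
                    instances=["i-example-1"], tags={"env": "prod"})

if __name__ == "__main__":
    clone = clone_security_group(SG2, new_id="sg-clone-example", dest_region="region-b",
                                 network="vpc-example", name="SG2-vpc", copy_tags=True,
                                 vpcs_in_dest=["vpc-example"])
    print([r.priority for r in clone.rules], clone.instances, clone.tags)
```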
Modify a security group
After you create a security group, you can modify the name, description, and tags of the security group based on your business requirements.
Use the ECS console
In the left-side navigation pane, open the security group list page. Find the security group that you want to modify.
Modify the name and description of a security group
Move the pointer over the security group name in the Security Group ID/Name column or the description in the Description column, and then click the edit icon that appears.
In the dialog box that appears, enter a new name or description and click Confirm.
Note: Security group name: The new name must be 2 to 128 characters in length and cannot start with a special character or digit. The name can contain letters, digits, periods (.), underscores (_), hyphens (-), and colons (:).
Description: The new description must be 2 to 256 characters in length and cannot start with http:// or https://.
Modify the tags of a security group
Tags can be used to identify resources with the same characteristics for easy search and management, such as security groups that belong to the same organization or that serve the same purpose. For information about tags, see Tags.
Modify the tags of a security group based on your business requirements.
If no tags are added to the security group, move the pointer over the icon in the Tag column and click Edit.
If tags are added to the security group, move the pointer over the tag icon in the Tag column and click Edit.
In the Configure Tags dialog box, select or create tags. Then, click OK.
Note: After tags are added to your security groups, you can filter the security groups by tag to perform different operations. For example, you can add ECS instances to security groups that have a specific set of tags or add rules to security groups that have a different set of tags.
Call API operations
You can call the ModifySecurityGroupAttribute operation to modify the name or description of a security group. For more information, see ModifySecurityGroupAttribute.
Search for a security group
After you create a security group, you can query the security group by security group name, security group ID, or VPC ID.
Use the ECS console
In the left-side navigation pane, open the security group list page. Use the search box on the page to search for a security group.
You can select Security Group Name or Security Group ID and specify a security group name or ID to perform an exact search. You can also select VPC ID and enter a VPC ID to query all security groups in a specific VPC.
Call API operations
You can call the DescribeSecurityGroups operation to query one or more security groups. For more information, see DescribeSecurityGroups.
Delete a security group
You can delete security groups that you no longer require. When a security group is deleted, the rules in the security group are also deleted.
Before you delete a security group, make sure that the following conditions are met:
The security group that you want to delete does not contain ECS instances or ENIs. If the security group contains ECS instances or ENIs, you cannot delete the security group. Move the ECS instances or ENIs out of the security group before you delete the security group. For more information, see Manage ECS instances in a security group or Manage ENIs in a security group.
The security group that you want to delete is not referenced as an authorization object by security group rules in other security groups. If the security group is referenced as an authorization object by security group rules in other security groups, you cannot delete the security group. Delete those security group rules before you delete the security group. For more information, see Delete a security group rule.
If deletion protection is enabled for a security group, you cannot delete the security group.
Deletion protection is enabled for a security group if one of the following conditions is met:
The InvalidOperation.DeletionProtection error code is returned when you call the DeleteSecurityGroup operation to delete the security group.
A message similar to Deletion Protection is displayed when you delete the security group in the ECS console.
When you create a Container Service for Kubernetes (ACK) cluster, the deletion protection feature is enabled for an associated security group to prevent accidental deletion. You cannot manually disable the deletion protection feature for the security group. The deletion protection feature can be automatically disabled only after the ACK cluster is deleted. For more information, see Disable deletion protection for a security group.
Use the ECS console
In the left-side navigation pane, open the security group list page. Find one or more security groups that you want to delete and use one of the following methods to delete them:
To delete a single security group, find the security group and click Delete in the Operation column.
To delete one or more security groups at a time, select the security groups and click Batch Delete in the lower part of the page.
In the Delete Security Group message, confirm the information and click Confirm.
If the security group is not associated with ECS instances or ENIs, and the Delete Security Group dialog box still prompts that the security group cannot be deleted, you can click Force-delete.
Call API operations
You can call the DeleteSecurityGroup operation to delete a security group. For more information, see DeleteSecurityGroup.
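A pre-deletion check that applies the three blocking conditions from this section before DeleteSecurityGroup is called, as an added example that is not Alibaba Cloud's own code. Group, check_deletable, referencing_groups and the inventory are assumptions for illustration; the inventory is constructed, not real API output.

```python
# Added example (not Alibaba Cloud code): checks a security group against the
# deletion preconditions the page lists. Names are assumptions for illustration.
from dataclasses import dataclass, field

# Error code the page names for a group that has deletion protection enabled.
DELETION_PROTECTION_CODE = "InvalidOperation.DeletionProtection"

@dataclass
class Group:
    group_id: str
    rule_sources: list = field(default_factory=list)  # authorization objects of its rules: CIDRs or group IDs
    instances: list = field(default_factory=list)     # ECS instances still in the group
    enis: list = field(default_factory=list)          # ENIs still in the group
    deletion_protection: bool = False                 # set automatically for ACK cluster groups

def referencing_groups(inventory, target_id):
    """IDs of *other* groups whose rules use target_id as an authorization object."""
    return sorted(g.group_id for g in inventory.values()
                  if g.group_id != target_id and target_id in g.rule_sources)

def check_deletable(inventory, target_id):
    """Return the blockers for deleting target_id; an empty list means it can be deleted."""
    g = inventory[target_id]
    blockers = []
    if g.instances or g.enis:
        blockers.append(f"move {len(g.instances)} instance(s) and {len(g.enis)} ENI(s) "
                        f"out of {target_id} first")
    refs = referencing_groups(inventory, target_id)
    if refs:
        blockers.append(f"delete the rules that reference {target_id} in: " + ", ".join(refs))
    if g.deletion_protection:
        blockers.append(f"deletion protection is enabled ({DELETION_PROTECTION_CODE}); "
                        "it is disabled only after the owning ACK cluster is deleted")
    return blockers

def explain_delete_error(code):
    """Map a DeleteSecurityGroup error code to the guidance given on the page."""
    if code == DELETION_PROTECTION_CODE:
        return "deletion protection enabled: the group is released when its ACK cluster is deleted"
    return f"unhandled error code {code}"

# Constructed inventory: sg-web still holds an ENI and is referenced by sg-app's rules;
# sg-app references itself, which does not block its own deletion.
INVENTORY = {
    "sg-web": Group("sg-web", rule_sources=["0.0.0.0/0"], enis=["eni-example"]),
    "sg-app": Group("sg-app", rule_sources=["sg-web", "sg-app"]),
    "sg-ack": Group("sg-ack", deletion_protection=True),
    "sg-old": Group("sg-old"),
}

if __name__ == "__main__":
    for gid in INVENTORY:
        print(gid, check_deletable(INVENTORY, gid) or ["deletable"])
```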
FAQ and best practices for security groups
For information about security group configurations, security group rules, inaccessible ECS instances, host penalties and unblocking procedures, and resource quota management, see Security FAQ.
For information about how to configure the Protocol Type and Port Range parameters, see Common ports and Change the default port used by an instance to accept connections.
You can add cloud resources, such as ECS instances or ENIs, to a new security group. For more information, see Manage ECS instances in security groups and Manage ENIs in security groups.
For information about how to modify the internal access control policy of a security group, see Modify the internal access control policy of a basic security group.
You can modify the tag values of multiple cloud resources at a time in the OOS console. For more information, see CloudOps Orchestration Service (OOS).
If you enable a firewall on an ECS instance and also configure security group rules that block external access, you may be unable to connect to the instance. For more information, see the best practices for enabling and disabling the system firewall and the other best practices and use cases for configuring security group rules.