You can add rules to a security group to control inbound and outbound traffic for Elastic Compute Service (ECS) instances in the security group. You can use security group rules in various scenarios, such as to allow or deny specific network traffic, close ports, restrict traffic of specific protocols, and configure access permissions on applications. This topic describes how to add a security group rule in the ECS console.
Background information
Alibaba Cloud provides examples on how to configure security group rules in common scenarios. For more information, see Security groups for different use cases.
This topic is suitable for the following scenarios:
When an application deployed on your ECS instance initiates a request to a network external to the security groups of the instance and the request remains in the waiting state, you must add a security group rule to allow the request.
When applications that are running on ECS instances suffer attacks from some request sources, you can add security group rules to deny access from the request sources.
Before you add security group rules, take note of the following items:
Before you add rules to a basic or advanced security group, take note that the security group contains default rules. For more information, see Basic security groups and advanced security groups.
A security group can contain only a limited number of rules. We recommend that you add the minimum number of rules. For more information, see Security group rules.
Procedure
1. Go to the security group list page.
   a. Log on to the ECS console.
   b. In the left-side navigation pane, choose .
   c. In the upper-left corner of the top navigation bar, select a region.
2. Find the security group to which you want to add a rule and click Manage Rules in the Operation column.
3. Select a direction of security group rules.
   - If the security group resides in a virtual private cloud (VPC), click the Inbound or Outbound tab.
   - If the security group resides in the classic network, click the Inbound, Outbound, Internet Ingress, or Internet Egress tab.
4. Add a security group rule.
   Method 1: Quickly add a security group rule
   This method is suitable for configuring common TCP rules. Click Quick Add. In the Quick Add dialog box, configure Action and Authorization Object and select one or more ports.
   Method 2: Manually add a security group rule
   Configure parameters such as Action, Priority, Protocol Type, Port Range, and Authorization Object to add a security group rule. Perform the following steps:
   a. Click Add Rule.
   b. Configure the rule that you want to add to the rule list. For information about how to configure a security group rule, see Security group rules.
   c. Click Save in the Actions column.
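Before you save a deny rule for an attacking source, it helps to check that the new rule outranks the allow rules already in the group. The following is an added example, not Alibaba Cloud code and not part of the original topic: an offline model of rule evaluation built on the Action, Priority, Protocol Type, Port Range, and Authorization Object parameters. It assumes that priorities run from 1 to 100 with the smaller number winning, that a deny rule wins over an allow rule of equal priority, and that unmatched inbound traffic is denied; confirm these against Security group rules. The names Rule and decide are hypothetical.

```python
# Added example: offline model of security group rule evaluation (not Alibaba Cloud code).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny" (the Action parameter)
    priority: int      # assumed range 1-100; smaller number = higher priority
    protocol: str      # "tcp", "udp", "icmp" or "all" (Protocol Type)
    port_range: str    # "start/end"; "-1/-1" means every port (Port Range)
    source: str        # IPv4 CIDR block (Authorization Object)

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError(f"bad action: {self.action}")
        if not 1 <= self.priority <= 100:
            raise ValueError(f"bad priority: {self.priority}")
        ipaddress.ip_network(self.source)   # raises ValueError on a malformed CIDR
        lo, hi = self.ports()
        if (lo, hi) != (-1, -1) and not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {self.port_range}")

    def ports(self):
        lo, hi = self.port_range.split("/")
        return int(lo), int(hi)

    def matches(self, protocol, port, src_ip):
        lo, hi = self.ports()
        return (self.protocol in ("all", protocol)
                and ((lo, hi) == (-1, -1) or lo <= port <= hi)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))

def decide(rules, protocol, port, src_ip, default="deny"):
    """Return the action applied to one inbound connection attempt."""
    hits = [r for r in rules if r.matches(protocol, port, src_ip)]
    if not hits:
        return default   # assumed default for unmatched inbound traffic
    # Lowest priority number wins; on a tie, deny beats allow (assumption).
    return min(hits, key=lambda r: (r.priority, r.action != "deny")).action

# Constructed sample rule set (documentation addresses from RFC 5737).
EXISTING = [Rule("allow", 1, "tcp", "443/443", "0.0.0.0/0")]
WEAK_DENY = Rule("deny", 10, "tcp", "443/443", "203.0.113.0/24")   # outranked by the allow
GOOD_DENY = Rule("deny", 1, "tcp", "443/443", "203.0.113.0/24")    # ties, so deny wins

if __name__ == "__main__":
    for name, extra in (("priority 10", WEAK_DENY), ("priority 1", GOOD_DENY)):
        print(name, "->", decide(EXISTING + [extra], "tcp", 443, "203.0.113.7"))
```

Under these assumptions, the deny rule at priority 10 never takes effect because the existing allow rule at priority 1 matches first, while the same deny rule at priority 1 blocks the source.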
FAQ
For information about the Protocol Type and Port Range parameters, see Common ports or What is the relationship between protocol types and port ranges in security group rules?
For information about the reasons why services on instances cannot be accessed after the instances are added to security groups, see Why am I unable to access services after I configure a security group?
For information about the reasons why TCP port 80 and TCP port 25 cannot be accessed, see Why am I unable to access TCP port 80? and Why am I unable to access TCP port 25?
For more information about security group rules, see Security FAQ.
References
You can call the following API operations to add security group rules:
AuthorizeSecurityGroup: adds an inbound security group rule.
AuthorizeSecurityGroupEgress: adds an outbound security group rule.