
Elastic Compute Service:Manage security group rules

Last Updated:Jan 21, 2025

You can use security group rules to manage inbound and outbound traffic of Elastic Compute Service (ECS) instances. Security group rules are suitable for various scenarios, such as to allow or deny specific network traffic, close unnecessary ports, restrict traffic of specific protocols, and configure access permissions on applications. This topic describes how to add, modify, query, delete, import, and export security group rules.

Instructions

Before you manage security group rules, take note of the following items:

You can configure inbound rules for a security group to control traffic to ECS instances in the security group and outbound rules to control traffic from the instances. When an ECS instance belongs to multiple security groups, the rules of all of those security groups are sorted and evaluated in order. Security group rules allow or reject the inbound or outbound network traffic of the ECS instance.

  • For more information about security group capabilities and usage suggestions, see Overview.

  • In addition to custom security group rules, security groups contain default access control rules that take effect but are invisible. For more information, see Basic security groups and advanced security groups.

  • For information about the composition of a security group rule and sorting policy of security group rules, see Security group rules.

  • A security group can contain only a limited number of rules. We recommend that you add the minimum number of rules. For more information, see the Security group limits section in the "Limits" topic.

Scenarios

  • If your ECS instance needs to provide external services, you can add inbound security group rules that allow inbound access.

  • When your ECS instance is under attacks, you can add inbound security group rules to deny inbound access.

  • If you want the ECS instance to actively connect to external networks, you must determine whether to add outbound security group rules that allow outbound access based on the security group type and internal connectivity policy.

  • If you no longer want to control outbound or inbound traffic, you can delete security group rules in the corresponding direction.

  • If you want to quickly copy rules in a security group to other security groups, you can export and import security group rules. For more information, see the Import and export security group rules section of this topic.

  • For information about more scenarios for which security groups are suitable, see Security groups for different use cases.

Add a security group rule

A security group rule is defined by attributes such as the action, priority, protocol type, port range, and authorization object. If traffic matches the authorization object, port range, and protocol type of a security group rule, the traffic matches the security group rule. Then, the system determines whether the traffic is allowed based on the priority and action defined in the security group rule. If traffic does not match a security group rule, the default security group rule is used.

  • Authorization object: the source of traffic for inbound rules or the destination of traffic for outbound rules. You can configure multiple IP addresses, security groups, and prefix lists.

    If you specify security groups and prefix lists as authorization objects in a security group rule, the security group rule takes effect on all IP addresses in the specified security groups and prefix lists.

    If you want to allow resources in different security groups to communicate with each other, you must configure security group rules to allow mutual access between the security groups. To allow access over the internal network, you must specify security groups as authorization objects, instead of CIDR blocks.

    By default, no inbound security group rules allow access to the internal network for ECS instances that reside in the classic network. For security reasons, we recommend that you do not enable access based on CIDR blocks.

  • Port range: the ports used to match traffic. For more information, see Common ports.

  • Protocol type: the protocol type of traffic.

    • TCP is mainly suitable for applications that require high reliability, such as web browsing, e-mail transmission, remote logon, and file uploading and downloading.

    • UDP is mainly suitable for applications that have higher requirements for speed than for accuracy, such as online games and video conferencing.

    • Internet Control Message Protocol (ICMP) is mainly used to transmit control information between network devices in scenarios such as the use of ping commands and the transmission of error reports and diagnostic information.

    • Generic Routing Encapsulation (GRE) is mainly suitable for applications that require high security and whose data is transmitted across different networks, such as IP over IP.

  • Priority: the priority of the matching traffic. A value of 1 indicates the highest priority.

    For rules that have different priorities, traffic is matched against the rule that has a higher priority. If the rule that has a higher priority matches the traffic, the action specified in the rule is executed on the traffic, and the rule that has a lower priority is not applied to the traffic.

    For rules that have the same priority but different actions, the deny rule is applied. If the deny rule does not match traffic, the allow rule is applied.

  • Action: specifies whether to allow or reject traffic.
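The following added example, which is not part of the original topic or of any Alibaba Cloud SDK, models the matching logic described above in Python: a packet matches a rule only when protocol type, port range and authorization object all match; rules are tried from priority 1 downward; at equal priority the deny rule is applied before the allow rule; the first matching rule decides and lower-priority rules are not consulted; if nothing matches, the default rule applies. The Rule and Packet classes, the sample rule set and the addresses are constructed for illustration, and the default action is assumed to be deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Constructed model of a security group rule with the attributes listed above:
# action, priority (1 = highest), protocol type, port range, authorization object.
@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "drop"
    priority: int      # 1..100, 1 is the highest priority
    protocol: str      # "tcp", "udp", "icmp", "gre" or "all"
    port_from: int     # -1 for protocols that carry no port (icmp, gre, all)
    port_to: int
    cidr: str          # authorization object: source CIDR block of an inbound rule


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int          # destination port; ignored for icmp and gre
    src: str           # source IP address


def matches(rule: Rule, pkt: Packet) -> bool:
    """Traffic matches a rule only when protocol type, port range and
    authorization object all match."""
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= pkt.port <= rule.port_to:
        return False
    return ip_address(pkt.src) in ip_network(rule.cidr, strict=False)


def evaluate(rules, pkt: Packet, default_action: str = "drop") -> str:
    """Return the action applied to pkt.

    Rules are walked from priority 1 downward. Within one priority the deny
    rule is tried before the allow rule. The first matching rule decides and
    lower-priority rules are not consulted. If no rule matches, the default
    rule applies (assumed to be deny in this example)."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "drop"))
    for rule in ordered:
        if matches(rule, pkt):
            return rule.action
    return default_action


# Constructed inbound rule set; the addresses are documentation ranges.
SAMPLE_RULES = [
    Rule("drop",  1,   "tcp",  22,  22,  "203.0.113.0/24"),   # highest priority: block one source network
    Rule("allow", 100, "tcp",  22,  22,  "0.0.0.0/0"),        # SSH from every other source
    Rule("allow", 10,  "tcp",  80,  80,  "0.0.0.0/0"),
    Rule("allow", 50,  "tcp",  443, 443, "198.51.100.0/24"),  # same priority, different actions:
    Rule("drop",  50,  "tcp",  443, 443, "198.51.100.0/24"),  # the deny rule is applied
    Rule("allow", 60,  "tcp",  443, 443, "0.0.0.0/0"),
    Rule("allow", 1,   "icmp", -1,  -1,  "10.0.0.0/8"),       # ping from the internal network only
]


if __name__ == "__main__":
    for pkt in (Packet("tcp", 22, "203.0.113.5"), Packet("tcp", 22, "192.0.2.9"),
                Packet("tcp", 443, "198.51.100.7"), Packet("tcp", 443, "192.0.2.9"),
                Packet("udp", 53, "192.0.2.9"), Packet("icmp", 0, "10.20.30.40")):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```

The sort key places deny before allow only among rules that share a priority, which is exactly the tie-breaking behaviour described above; the priority-1 deny for 203.0.113.0/24 shows why a narrow deny must sit at a higher priority than a broad allow to be effective.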

Important

Make sure that the applications corresponding to the ports specified in a security group rule are started and the ports are configured to listen on 0.0.0.0. For information about how to view the current port status, see the Check the status of the service and the listening status of the port of the service section of the "What do I do if I cannot access a service deployed on an instance?" topic.

Use the ECS console

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the security group list page, find the security group that you want to manage and click Manage Rules in the Operation column.

    • Method 1: Quickly add a security group rule

      This method is suitable for configuring common TCP rules. Click Quick Add. In the Quick Add dialog box, configure Action and Authorization Object and select one or more ports.


      If the port range in the Quick Add dialog box does not include the ports that you want to allow or deny, you can select a port to create a security group rule and modify the port range of the rule. You can also use Method 2: Manually add a security group rule to specify the required ports.

    • Method 2: Manually add a security group rule

      Configure parameters such as Action, Priority, Protocol Type, Port Range, and Authorization Object to add a security group rule. Perform the following steps:

      1. Click Add Rule.

      2. In the rule list, configure the new security group rule and click Save in the Actions column.

        For information about how to configure a security group rule, see Security group rules.


Call API operations

You can use quintuple rules to control the inbound and outbound traffic of ECS instances. A quintuple rule includes the source IP address, source port, destination IP address, destination port, and protocol type. Quintuple rules are fully compatible with existing security group rules. You can call API operations to configure security group quintuple rules. For more information, see the Security group trituple and quintuple rules section of the "Security group rules" topic.

Modify a security group rule

After you modify security group rules, the new security group rules immediately take effect. You may need to monitor network traffic and network connections to ensure that the modified security group rules meet your business requirements and help ensure network security. For more information, see What is CloudMonitor?

Use the ECS console

  1. In the left-side navigation pane, choose Network & Security > Security Groups. On the security group list page, find the security group whose security group rules you want to modify and click Manage Rules in the Operation column.

  2. Find the security group rule that you want to modify and click Edit in the Actions column. Modify the rule and click Save.

Call API operations

Query security group rules

You can perform health checks on security groups to identify redundant rules. This helps simplify security group configurations, reduce administrative workloads, facilitate network management, and mitigate risks posed by security vulnerabilities.

Use the ECS console

Method 1: View the rules of a single security group

  1. In the left-side navigation pane, choose Network & Security > Security Groups. On the security group list page, find the security group whose security group rules you want to view and click Manage Rules in the Operation column.

  2. Click the Inbound or Outbound tab based on the type of rule that you want to view.

    Note

    In the search box above the rule list, enter ports or authorization objects to search for security group rules.

Method 2: View all rules in multiple security groups to which an ECS instance is added

  1. In the left-side navigation pane, choose Instances & Images > Instances. Find the instance on which you want to view security group rules and click the instance ID to go to the instance details page.

  2. On the Security Groups tab, view all security groups to which the instance is added.

  3. Click Manage Rules in the Operation column that corresponds to each security group to view rules in all security groups.

Call an API operation

Delete a security group rule

Before you delete security group rules, make sure that you understand the impact of the deletion to prevent network security issues caused by accidental deletion of security group rules. If you want to restore a deleted security group rule, create an identical rule.

Use the ECS console

  1. In the left-side navigation pane, choose Network & Security > Security Groups. On the security group list page, find the security group whose security group rules you want to delete and click Manage Rules in the Operation column.

  2. Find the security group rule that you want to delete and click Delete in the Actions column.

  3. In the Delete Security Group Rule message, confirm that the rule information is correct and click OK.

Call API operations

Check for redundant rules in security groups

You can perform a health check on a security group to identify redundant rules in the security group. If rule A has a lower priority than rule B and rule B contains all conditions of rule A, rule A is considered to be a redundant rule. If a redundant rule exists, we recommend that you delete the rule to prevent the number of rules from reaching the upper limit.

Note

Each security group can contain a limited number of rules, and each elastic network interface (ENI) on an ECS instance can be associated with a limited number of security group rules. For more information about the limits and quotas of security group rules, see the Security group limits section in the "Limits" topic.
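The following added example, which is not part of the original topic or of the console's own health check, implements the redundancy criterion stated above in Python: rule A is redundant when some rule B has a higher priority (a smaller priority number) and B's conditions (protocol type, port range, authorization object) contain all of A's conditions. As an extension beyond the page's criterion, the result also flags when the covering rule's action differs, because in that case the lower-priority rule is not merely redundant but never applied. The Rule class, rule names and CIDR blocks are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


# Constructed rule model; the conditions compared by the health check are
# protocol type, port range and authorization object (a CIDR block here).
@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "drop"
    priority: int      # 1 is the highest priority; a larger number is a lower priority
    protocol: str      # "tcp", "udp", "icmp", "gre" or "all"
    port_from: int
    port_to: int
    cidr: str


def covers(b: Rule, a: Rule) -> bool:
    """True when every packet that matches rule a also matches rule b."""
    if b.protocol != "all" and b.protocol != a.protocol:
        return False
    # Port-range containment only matters for protocols that carry ports.
    if b.protocol in ("tcp", "udp") and not (b.port_from <= a.port_from and a.port_to <= b.port_to):
        return False
    try:
        return ip_network(a.cidr, strict=False).subnet_of(ip_network(b.cidr, strict=False))
    except TypeError:            # IPv4 and IPv6 blocks never contain each other
        return False


def find_redundant(rules):
    """Return (redundant_rule_name, covering_rule_name, action_differs) triples.

    A rule is reported once, against the first higher-priority rule that
    contains all of its conditions. action_differs is the addition described
    in the lead-in: the covered rule is overridden, not just duplicated."""
    found = []
    for a in rules:
        for b in rules:
            if b.priority < a.priority and covers(b, a):
                found.append((a.name, b.name, a.action != b.action))
                break
    return found


# Constructed inbound rule set for the health check.
SAMPLE_RULES = [
    Rule("B-any-tcp-10/8",  "allow", 1,   "tcp", 1,    65535, "10.0.0.0/8"),
    Rule("A-ssh-10.1/16",   "allow", 50,  "tcp", 22,   22,    "10.1.0.0/16"),  # redundant: contained in B
    Rule("C-ssh-anywhere",  "allow", 50,  "tcp", 22,   22,    "0.0.0.0/0"),    # not redundant: wider source
    Rule("D-rdp-deny",      "drop",  100, "tcp", 3389, 3389,  "10.2.0.0/24"),  # contained in B, action differs
    Rule("E-dns-udp",       "allow", 1,   "udp", 53,   53,    "10.0.0.0/8"),   # different protocol
]


if __name__ == "__main__":
    for name, covered_by, differs in find_redundant(SAMPLE_RULES):
        print(f"{name} is redundant (covered by {covered_by}); action differs: {differs}")
```

Rule D is the case worth a second look before deleting: it was meant to deny RDP from one subnet, but the broad allow at priority 1 already accepts that traffic, so the deny has no effect. Removing D alone keeps the rule count down, but the intended block still has to be recreated at a higher priority than B.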

Use the ECS console

  1. In the left-side navigation pane, choose Network & Security > Security Groups. On the security group list page, find the security group whose security group rules you want to query and click Manage Rules in the Operation column.

  2. In the Access Rule section, click Health Check.

  3. In the Health Check dialog box, check whether redundant rules exist.

    The following figure shows that the security group contains two duplicate rules.

  4. Select the redundant rules and click OK to delete the rules.

Import and export security group rules

The ECS console allows you to export and import security group rules. This feature is suitable for scenarios such as backup, restoration, and migration of security group rules.

Before you import security group rules, make sure that the following limits are met to prevent an import failure:

  • The priority of a security group rule ranges from 1 to 100. If the priority of a security group rule is greater than 100, you must delete the rule from the rules that you want to import, import the remaining rules, and then create the deleted rule in the ECS console.

  • You can export security group rules as JSON or CSV files in the ECS console to your computer for backup. Make sure that the file format is correct and the files follow the naming conventions of Alibaba Cloud security group rule files.

  • We recommend that you import no more than 200 rules at a time.

  • When you import rules across regions, the authorization objects in security group rules cannot be security groups or prefix lists.

Use the ECS console

  1. In the left-side navigation pane, choose Network & Security > Security Groups. On the security group list page, find the security group whose security group rules you want to export and click Manage Rules in the Operation column.

  2. In the Access Rule section, import or export security group rules.

    • Import security group rules

      Click Import. In the Import Security Group Rule dialog box, click Select a file, and then select the JSON or CSV file that you want to import. Then, click Start.

      If a security group rule fails the import check, you can move the pointer over the Warning icon to view the details of the failure.

    • Export security group rules

      Click Export and select a file format to export the security group rules as a file in the selected format to your computer.

      • JSON format

        The exported JSON file complies with the following naming convention: ecs_${regionID}_${groupID}.json.

        If regionID is cn-qingdao and groupID is sg-123, the name of the exported JSON file is ecs_cn-qingdao_sg-123.json.

      • CSV format

        The exported CSV file complies with the following naming convention: ecs_sgRule_${groupID}_${regionID}_${time}.csv.

        If regionID is cn-qingdao, groupID is sg-123, and time is 2020-01-20, the name of the exported CSV file is ecs_sgRule_sg-123_cn-qingdao_2020-01-20.csv.
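The following added example, which is not part of the original topic or of the ECS console, is a Python pre-import check that applies the limits listed at the start of this section to an exported rule file before it is uploaded: it reads the source region and security group ID out of a file name that follows either naming convention above, flags rules whose priority is outside 1 to 100 (which must be recreated in the console), warns when more than 200 rules are imported at once, and, when the target region differs from the source region, excludes rules whose authorization object is a security group or a prefix list. The rule field names (Priority, SourceGroupId, SourcePrefixListId, DestGroupId, DestPrefixListId) are assumptions modelled on the security group permission attributes and should be checked against your own exported file; the assumption that region IDs contain no underscores is what lets the file name be split unambiguously.

```python
import re

# File name conventions from this section. Region IDs are assumed to contain
# no underscore, so the underscore separators split the name unambiguously.
JSON_NAME = re.compile(r"^ecs_(?P<region>[^_]+)_(?P<group>[^_]+)\.json$")
CSV_NAME = re.compile(r"^ecs_sgRule_(?P<group>[^_]+)_(?P<region>[^_]+)_(?P<time>[^_]+)\.csv$")

MAX_PRIORITY = 100        # rules with a priority above this cannot be imported
RECOMMENDED_BATCH = 200   # recommended maximum number of rules per import

# Assumed field names for authorization objects that are security groups or
# prefix lists; verify them against your exported file.
GROUP_OR_PREFIX_FIELDS = ("SourceGroupId", "SourcePrefixListId", "DestGroupId", "DestPrefixListId")


def parse_export_name(filename):
    """Return (regionID, groupID) from an exported file name, or None when the
    name follows neither the JSON nor the CSV convention."""
    m = JSON_NAME.match(filename) or CSV_NAME.match(filename)
    if m is None:
        return None
    return m.group("region"), m.group("group")


def preflight(filename, rules, target_region):
    """Split rules into importable ones and excluded ones with a reason, and
    collect warnings, before the file is uploaded to the console."""
    report = {"source": None, "importable": [], "excluded": [], "warnings": []}
    parsed = parse_export_name(filename)
    source_region = None
    if parsed is None:
        report["warnings"].append("file name does not follow the export naming convention")
    else:
        source_region, group_id = parsed
        report["source"] = {"region": source_region, "group": group_id}
    cross_region = source_region is not None and source_region != target_region

    if len(rules) > RECOMMENDED_BATCH:
        report["warnings"].append(f"{len(rules)} rules; import no more than {RECOMMENDED_BATCH} at a time")

    for idx, rule in enumerate(rules):
        prio = rule.get("Priority")
        if not isinstance(prio, int) or not 1 <= prio <= MAX_PRIORITY:
            report["excluded"].append((idx, f"priority {prio} is outside 1..{MAX_PRIORITY}; create this rule in the console"))
            continue
        if cross_region and any(rule.get(field) for field in GROUP_OR_PREFIX_FIELDS):
            report["excluded"].append((idx, "cross-region import: authorization object is a security group or prefix list"))
            continue
        report["importable"].append(rule)
    return report


# Constructed sample content of an exported file (assumed field names).
SAMPLE_RULES = [
    {"Priority": 1,   "Policy": "accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Priority": 150, "Policy": "accept", "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Priority": 10,  "Policy": "accept", "IpProtocol": "TCP", "PortRange": "3306/3306", "SourceGroupId": "sg-example-app"},
    {"Priority": 20,  "Policy": "accept", "IpProtocol": "TCP", "PortRange": "443/443", "SourcePrefixListId": "pl-example-office"},
]


if __name__ == "__main__":
    for region in ("cn-qingdao", "cn-hangzhou"):
        report = preflight("ecs_cn-qingdao_sg-123.json", SAMPLE_RULES, region)
        print(region, "importable:", len(report["importable"]), "excluded:", report["excluded"], "warnings:", report["warnings"])
```

Running the check against the source region admits three rules and rejects only the priority-150 rule; running it against a different region also rejects the two rules that reference a security group or prefix list, which matches the cross-region limit above.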

FAQ and best practices for security group rules