Elastic Compute Service: Security groups for different use cases

Last Updated: Oct 17, 2024

This topic describes how to configure security group rules, based on the characteristics of security groups in Elastic Compute Service (ECS), to ensure secure and reliable network traffic for cloud resources in common scenarios, such as when a website deployed on an ECS instance provides external web services or when you want to manage remote access to an ECS instance.

Considerations

Take note of the following items about security group rules:

  • By default, security groups deny all inbound access.

  • By default, basic security groups allow all outbound access.

  • By default, ECS instances in different security groups are isolated from each other over the internal network.

  • In security groups of the Virtual Private Cloud (VPC) type, each rule controls access to or from the Internet and the internal network. You can configure a security group rule to deny or allow traffic to or from the Internet and the internal network.

  • In security groups of the classic network type, public rules (Internet ingress and Internet egress rules) control access to or from the Internet, whereas internal rules (inbound and outbound rules) control access to or from the internal network.

  • All sample security group rules described in this topic are configured for the default ports used by typical applications. Applications deployed on ECS instances use ports of the instances to provide external services. For more information, see Common ports.

Warning

A value of 0.0.0.0/0 indicates all IPv4 addresses. For security purposes, we recommend that you specify IP addresses or CIDR blocks as authorization objects (traffic sources or destinations) based on your business requirements and the principle of least privilege. Exercise caution when you specify 0.0.0.0/0 or ::/0 as authorization objects to allow access from all IPv4 or IPv6 addresses. For information about the types of authorization objects supported by security groups, see the Composition of each security group rule section of the "Security group rules" topic.

Security group rules for allowing websites to provide web services

For a website server that allows access from the Internet, you can configure security group rules to allow inbound traffic from any source only on TCP ports 80 (HTTP) and 443 (HTTPS). This ensures that the website can be accessed from the Internet, but restricts direct access to other services on the server.

The following table describes a sample security group rule.

| Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Custom TCP | Open ports: HTTP (80), HTTPS (443), or other custom ports (enter the range of ports that you want to open) | Source: 0.0.0.0/0 |

Note

If the website remains inaccessible after the preceding rule is added, check whether all the required ports are open and available. For more information, see What do I do if I cannot access a service deployed on an instance?

Security group rules for managing remote access to ECS instances

To connect to an ECS instance, open the port used by the connection protocol, for example, TCP port 22 (SSH) or a custom SSH port. To reduce the risk of malicious attacks, configure security group rules that limit the authorization objects allowed to access this port to the IP addresses of specific users, such as the administrator, or of specific servers.

Warning

For security purposes, we recommend that you manage the authorization objects for the connection port based on the principle of least privilege. Exercise caution when you specify 0.0.0.0/0 or ::/0 as authorization objects to allow access from all IPv4 or IPv6 addresses.

The following table describes a sample security group rule.

| Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Custom TCP | SSH (22) to open the default port on a Linux instance, RDP (3389) to open the default port on a Windows instance, or a custom port range to open other ports | Source: 192.168.XX.XX |

Note

The IP address of a specific user or a specific server. Enter a public IP address or a private IP address based on whether the connection is over the public network or a private network.

When you use Alibaba Cloud Workbench to connect to an ECS instance, you need to only allow specific authorization objects. The following table describes a sample inbound security group rule.

| Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|
| Allow | 1 | Custom TCP | SSH (22) to open the default port on a Linux instance, RDP (3389) to open the default port on a Windows instance, or a custom port range to open other ports | 161.117.0.0/16 to connect to the Linux instance by using the auto-assigned public IP address or the elastic IP address (EIP) associated with the instance; 100.104.0.0/16 to connect to the instance by using its private IP address |

Note

For information about the security group rules used to allow Workbench access to instances in the classic network, see the "Add security group rules to allow Workbench access to a Linux instance" section in Connect to a Linux instance by using a password or key and the "Add security group rules to allow Workbench access to a Windows instance" section in Connect to a Windows instance by using a password or key.
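The two preceding sections come down to one check a defender wants to run regularly against a security group: TCP 80 and 443 may be open to 0.0.0.0/0 for a web server, but a management port such as SSH (22) or RDP (3389), or any other service port, must not be reachable from 0.0.0.0/0 or ::/0, and management ports should be limited to specific addresses or a security group. The following audit script is an added example, not Alibaba Cloud's own code or the ECS API's response format: the rule dicts, the sample rule set, the `sg-EXAMPLE` placeholder and the `MAX_ADMIN_ADDRESSES` threshold are all constructed for the example.

```python
"""Audit inbound ECS security group rules for Internet-wide exposure.

Added example, not Alibaba Cloud's own code.  Rules are plain dicts in a
shape constructed for this example, not the ECS API's response format.
Policy applied, following the page: TCP 80 and 443 may be open to
0.0.0.0/0 for a web server; any other port reachable from 0.0.0.0/0 or
::/0 is flagged; a management port (SSH 22, RDP 3389) reachable from
everywhere is flagged as high; a management port allowed from a CIDR block
larger than MAX_ADMIN_ADDRESSES (a threshold chosen here, not taken from
the page) is flagged as low.
"""
import ipaddress

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
WEB_PORTS = {80, 443}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
MAX_ADMIN_ADDRESSES = 256  # assumption: a /24 or smaller counts as "specific"


def parse_port_range(port_range: str):
    """'22/22' -> (22, 22); the ECS wildcard '-1/-1' -> (0, 65535)."""
    low, high = (int(p) for p in port_range.split("/"))
    return (0, 65535) if (low, high) == (-1, -1) else (low, high)


def is_security_group(source: str) -> bool:
    """Authorization objects written as 'sg-...' or '<account ID>/sg-...'."""
    return source.startswith("sg-") or "/sg-" in source


def audit_inbound_rules(rules):
    """Return a list of (severity, message) findings for risky Allow rules."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        low, high = parse_port_range(rule["port_range"])
        source = rule["source"]
        # Management ports only matter for TCP (or "all", which includes TCP).
        admin = [f"{MANAGEMENT_PORTS[p]} ({p})" for p in sorted(MANAGEMENT_PORTS)
                 if rule["protocol"] in ("tcp", "all") and low <= p <= high]
        ports = "all ports" if (low, high) == (0, 65535) else f"port(s) {low}-{high}"
        if source in (ANY_IPV4, ANY_IPV6):
            if rule["protocol"] == "tcp" and low == high and low in WEB_PORTS:
                continue  # HTTP/HTTPS open to the Internet is expected for a web server
            if admin:
                findings.append(("high", f"rule {i}: {', '.join(admin)} reachable from {source}"))
            else:
                findings.append(("medium", f"rule {i}: {rule['protocol']} {ports} open to {source}"))
        elif admin and not is_security_group(source):
            network = ipaddress.ip_network(source, strict=False)
            if network.num_addresses > MAX_ADMIN_ADDRESSES:
                findings.append(("low", f"rule {i}: {', '.join(admin)} allowed from the broad block {source}"))
    return findings


def inbound_allow(protocol: str, port_range: str, source: str) -> dict:
    """Build one inbound Allow rule dict (priority 1, as in the page's tables)."""
    return {"direction": "inbound", "action": "allow", "priority": 1,
            "protocol": protocol, "port_range": port_range, "source": source}


# Constructed sample rule set; 203.0.113.0/24 is a documentation block and
# sg-EXAMPLE is a placeholder, not a real security group ID.
SAMPLE_RULES = [
    inbound_allow("tcp", "80/80", ANY_IPV4),              # web server: expected
    inbound_allow("tcp", "443/443", ANY_IPV4),            # web server: expected
    inbound_allow("tcp", "22/22", ANY_IPV4),              # SSH from everywhere: high
    inbound_allow("tcp", "8080/8080", ANY_IPV4),          # extra service exposed: medium
    inbound_allow("tcp", "3389/3389", "203.0.113.0/24"),  # RDP from one /24: fine
    inbound_allow("all", "-1/-1", ANY_IPV6),              # everything from every IPv6 host: high
    inbound_allow("tcp", "3306/3306", "sg-EXAMPLE"),      # MySQL from an app security group: fine
    inbound_allow("tcp", "22/22", "10.0.0.0/8"),          # SSH from a whole /8: low
]

if __name__ == "__main__":
    for severity, message in audit_inbound_rules(SAMPLE_RULES):
        print(f"[{severity.upper()}] {message}")
```

Running the script prints one finding per risky rule; the two web rules and the rules whose source is a single /24 or a security group produce nothing, which is the shape of rule set the two sections above recommend.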

Security group rules for allowing instances in different security groups to communicate with each other over the internal network

If you want to share data between ECS instances that belong to different security groups in the same VPC, for example, to let instances in Security Group A access shared files on instances in Security Group B over FTP, you can add rules that allow mutual access between the security groups over the internal network. This is more convenient than adding rules for individual IP addresses or CIDR blocks, because you do not need to configure access control separately for each instance in each security group.

Note

This method is not supported for ECS instances that reside within different VPCs. You can use Cloud Enterprise Network (CEN) to connect instances within a VPC to instances within another VPC. For more information, see Overview.

  • Scenario 1:

    If Security Group A and Security Group B belong to the same Alibaba Cloud account, you must specify the ID of Security Group A as the authorization object when you add a rule to Security Group B to allow inbound access from Security Group A. The following table describes a sample security group rule.

    | Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
    |---|---|---|---|---|---|
    | Inbound | Allow | 1 | Custom TCP | Destination: 21/21 | Source: sg-bp1hv6wvmegs036**** |

    Note

    The security group ID provided in the preceding table is only for reference. Replace the security group ID with the actual security group ID.

  • Scenario 2:

    If Security Group A and Security Group B do not belong to the same Alibaba Cloud account, you must specify the ID of Security Group A and the ID of the Alibaba Cloud account to which Security Group A belongs as the authorization object when you add a rule to Security Group B to allow inbound access from Security Group A. The following table describes a sample security group rule.

    | Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
    |---|---|---|---|---|---|
    | Inbound | Allow | 1 | Custom TCP | Destination: 21/21 | Source: 160998252992****/sg-bp174yoe2ib1sqj5**** |

    Note

    The Alibaba Cloud account ID and the security group ID provided in the preceding table are only for reference. Replace the IDs with the actual IDs.

Security group rules for controlling access to databases

In most cases, databases require strict security policies. You can configure security group rules to allow inbound connections only on specific ports from specific IP addresses or security groups, such as the security group to which an application server belongs. This ensures the privacy and security of database access.

Warning

For security purposes, we recommend that you manage the authorization objects of databases based on the principle of least privilege. Exercise caution when you specify 0.0.0.0/0 or ::/0 as authorization objects to allow access from all IPv4 or IPv6 addresses.

The following table describes sample security group rules for common databases that use the corresponding default ports.

| Database type | Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|---|
| MySQL | Inbound | Allow | 1 | Custom TCP | Destination: 3306/3306 | Source: 172.16.XX.XX |
| Oracle | Inbound | Allow | 1 | Custom TCP | Destination: 1521/1521 | Source: 192.168.XX.XX |
| MS SQL | Inbound | Allow | 1 | Custom TCP | Destination: 1433/1433 | Source: 192.168.XX.XX/16 |
| PostgreSQL | Inbound | Allow | 1 | Custom TCP | Destination: 5432/5432 | Source: sg-bp1hv6wvmegs036**** |
| Redis | Inbound | Allow | 1 | Custom TCP | Destination: 6379/6379 | Source: 160998252992****/sg-bp174yoe2ib1sqj5**** |

Note

The IP addresses, CIDR block, Alibaba Cloud account ID, and security group IDs provided in the preceding table are only for reference. Replace the information with actual information.

Security group rules for controlling access to ECS instances by using specific protocols

You may need to restrict specific network protocols based on your business requirements. For example, you may need to allow traffic over only specific ports of TCP or UDP. The Internet Control Message Protocol (ICMP) is used to transfer control messages between IP hosts and routers. Before you can perform specific test operations, such as running the ping command on a client to ping your ECS instance, you must add security group rules to allow inbound ICMP access. The following table describes a sample security group rule.

| Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | All ICMP (IPv4) in an IPv4 network environment, or All ICMP (IPv6) in an IPv6 network environment | Destination: -1/-1 | The IP address of the client |

Note

Enter an IPv4 address or an IPv6 address based on the network environment.

Security group rules for restricting access from ECS instances to external websites

By default, basic security groups allow all outbound access. To allow ECS instances in a basic security group to access only specific websites, you can use the security group as a whitelist and add a Deny rule that denies all outbound access and then Allow rules that allow outbound access to the IP addresses of the websites.

Note

Take note of the following items:

  • If multiple rules match a request based on protocol, port range, and authorization object, the priorities and actions of the matching rules determine the single rule that applies. No session is established until an Allow rule is matched and applied.

  • A smaller priority value indicates a higher priority. If two security group rules have the same priority and differ only in their action, the Deny rule takes effect. Therefore, the Deny rule must have a lower priority (a larger priority value) than the Allow rules, so that the Allow rules take effect and permit outbound access to the IP addresses of the specified websites.

The following table describes the sample security group rules.

| Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Outbound | Deny | 2 | All | Destination: -1/-1 | Destination: 0.0.0.0/0 |
| Outbound | Allow | 1 | Custom TCP | Destination: 80/80 | Destination: 47.96.XX.XX |
| Outbound | Allow | 1 | Custom TCP | Destination: 443/443 | Destination: 121.199.XX.XX |

The preceding rules indicate that the ECS instances in the security group are allowed to access the HTTP service at 47.96.XX.XX on port 80 and the HTTPS service at 121.199.XX.XX on port 443. Other outbound access requests are denied.
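The matching order described in this section (all matching rules are collected, the smallest priority value wins, and a Deny rule beats an Allow rule at equal priority) is easy to get wrong when building a whitelist, so the following model of the evaluation is included as an added example. It is not Alibaba Cloud's own code: the `Rule` structure, the default actions (inbound denied, outbound allowed, as the Considerations section states for basic security groups) and the sample requests are constructed here, and the documentation addresses 203.0.113.10 and 198.51.100.20 stand in for the 47.96.XX.XX and 121.199.XX.XX placeholders in the table.

```python
"""Model of how ECS security group rules are matched (added example, not
Alibaba Cloud's own code).  A request is checked against every rule in its
direction; among the matching rules the smallest priority value wins, and on
a tie a Deny rule beats an Allow rule.  All rule and request values below are
constructed; 203.0.113.10 and 198.51.100.20 are documentation addresses that
stand in for the table's 47.96.XX.XX and 121.199.XX.XX placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound"
    action: str         # "allow" or "deny"
    priority: int       # 1 is the highest priority; a smaller value wins
    protocol: str       # "tcp", "udp", "icmp", or "all"
    port_range: tuple   # (low, high); (-1, -1) means every port
    cidr: str           # authorization object: source CIDR for inbound rules,
                        # destination CIDR for outbound rules


def rule_matches(rule: Rule, direction: str, protocol: str,
                 port: Optional[int], ip: str) -> bool:
    """True if the rule covers this direction, protocol, port and address."""
    if rule.direction != direction:
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    low, high = rule.port_range
    if (low, high) != (-1, -1):
        # A rule with a concrete port range cannot match portless traffic (ICMP).
        if port is None or not low <= port <= high:
            return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)


def evaluate(rules, direction: str, protocol: str, port: Optional[int], ip: str) -> str:
    """Return "allow" or "deny" for one request against a basic security group.

    Defaults follow the page: inbound traffic is denied unless a rule allows
    it, outbound traffic is allowed unless a rule denies it.
    """
    matching = [r for r in rules if rule_matches(r, direction, protocol, port, ip)]
    if not matching:
        return "deny" if direction == "inbound" else "allow"
    # Smaller priority value first; on equal priority, deny (0) sorts before allow (1).
    winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action


# The outbound whitelist from the table: deny everything at priority 2, then
# allow HTTP to one address and HTTPS to another at priority 1.
OUTBOUND_WHITELIST = [
    Rule("outbound", "deny", 2, "all", (-1, -1), "0.0.0.0/0"),
    Rule("outbound", "allow", 1, "tcp", (80, 80), "203.0.113.10/32"),
    Rule("outbound", "allow", 1, "tcp", (443, 443), "198.51.100.20/32"),
]

# Two inbound rules that differ only in their action: the tie goes to Deny.
TIED_SSH_RULES = [
    Rule("inbound", "allow", 1, "tcp", (22, 22), "0.0.0.0/0"),
    Rule("inbound", "deny", 1, "tcp", (22, 22), "0.0.0.0/0"),
]

# The same whitelist with the priorities the wrong way round: the Deny rule
# now outranks the Allow rule, so nothing gets through.
MISORDERED_WHITELIST = [
    Rule("outbound", "deny", 1, "all", (-1, -1), "0.0.0.0/0"),
    Rule("outbound", "allow", 2, "tcp", (80, 80), "203.0.113.10/32"),
]

if __name__ == "__main__":
    for proto, port, dst in [("tcp", 80, "203.0.113.10"), ("tcp", 443, "203.0.113.10"),
                             ("tcp", 443, "198.51.100.20"), ("udp", 53, "198.51.100.20")]:
        print(f"outbound {proto}/{port} -> {dst}: "
              f"{evaluate(OUTBOUND_WHITELIST, 'outbound', proto, port, dst)}")
    print("inbound tcp/22 with tied priorities:",
          evaluate(TIED_SSH_RULES, "inbound", "tcp", 22, "198.51.100.7"))
    print("misordered whitelist, tcp/80:",
          evaluate(MISORDERED_WHITELIST, "outbound", "tcp", 80, "203.0.113.10"))
```

The `MISORDERED_WHITELIST` case is the failure mode the note above warns about: with the Deny rule at priority 1 and the Allow rule at priority 2, the Deny rule wins for every request, including the HTTP request the whitelist was meant to permit.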