When you create an Elastic Compute Service (ECS) instance in a virtual private cloud (VPC), you can add the ECS instance to the default security group or an existing security group in the VPC. A security group acts as a virtual firewall to control the inbound and outbound traffic of ECS instances.
This topic describes how to configure security groups for ECS instances in VPCs in different scenarios.
Scenario 1: Allow ECS instances to communicate with each other
If you want ECS instances in VPCs to communicate with each other, take note of the following information:
- By default, ECS instances in the same security group of a VPC can communicate with each other.
- ECS instances in different VPCs cannot communicate with each other. To connect ECS instances in different VPCs, you must use Express Connect, VPN Gateway, or Cloud Enterprise Network (CEN) to connect the VPCs. Then, configure security group rules based on the following information to allow the ECS instances to communicate with each other.
Security group rule | Direction | Action | Protocol type and port range | Authorization type | Authorized object |
---|---|---|---|---|---|
Security group configuration for the ECS instance in VPC 1 | Inbound | Allow | Windows: RDP 3389/3389 | CIDR block | The private IP address of the ECS instance in VPC 2. Note: Enter 0.0.0.0/0 if you want to allow all ECS instances in VPC 2 to communicate with the ECS instance in VPC 1. |
Security group configuration for the ECS instance in VPC 1 | Inbound | Allow | Linux: SSH 22/22 | CIDR block | Same as the preceding row. |
Security group configuration for the ECS instance in VPC 1 | Inbound | Allow | Custom TCP, custom port range | CIDR block | Same as the preceding row. |
Security group configuration for the ECS instance in VPC 2 | Inbound | Allow | Windows: RDP 3389/3389 | CIDR block | The private IP address of the ECS instance in VPC 1. Note: Enter 0.0.0.0/0 if you want to allow all ECS instances in VPC 1 to communicate with the ECS instance in VPC 2. |
Security group configuration for the ECS instance in VPC 2 | Inbound | Allow | Linux: SSH 22/22 | CIDR block | Same as the preceding row. |
Security group configuration for the ECS instance in VPC 2 | Inbound | Allow | Custom TCP, custom port range | CIDR block | Same as the preceding row. |
Scenario 2: Deny access from specific IP addresses or to specific ports
If you want to deny access to an ECS instance in a VPC from specific IP addresses or deny access to specific ports of the ECS instance, you can configure security group rules based on the following information.
Security group rule | Direction | Action | Protocol type and port range | Authorization type | Authorized object |
---|---|---|---|---|---|
Deny access from a CIDR block to all ports | Inbound | Deny | All -1/-1 | CIDR block | The CIDR block from which you want to deny access. Example: 10.0.0.1/32. |
Deny access from a CIDR block to TCP port 22 | Inbound | Deny | SSH(22) 22/22 | CIDR block | The CIDR block from which you want to deny access. Example: 10.0.0.1/32. |
Scenario 3: Allow only specific IP addresses to remotely log on to an ECS instance
If an ECS instance in your VPC is associated with an elastic IP address (EIP) or configured with an Internet NAT gateway, you can add the following security group rules to allow remote logon from clients that run Windows or SSH logon from clients that run Linux.
Security group rule | Direction | Action | Protocol type and port range | Authorization type | Authorized object |
---|---|---|---|---|---|
Allow remote logon from Windows clients | Inbound | Allow | RDP 3389/3389 | CIDR block | The IP address from which you want to allow logon. Note: Enter 0.0.0.0/0 if you want to allow all public IP addresses to log on to the ECS instance. |
Allow SSH logon from Linux clients | Inbound | Allow | SSH 22/22 | CIDR block | The IP address from which you want to allow logon. Note: Enter 0.0.0.0/0 if you want to allow all public IP addresses to log on to the ECS instance. |
Scenario 4: Allow users to access the HTTP or HTTPS service deployed on an ECS instance over the Internet
If you deployed a website on an ECS instance in your VPC, and the ECS instance provides Internet-facing services by using an EIP or an Internet NAT gateway, you can configure the following security group rules to allow users to access your website over the Internet.
Security group rule | Direction | Action | Protocol type and port range | Authorization type | Authorized object |
---|---|---|---|---|---|
Allow access to HTTP port 80 | Inbound | Allow | HTTP 80/80 | CIDR block | 0.0.0.0/0 |
Allow access to HTTPS port 443 | Inbound | Allow | HTTPS 443/443 | CIDR block | 0.0.0.0/0 |
Allow access to TCP port 80 | Inbound | Allow | TCP 80/80 | CIDR block | 0.0.0.0/0 |
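The rule tables in Scenarios 2, 3 and 4 can be checked before they are applied. The following added example (not part of this topic or of any Alibaba Cloud SDK) models each table row as a `Rule`, evaluates whether a given inbound connection would be allowed, and flags allow rules that open SSH or RDP to 0.0.0.0/0, which the Scenario 3 note describes as allowing all public IP addresses. It assumes that among matching rules a deny beats an allow and that a connection matching no rule is denied; the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

MGMT_PORTS = {22, 3389}  # SSH and RDP, the remote-logon ports the scenarios above open


@dataclass(frozen=True)
class Rule:  # one row of the rule tables above (a constructed model, not an SDK type)
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    port_range: str  # "22/22", "3389/3389", or "-1/-1" for all ports
    cidr: str        # authorized object, e.g. "10.0.0.1/32" or "0.0.0.0/0"

    def ports(self):
        lo, hi = (int(p) for p in self.port_range.split("/"))
        return (1, 65535) if lo == -1 else (lo, hi)

    def matches(self, protocol, port, src_ip):
        if self.protocol not in ("all", protocol):
            return False
        lo, hi = self.ports()
        in_range = lo <= port <= hi
        return in_range and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr)


def is_allowed(rules, protocol, port, src_ip):
    """Evaluate inbound rules for one connection. Assumption: a matching deny beats
    a matching allow, and a connection that matches no rule is denied."""
    hits = [r for r in rules if r.direction == "inbound" and r.matches(protocol, port, src_ip)]
    return bool(hits) and all(r.action == "allow" for r in hits)


def audit_management_exposure(rules):
    """Return allow rules that open SSH or RDP to 0.0.0.0/0 (see the Scenario 3 note)."""
    findings = []
    for r in rules:
        if r.direction != "inbound" or r.action != "allow" or r.protocol not in ("all", "tcp"):
            continue
        lo, hi = r.ports()
        if ipaddress.ip_network(r.cidr).prefixlen == 0 and any(lo <= p <= hi for p in MGMT_PORTS):
            findings.append(r)
    return findings


# Constructed sample: Scenario 2 (deny one host on port 22), Scenario 3 (SSH from one admin IP only), Scenario 4 (web open)
SAMPLE_RULES = [
    Rule("inbound", "deny", "tcp", "22/22", "10.0.0.1/32"),
    Rule("inbound", "allow", "tcp", "22/22", "203.0.113.10/32"),
    Rule("inbound", "allow", "tcp", "80/80", "0.0.0.0/0"),
    Rule("inbound", "allow", "tcp", "443/443", "0.0.0.0/0"),
]
```

Running `audit_management_exposure` over a proposed rule set before calling the console or API is a cheap way to catch a 0.0.0.0/0 entry that was meant to be a single admin address.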