
Elastic Compute Service:Security group rules

Last Updated:Nov 07, 2024

You can create custom security group rules in a security group to control inbound and outbound traffic for Elastic Compute Service (ECS) instances in the security group. Security group rules help control access to cloud resources and improve network security.

Before you use security group rules, take note of the following items:

  • The security group rules in security groups of the Virtual Private Cloud (VPC) type are classified into inbound and outbound rules. The rules control traffic over both the Internet and internal network. The security group rules in security groups of the classic network type are classified into Internet ingress (or public inbound), Internet egress (or public outbound), internal inbound, and internal outbound rules. Internet ingress and egress rules control traffic over the Internet. Internal inbound and outbound rules control traffic over the internal network.

  • Security groups are stateful. A session for a security group can persist for up to 910 seconds. If ECS instances in the same security group can be accessed and sessions are established on the instances, the security group allows traffic in both directions during the sessions. For example, if request traffic during a session is allowed to flow in, the corresponding response traffic is also allowed to flow out.

  • You can modify the security group rules that are associated with an elastic network interface (ENI), or change the security groups of an ENI to associate new security group rules with the ENI. If the new security group rules and the original security group rules contain the same actions, the sessions that are already established on the ENI are not affected. If you use the internal connectivity policy of basic security groups to allow traffic and do not want existing sessions to be affected when you change the basic security groups of an ENI, add the ENI or its associated ECS instance to new basic security groups, wait for approximately 10 seconds, and then remove the ENI or ECS instance from the original basic security groups.

  • The default email service port is TCP port 25. By default, TCP port 25 of ECS instances is blocked to ensure security. To send emails, we recommend that you use port 465.

  • Before you create security group rules in a security group, take note that the security group contains default access control rules that are invisible. The default access control rules and the custom security group rules that you create work together to control traffic for ECS instances in the security group. Basic and advanced security groups have different sets of default access control rules. For a basic security group, the default inbound access control rules allow only traffic over the internal network from ECS instances within the basic security group, and the default outbound access control rules allow all traffic. For an advanced security group, the default access control rules do not allow traffic. For more information, see Basic security groups and advanced security groups.

  • The internal access control policy of a basic security group affects the default access control rules of the security group. By default, a basic security group uses the internal interconnectivity policy. The policy allows inbound and outbound traffic over the internal network between ECS instances within the basic security group. If you do not require ECS instances in a basic security group to access each other, we recommend that you follow the principle of least privilege to configure the internal isolation policy for the security group. For more information, see Modify the internal access control policy of a basic security group.

  • For an ECS instance that is associated with multiple security groups, all security group rules of the security groups are automatically sorted and work together with the default access control rules of the security groups to control traffic for the ECS instance. The security group rules are processed in a specific order. The processing continues until a rule is matched. For more information, see the Sorting policy of security group rules section in this topic.

  • By default, each security group can contain up to 200 security group rules. You can change the maximum number of security group rules that can be contained in each security group and the maximum number of security groups with which an ECS instance can be associated. For more information, see the Security group limits section in the "Limits" topic. We recommend that you keep the security group rules of each security group concise to facilitate management. You can perform health checks on security groups to identify redundant security group rules. For more information, see the Identify redundant rules in a security group section in the "View security group rules" topic.

Composition of each security group rule

A custom security group rule consists of the following information:

  • Protocol type: the protocol type. The following protocols are supported: TCP, User Datagram Protocol (UDP), Internet Control Message Protocol version 4 (ICMPv4), ICMP version 6 (ICMPv6), and Generic Routing Encapsulation (GRE).

  • Port range: the destination port range. For TCP and UDP protocols, use a forward slash (/) to separate the start port number and the end port number when you specify a port range. Examples: 8000/9000 and 22/22. For other protocols, this parameter is set to -1/-1. For more information, see Common ports.

  • Authorization object: the source of traffic for inbound rules or the destination of traffic for outbound rules. You can specify the following elements as authorization objects:

    • IPv4 addresses. Example: 192.168.0.100.

    • IPv4 CIDR blocks. Example: 192.168.0.0/24.

    • IPv6 addresses. Example: 2408:4321:180:1701:94c7:bc38:3bfa:9. The IPv6 addresses that you specify are standardized. For example, 2408:180:0000::1 is converted into 2408:180::1.

    • IPv6 CIDR blocks. Example: 2408:4321:180:1701::/64. The IPv6 CIDR blocks that you specify are standardized. For example, 2408:4321:180:0000::/64 is converted into 2408:4321:180::/64.

    • Security group IDs. You can specify security groups in the current account or other accounts. If you specify a security group ID as the authorization object in a security group rule, the rule uses the internal IP addresses of ECS instances in the specified security group to control traffic over the internal network. For example, if you specify Security Group A that contains ECS Instance B as the authorization object in a security group rule, the rule controls access to or from the internal IP address of ECS Instance B over the internal network.

    • Prefix list IDs. A prefix list is a set of one or more network prefixes (CIDR blocks). If you specify a prefix list as the authorization object in a security group rule, the maximum number of entries in the prefix list counts against the rule quota of the security group. For more information, see Overview of prefix lists.

  • Action: the action to take on traffic. Valid values: Allow and Deny. If a request matches the protocol, port range, and authorization object conditions of a security group rule, the action that you specify in the rule is taken to allow or deny the request.

  • Priority: the priority of the rule. Valid values: 1 to 100. A smaller value indicates a higher priority. Security group rules are sorted by priority and then by action. For more information, see the Sorting policy of security group rules section in this topic.

  • Direction: Inbound and outbound rules are supported to control inbound and outbound traffic.

  • NIC type: The network interface controller (NIC) type is supported only for security group rules in security groups of the classic network type. You can specify the NIC type to configure public or internal security group rules. Public security group rules control traffic over the Internet and take effect on public NICs of ECS instances that are deployed in the classic network. Internal security group rules control traffic over the internal network and take effect on internal NICs of ECS instances that are deployed in the classic network. Security group rules in security groups of the VPC type control traffic over both the Internet and internal network.

  • Rule ID: When you create a security group rule, the system generates a unique ID for the rule. To modify or delete a security group rule, you can use the rule ID to find the rule.

If a request matches the protocol, port range, and authorization object conditions of a security group rule, the action that you specify in the rule is taken to allow or deny the request. When a general inbound rule is processed, the source IP address of the traffic is matched against the authorization object and the destination port number of the traffic is matched against the port range. When a general outbound rule is processed, the destination IP address of the traffic is matched against the authorization object and the destination port number of the traffic is matched against the port range. To implement more fine-grained access control, we recommend that you use security group quintuple rules. For more information, see Security group quintuple rules.

Sorting policy of security group rules

You can associate an ECS instance with one or more security groups. The system controls inbound and outbound traffic for the instance based on the security group rules that are associated with the instance. For example, the system performs the following steps to process inbound security group rules that are associated with the ECS instance to allow or deny inbound traffic to the instance:

  1. Collect all inbound security group rules and sort the rules by priority and then by action.

    1. Sort the security group rules in descending order of priority. A rule with a smaller priority value has a higher priority.

    2. Rank security group rules whose Action parameter is set to Deny before security group rules whose Action parameter is set to Allow.

  2. The system matches requests with the security group rules that are associated with the ECS instance based on the order in which the rules are sorted, protocol type, port range, and authorization object. If a request matches a rule, the action specified in the rule is taken to allow or deny the request.

In addition to custom security group rules, security groups contain default access control rules that take effect but are invisible. For more information, see the Default access control rules section in the "Basic security groups and advanced security groups" topic.

Special rules in security groups

To ensure the stability of ECS instances and the availability of specific cloud features, security groups automatically allow traffic that is generated in specific scenarios. You cannot configure security group rules to deny the traffic. Security groups automatically allow the following traffic:

  • Traffic for network connectivity checks under special circumstances:

    When the underlying components of ECS instances change, Alibaba Cloud may perform on-demand ping tests to check the network connectivity of the instances. To ensure the accuracy of the tests, security groups automatically recognize and allow the ping traffic.

  • ICMP Path Maximum Transmission Unit Discovery (PMTUD) error packets:

    If a packet sent by an ECS instance exceeds the path maximum transmission unit (MTU) and has the Don't Fragment (DF) flag set, the ECS instance receives an ICMP error packet that contains the path MTU. The error packet instructs the ECS instance to reduce the packet size. Security groups automatically recognize and allow such error packets. For more information, see MTU and jumbo frames.

  • Server Load Balancer (SLB) traffic:

    Security groups automatically recognize and allow the traffic that is forwarded to backend ECS instances through SLB instances, such as Application Load Balancer (ALB), Network Load Balancer (NLB), or Classic Load Balancer (CLB) instances. In this case, the inbound and outbound traffic of the ECS instances is controlled by the security groups or access control lists (ACLs) of the SLB instances.

  • MetaServer access traffic:

    MetaServer provides the required metadata service for ECS instances. The metadata service is a basic service that helps ensure ECS instances run as expected. By default, security groups allow outbound traffic to the MetaServer at 100.100.100.200 without the need for additional rules.

Use cases for security groups

Alibaba Cloud provides examples on how to configure security group rules in common scenarios, such as providing web services for websites and connecting to instances. For more information, see Security groups for different use cases.

Manage security group rules

For information about how to manage security group rules, see Manage security group rules.

Security group quintuple rules

When you configure security group rules in the ECS console, the following limits apply:

  • Inbound security group rules allow you to configure only the source IP address, destination port, and protocol type.

  • Outbound security group rules allow you to configure only the destination IP address, destination port, and protocol type.

To implement more fine-grained access control for the inbound and outbound traffic of ECS instances, we recommend that you use security group quintuple rules. A quintuple rule includes the following parameters: source IP address, source port, destination IP address, destination port, and protocol type. Quintuple rules are fully compatible with existing security group rules.

Sample quintuple outbound rule:

Source IP address: 172.16.1.0/32
Source port: 22
Destination IP address: 10.0.0.1/32
Destination port: not specified
Protocol type: TCP

The sample outbound rule indicates that TCP access from 172.16.1.0/32 to 10.0.0.1/32 over port 22 is allowed.
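The following added example (not Alibaba Cloud's code) models the sorting policy described above (priority first, Deny before Allow, first match wins, invisible default rules as the fallback) and the quintuple matching shown in the sample rule. It assumes authorization objects are IP addresses or CIDR blocks only (security group IDs and prefix lists are not modelled) and assumes priority 1 for the sample rule, whose priority the page does not give.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "-1/-1"  # port range meaning "not checked" (non-TCP/UDP rules, or unset quintuple field)

@dataclass
class Rule:
    priority: int                 # 1 to 100; a smaller value is a higher priority
    action: str                   # "Allow" or "Deny"
    protocol: str                 # TCP, UDP, ICMPv4, ICMPv6 or GRE
    src_ip: Optional[str] = None  # IP address or CIDR block; None = not checked
    src_port: str = ANY           # "start/end", e.g. "22/22"
    dst_ip: Optional[str] = None
    dst_port: str = ANY

def inbound_rule(priority, action, protocol, port_range, auth_object):
    # General inbound rule: authorization object = source IP, port range = destination port.
    return Rule(priority, action, protocol, src_ip=auth_object, dst_port=port_range)

# The page's sample quintuple outbound rule; its priority is not given, so 1 is assumed.
SAMPLE_QUINTUPLE = Rule(1, "Allow", "TCP", src_ip="172.16.1.0/32", src_port="22/22",
                        dst_ip="10.0.0.1/32", dst_port=ANY)

def ip_matches(cidr, ip):
    # ipaddress standardizes the object the way the console does (2408:180:0000::1 -> 2408:180::1)
    # and never matches an IPv4 object against an IPv6 address or vice versa.
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def port_matches(port_range, port):
    start, end = (int(p) for p in port_range.split("/"))
    return start == -1 or start <= port <= end

def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    return (rule.protocol == proto
            and ip_matches(rule.src_ip, src_ip) and ip_matches(rule.dst_ip, dst_ip)
            and port_matches(rule.src_port, src_port) and port_matches(rule.dst_port, dst_port))

def sort_rules(rules):
    # Sorting policy step 1: highest priority (smallest value) first, then Deny before Allow.
    return sorted(rules, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1))

def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port, default_action):
    # Step 2: the first matching rule decides; if none matches, the invisible default
    # access control rules do (Deny for an advanced group, Allow for basic-group outbound).
    for rule in sort_rules(rules):
        if rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
            return rule.action
    return default_action
```

Pass "Deny" as the default action to model an advanced security group, or the basic-group default that applies to the direction being evaluated.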

You can call the following API operations to configure quintuple rules:

Note

To configure quintuple rules in the ECS console, submit a ticket.