This topic describes how to enhance the security and reliability of network traffic for cloud resources by configuring security group rules in Elastic Compute Service (ECS), covering common scenarios such as deploying a website on an ECS instance for external web services or managing remote access to an ECS instance.
Security group application guidance
1. Identify business requirements and plan different security groups
Identify your business characteristics and specific security needs, such as distinguishing between publicly available services and those intended for internal use only.
-
Public and Internal Network Services Should Use Separate Security Groups
To prevent unauthorized access from the public network, it's crucial to adopt the strictest security group rules for cloud servers. By default, deny all access, closing all ports and protocols, and only expose those necessary for external services.
Servers providing external services should have clear and simple security group responsibilities, avoiding the provision of other services on the same server. For services like MySQL or Redis, it is advisable to install them on servers without public network access and configure security group rules to authorize access from another security group.
-
Assign Different Applications to Different Security Groups
In a production environment, it's uncommon for different operating systems to be part of the same application group for load balancing purposes. Since various services require exposing different ports and restricting others, it is advisable to assign different operating systems to separate security groups whenever possible.
For instance, on Linux operating systems, exposing TCP port 22 is necessary for SSH, while on Windows, opening TCP port 3389 is required for Remote Desktop Protocol (RDP) connections.
Even when using the same image type across various operating systems, if the services provided do not require internal network access between them, it is advisable to place them in separate security groups. This approach promotes decoupling and simplifies future modifications to security group rules, adhering to the principle of single responsibility.
When planning and adding applications, it's important to consider not only the segmentation of virtual switches for subnet configuration but also the careful planning of security groups. Employ a "CIDR block + security group" strategy to define clear boundaries between service providers and consumers.
-
Use Separate Security Groups for Production and Testing Environments
For improved system isolation, it's advisable to establish multiple testing environments alongside a single production environment during actual development. To ensure network isolation, configure distinct security strategies for each environment. This prevents changes in the testing environment from inadvertently being deployed to the production environment, thereby maintaining its stability.
By establishing distinct security groups, you can limit the network access of applications, preventing interaction between production and testing environments. Assigning separate security groups to various testing environments also helps to eliminate cross-environment interference, thereby enhancing development productivity.
-
Resources Not Requiring Public Network Access Should Not Have Public IPs
For ECS instance connectivity without a public IP, use alternatives like Workbench, session management tools, or a jump server to reduce public exposure. To access services in non-public or private networks directly, consider using port forwarding. For more information, see the referenced document.
In distributed applications, which often consist of various layers and groups, it's advisable for cloud servers without public network access to avoid assigning public IPs. When multiple servers require public network access, configuring a load balancing service is recommended to distribute public traffic, enhance system availability, and prevent single points of failure. For more information, see .
In a VPC architecture, use a NAT Gateway to enable ECS instances without public IPs to access the Internet. Configure corresponding SNAT rules for specific CIDR blocks or subnets, avoiding service exposure after assigning a public IP (EIP) solely for public network access. For specific configurations, see Create and manage SNAT entries.
-
Employ Security Groups as Whitelists
Use security groups as whitelists, denying all access by default and adding allow rules for specific port ranges and authorization objects. Minimize the number of open and exposed ports and the assignment of public IPs. For tasks like log retrieval or troubleshooting, avoid directly assigning public IPs and mounting EIPs, as this exposes the entire machine to the public network.
2. Configure security group rules
A security group acts as a virtual firewall, controlling inbound and outbound traffic for ECS instances. Ensure that only necessary communication ports are open and restrict the source IP address range as much as possible.
-
Basic and Enterprise Security Groups Have Different Default Policies
Both basic and enterprise security groups deny all inbound access by default. Basic security groups allow all outbound access by default, while enterprise security groups deny all outbound access by default.
-
Internal Network Connectivity Differs Between Security Groups and Types
ECS instances under the same account but in different security groups are isolated on the internal network. Basic security groups have internal network connectivity by default, whereas enterprise security groups are isolated by default.
-
Control Objects for Security Group Rules Vary by Network Architecture
-
In a VPC network, a security group rule can control both public and internal network access. A single rule can restrict or permit traffic from both networks.
-
In a classic network, public and internal networks share the same IP space, requiring separate security group rules to control access for each network.
-
-
Adhere to the Principle of Least Privilege When Adding Security Group Rules
For instance, when enabling port 22 on a Linux instance for remote login, limit access to specific IPs only.
WarningAuthorizing all IPs with 0.0.0.0/0 as an authorization object is insecure, as it exposes all ports to external access. Instead, deny all ports by default and only open common TCP ports like 80, 8080, and 443 for web services, keeping other ports closed.
For enhanced security, it is advisable to specify IP addresses or CIDR blocks as authorization objects (sources or destinations of traffic) in line with your business needs and adhering to the principle of least privilege. Be cautious when allowing access from all IPv4 or IPv6 addresses by using 0.0.0.0/0 or ::/0 as authorization objects. For detailed information on the types of authorization objects supported by security groups, refer to Security group rules.
-
Implement Internal Isolation Following the Principle of Least Privilege
If intra-group connectivity is not required for ECS instances in a basic security group, switch the internal access control policy from connectivity to isolation.
-
Maintain Uniform Rule Purposes Within a Single Security Group
Add rules to security groups based on their intended purposes, then add ECS instances to these groups. Overloading a single security group with many rules increases management complexity.
-
Select Authorization Objects for Security Group Rules Carefully
Authorization objects for security group rules can be IP addresses, security groups, or CIDR blocks.
To allow resources in different security groups to communicate, configure rules for mutual access. For example, in distributed applications, you may have separate security groups for Web and Database:
sg-webandsg-database. Insg-database, add a rule to authorize all resources of thesg-webgroup to access the MySQL (3306) port.For internal network access, specify security groups as authorization objects, not CIDR blocks.
For classic network ECS instances, Alibaba Cloud does not enable any default inbound rules for the internal network. For security, avoid enabling access based on CIDR blocks.
-
Typical Applications Usually Use Default Ports for Services
Applications communicate externally through specific server ports. For more information, see Common Ports.
3. Continuous optimization and adjustment
As your business evolves, the original security groups and rules may become outdated. Regularly review and adjust your architecture design based on the latest security landscape. When modifying security groups, clone one in the testing environment for debugging, confirm normal instance traffic after changes, and then update the production environment's security group rules to avoid business disruptions due to errors.
Security group application cases
Control inbound traffic of ECS instances
Manage external resource traffic accessing ECS instances by setting inbound rules. By default, security group inbound rules deny all access, and you only need to configure allowed rules. Examples include the following:
-
Case 1: Deploying a website business on ECS instances to provide web services
-
Case 2: Granting Specific Users Remote Access to ECS Instances
-
Case 3: Security Policy for Deploying Database Services on ECS
-
Case 5: Enabling Internal Network Communication Between Instances in Different Security Groups
Control outbound traffic of ECS instances
Manage ECS instance traffic accessing external resources by setting outbound rules. By default, security group outbound rules allow all access, and you only need to configure denied rules. Examples include the following:
Case 1: Website business deployed on ECS instances provides web services
A website business hosted on an Alibaba Cloud ECS instance is accessible to any public network user. The security group rules to configure should allow inbound traffic on TCP ports 80 (HTTP) and 443 (HTTPS) from any source, enabling external website access while restricting directaccess to other services on the server, thus ensuring server security.
The table below provides sample security group rules:
Rule direction | Authorization policy | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Custom TCP | Open ports of the service:
| Source: 0.0.0.0/0 |
Should the website still be inaccessible after adding the security group rule, ensure that all necessary ports are open and available. For detailed instructions, see Troubleshooting methods for inaccessible services in ECS instances.
Case 2: Specific users need remote access to ECS instances
To remotely manage an Alibaba Cloud ECS instance for business deployment, configure security group rules to open TCP port 22 (SSH) or a custom SSH port. Limit the authorization object to specific users (such as administrators) or specific server IPs to mitigate the risk of malicious attacks.
The table below provides sample security group rules:
Rule direction | Authorization policy | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Custom TCP |
| Source: 192.168.XX.XX Note The IP address of a specific user or a specific server. Enter a public IP address or a private IP address based on whether the connection is over the public network or a private network. You can visit websites such as IP address query to obtain the public IP address corresponding to the local network. |
To remotely connect to an instance via Alibaba Cloud Workbench, it's sufficient to permit certain authorization objects. Below is a table outlining sample Inbound rules for the security group.
Authorization policy | Priority | Protocol type | Port range | Authorization object |
Allow | 1 | Custom TCP |
|
|
For details on security group rules applicable to Workbench connections with classic network instances, refer to Security Group Settings for Workbench Connections to Classic Network Instances.
Case 3: Database service deployment security policy on ECS
Database services typically demand stricter security measures. Configure security groups to permit inbound connections only on specific ports from designated IP addresses or security groups, such as the group to which an application server is assigned, to maintain the confidentiality and integrity of database access.
If your inbound rules currently include 0.0.0.0/0, reassess the ports and services your application must expose externally. To prevent certain ports from being publicly accessible, add a deny rule with a lower priority than allow rules for necessary services. For instance, MySQL services should not expose port 3306 to the public network by default. In such cases, implement a deny rule as shown below with the lowest priority setting.
Below is a table describing sample security group rules for common databases using their default ports:
Database type | Rule direction | Authorization policy | Priority | Protocol type | Port range | Authorization object |
MySQL | Inbound | Allow | 1 | Custom TCP | Destination: 3306/3306 | Source: 172.16.XX.XX |
Oracle | Inbound | Allow | 1 | Custom TCP | Destination: 1521/1521 | Source: 192.168.XX.XX |
MS SQL | Inbound | Allow | 1 | Custom TCP | Destination: 1433/1433 | Source: 192.168.XX.XX/16 |
PostgreSQL | Inbound | Allow | 1 | Custom TCP | Destination: 5432/5432 | Source: sg-bp1hv6wvmegs036**** |
Redis | Inbound | Allow | 1 | Custom TCP | Destination: 6379/6379 | Source: 160998252992****/sg-bp174yoe2ib1sqj5**** |
The IP addresses, CIDR block, Alibaba Cloud account ID, and security group IDs in the table are for illustrative purposes only. Substitute with actual information.
Case 4: Allow only specific protocol business access
Business requirements may necessitate restricting access to certain network protocols. For instance, you might need to permit traffic only on specific TCP or UDP ports. The Internet Control Message Protocol (ICMP) is utilized for control message exchange between IP hosts and routers. To conduct specific tests, such as using the ping command to assess network connectivity, enable access based on the ICMP protocol. The table below describes a sample security group rule:
Rule direction | Authorization policy | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 |
| Destination: -1/-1 | Client IP address Note Enter an IPv4 address or an IPv6 address based on the network environment. |
Case 5: Instances of different security groups achieve internal network communication
To facilitate data sharing between ECS instances in different security groups within the same VPC, such as enabling instances in Security Group A to access shared files on instances in Security Group B via FTP, add rules that permit mutual access over the internal network. This method is more efficient than configuring access control for each instance individually.
This method does not support instances located in different VPCs. To connect instances across various VPCs, you can utilize the Cloud Enterprise Network. For more information, see Cloud Enterprise Network Quick Start.
-
Scenario 1:
When Security Group A and B are under the same Alibaba Cloud account, specify Security Group A's ID as the authorization object in Security Group B's rule to allow inbound access. The table below shows a sample rule.
Rule direction
Authorization policy
Priority
Protocol type
Port range
Authorization object
Inbound
Allow
1
Custom TCP
Destination: 21/21
Source: sg-bp1hv6wvmegs036****
NoteThe security group ID in the table is for reference only. Replace it with the actual security group ID.
-
Scenario 2:
If Security Group A and B are from different Alibaba Cloud accounts, include both the ID of Security Group A and the account ID it belongs to as authorization objects in Security Group B's rule. The table below describes a sample security group rule.
Rule direction
Authorization policy
Priority
Protocol type
Port range
Authorization object
Inbound
Allow
1
Custom TCP
Destination: 21/21
Source: 160998252992****/sg-bp174yoe2ib1sqj5****
NoteThe Alibaba Cloud account ID and security group ID in the table are for reference. Replace them with actual IDs.
Case 6: Restrict ECS instances from accessing external websites
To limit instances to accessing only specified websites, use security groups as whitelists, setting the default to deny all outbound access, then permitting access to the IPs of the specified websites.
Consider the following when setting security group rules:
-
When a request matches multiple rules based on the specified protocols, port ranges, and authorization objects, it is then evaluated against the rules' priorities and actions to determine which single rule to enforce. A session is not established until a matching Allow rule is applied.
-
In security group rules, a lower priority value signifies a higher precedence. If two rules share the same priority but differ in action, the Deny rule prevails. To ensure that the Allow rule is effective and permits outbound access to the designated IP addresses, its priority must be set higher than that of the Deny rule.
The table below provides sample security group rules:
Rule direction | Authorization policy | Priority | Protocol type | Port range | Authorization object |
Outbound | Deny | 2 | All | Destination: -1/-1 | Destination: 0.0.0.0/0 |
Outbound | Allow | 1 | Custom TCP | Destination: 80/80 | Destination: 47.96.XX.XX |
Outbound | Allow | 1 | Custom TCP | Destination: 443/443 | Destination: 121.199.XX.XX |
These rules indicate that ECS instances within the security group are permitted to access the HTTP service at 47.96.XX.XX on port 80 and the HTTPS service at 121.199.XX.XX on port 443, while all other outbound requests are denied.