After you add security group rules in the Elastic Compute Service (ECS) console, you can view the details of the rules and perform health checks on security groups to identify redundant rules. This helps simplify security group configurations, reduce administrative workloads, facilitate network management, and mitigate risks posed by security vulnerabilities. This topic describes how to view security group rules and perform a health check on security groups to identify redundant rules in the ECS console.
View the rules of a single security group
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the security group whose rules you want to view and click Manage Rules in the Operation column.
Click a tab based on the type of rule that you want to view.
If the network type of the security group is Virtual Private Cloud (VPC), click the Inbound or Outbound tab.
If the network type of the security group is classic network, click the Internet Ingress, Internet Egress, Inbound, or Outbound tab.
Note: In the search box above the rule list, enter ports or authorization objects to search for security group rules.
View all rules in multiple security groups that are associated with an ECS instance
If you add an ECS instance to multiple security groups, perform the following steps to view all inbound or outbound security group rules that are associated with the instance:
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Go to the Instance Details page of an ECS instance and view all inbound or outbound security group rules that are associated with the instance.
Find the instance for which you want to view security group rules and click the instance ID to go to the Instance Details page.
Click the Security Groups tab and then click the Internal Inbound Rules or Internal Outbound Rules tab to view the details of the rules.
Identify redundant rules in a security group
You can perform a health check on a security group to identify redundant rules in the security group. If rule A has a lower priority than rule B and rule B contains all conditions of rule A, rule A is considered a redundant rule: traffic that matches rule A is already matched by rule B, so rule A never takes effect. If a redundant rule exists, we recommend that you delete it so that the number of rules does not reach the upper limit.
Each security group can contain a limited number of rules, and each elastic network interface (ENI) on an ECS instance can be associated with a limited number of security group rules. For more information about the limits and quotas of security group rules, see the Security group limits section in the "Limits" topic.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the security group that you want to manage and click Manage Rules in the Operation column.
In the Access Rule section, click .
In the Health Check dialog box, check whether redundant rules exist.
The following figure shows that the security group contains two redundant rules.
Select the redundant rules and click OK to delete the rules.
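The redundancy criterion described above (rule A is redundant when a higher-priority rule B contains all of its conditions) can be reproduced offline over a rule set exported from the console or the DescribeSecurityGroupAttribute API. The following is an added example, not code from the ECS console or an Alibaba Cloud SDK. It assumes, as is the ECS convention, that a smaller priority number means a higher priority, and it treats the rule's policy (accept or drop) as one of the conditions that must match. The rules and names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security group rule (constructed model, not the ECS API schema)."""
    name: str
    direction: str   # "ingress" or "egress"
    policy: str      # "accept" or "drop"
    priority: int    # assumption: 1 is the highest priority, 100 the lowest
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # -1/-1 when the protocol carries no ports
    port_to: int
    cidr: str        # source CIDR (ingress) or destination CIDR (egress)


def covers(b: Rule, a: Rule) -> bool:
    """True when rule b's conditions contain every condition of rule a."""
    if b.direction != a.direction or b.policy != a.policy:
        return False
    if b.protocol != "all":
        if b.protocol != a.protocol:
            return False
        if not (b.port_from <= a.port_from and a.port_to <= b.port_to):
            return False
    net_a = ipaddress.ip_network(a.cidr, strict=False)
    net_b = ipaddress.ip_network(b.cidr, strict=False)
    return net_a.version == net_b.version and net_a.subnet_of(net_b)


def redundant_rules(rules):
    """Return (redundant_rule, covering_rule) name pairs.

    Rule a is redundant when some rule b with a strictly higher priority
    (smaller number) covers it; only the first covering rule is reported.
    """
    found = []
    for a in rules:
        for b in rules:
            if b is not a and b.priority < a.priority and covers(b, a):
                found.append((a.name, b.name))
                break
    return found


# Constructed sample rule set; three of the rules are redundant.
RULES = [
    Rule("allow-web", "ingress", "accept", 1, "tcp", 80, 80, "0.0.0.0/0"),
    Rule("allow-office-web", "ingress", "accept", 10, "tcp", 80, 80, "203.0.113.0/24"),
    Rule("allow-ssh-office", "ingress", "accept", 5, "tcp", 22, 22, "203.0.113.0/24"),
    Rule("allow-ssh-host", "ingress", "accept", 20, "tcp", 22, 22, "203.0.113.10/32"),
    Rule("allow-all-egress", "egress", "accept", 1, "all", -1, -1, "0.0.0.0/0"),
    Rule("allow-dns-egress", "egress", "accept", 50, "udp", 53, 53, "0.0.0.0/0"),
    Rule("allow-db", "ingress", "accept", 5, "tcp", 3306, 3306, "10.0.0.0/8"),
]

if __name__ == "__main__":
    for redundant, covering in redundant_rules(RULES):
        print(f"{redundant} is redundant: already covered by {covering}")
```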
References
You can also call the following API operation to query security group rules: DescribeSecurityGroupAttribute.