
Virtual Private Cloud: Security groups

Last Updated: Dec 02, 2024

A security group is a virtual firewall that controls inbound and outbound traffic for Elastic Compute Service (ECS) instances. You can configure inbound rules for a security group to control traffic to ECS instances in the group and outbound rules to control traffic from the instances.

When you create an ECS instance, you can specify one or more security groups for the instance. If you do not specify security groups when you create an ECS instance, the default security group is used. The rules in the security groups that are associated with an ECS instance are sorted based on specific policies and take effect at the same time to control traffic to and from the instance.

You can add, modify, or delete a rule for a security group. The configuration automatically takes effect for all ECS instances in the security group. For more information, see Security group rules. You can modify the security groups that are associated with an ECS instance. The rules in the associated security groups automatically apply to the instance. Specifically, the rules in the security groups that are associated with an ECS instance apply to the primary elastic network interface (ENI) of the instance. You can specify different security groups for ENIs other than the primary ENI associated with an ECS instance that resides in a virtual private cloud (VPC). A security group takes effect only in the VPC to which the security group belongs. If you create an ECS instance in a VPC, you must specify a vSwitch and a security group that belong to the VPC for the instance.

Security groups provide two main features: intra-group connectivity and inter-group access configuration. If a security group supports intra-group connectivity, the ECS instances in the security group can communicate with each other over the internal network. If a security group supports inter-group access configuration, you can reference another security group as an authorization object (source or destination) in a rule that you create in the security group to allow or deny access from the ECS instances in the other security group over the internal network. Security groups can be classified into basic and advanced security groups that are suitable for different scenarios. Both types are provided free of charge. Basic security groups support the preceding two features. Compared with advanced security groups, basic security groups can contain a smaller number of private IP addresses. Advanced security groups can contain a larger number of private IP addresses, but do not support intra-group connectivity or inter-group access configuration. When you associate multiple security groups with an ECS instance, associate only one type of security group with each ENI that is attached to the instance. We recommend that you choose one type of security group based on your business requirements. For more information, see Basic security groups and advanced security groups.

A security group is a managed security group if one of the following conditions is met: the value of ServiceManaged is True in the response when you call the DescribeSecurityGroups operation to query information about the security group, or a message similar to "This security group is managed by a cloud service and cannot be modified" is displayed for the security group in the ECS console. Managed security groups belong to Alibaba Cloud accounts and can be viewed by using the accounts. However, only cloud services can manage these security groups. For more information, see Managed security group.

A security group is enabled with the deletion protection feature if one of the following conditions is met: InvalidOperation.DeletionProtection is returned when you call the DeleteSecurityGroup operation to delete the security group, or a message similar to "Deletion Protection" is displayed when you delete the security group in the ECS console. When you create a Container Service for Kubernetes (ACK) cluster, the deletion protection feature is enabled for an associated security group to prevent accidental deletion. You cannot manually disable the deletion protection feature for the security group. The deletion protection feature can be automatically disabled only after the ACK cluster is deleted. For more information, see Disable deletion protection for a security group.
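One way to combine the two checks described above (the ServiceManaged field in a DescribeSecurityGroups response and the InvalidOperation.DeletionProtection error code from DeleteSecurityGroup) in a cleanup script, added here as an example that is not part of the Alibaba Cloud documentation or SDK. The response body is constructed in the shape of a DescribeSecurityGroups result, the security group IDs are made up, and fake_delete_security_group and ApiError are hypothetical stand-ins for the real DeleteSecurityGroup call and the SDK's error type; pass a wrapper around the real call as delete_fn to use it for real.

```python
import json

# Constructed sample in the shape of a DescribeSecurityGroups response body.
# The field names follow the ECS API; the IDs and names are made up for this example.
SAMPLE_DESCRIBE_RESPONSE = json.dumps({
    "SecurityGroups": {"SecurityGroup": [
        {"SecurityGroupId": "sg-example-app",     "SecurityGroupName": "app-tier",    "ServiceManaged": False},
        {"SecurityGroupId": "sg-example-ack",     "SecurityGroupName": "ack-cluster", "ServiceManaged": False},
        {"SecurityGroupId": "sg-example-managed", "SecurityGroupName": "svc-managed", "ServiceManaged": True},
    ]}
})

# Error code documented for DeleteSecurityGroup when deletion protection is enabled.
DELETION_PROTECTION_CODE = "InvalidOperation.DeletionProtection"


class ApiError(Exception):
    """Hypothetical error type carrying the API error code (stand-in for the SDK's own)."""

    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.code = code


def parse_security_groups(response_json):
    """Map SecurityGroupId -> ServiceManaged flag from a DescribeSecurityGroups body."""
    body = json.loads(response_json)
    return {g["SecurityGroupId"]: bool(g.get("ServiceManaged", False))
            for g in body["SecurityGroups"]["SecurityGroup"]}


def fake_delete_security_group(sg_id):
    """Hypothetical stand-in for DeleteSecurityGroup so the example runs offline.
    It mimics an ACK-associated group refusing deletion with the documented code."""
    if sg_id == "sg-example-ack":
        raise ApiError(DELETION_PROTECTION_CODE, "deletion protection is enabled")
    return True


def triage_for_deletion(response_json, delete_fn=fake_delete_security_group):
    """Classify every group: 'managed' (skipped, only the cloud service can change it),
    'deletion-protected' (the API refused with the documented code), 'deleted',
    or 'error:<code>' for any other API error so nothing is silently swallowed."""
    result = {}
    for sg_id, managed in parse_security_groups(response_json).items():
        if managed:
            result[sg_id] = "managed"
            continue
        try:
            delete_fn(sg_id)
            result[sg_id] = "deleted"
        except ApiError as err:
            result[sg_id] = ("deletion-protected" if err.code == DELETION_PROTECTION_CODE
                             else f"error:{err.code}")
    return result


if __name__ == "__main__":
    for sg_id, status in triage_for_deletion(SAMPLE_DESCRIBE_RESPONSE).items():
        print(f"{sg_id}: {status}")
```

Managed groups are filtered out before any delete call is attempted, because the page states only cloud services can manage them; deletion-protected groups are reported rather than retried, since the protection can only clear once the ACK cluster itself is deleted.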

Improve the security of your ECS instances by using security groups or combining security groups with other methods. For more information, see ECS instance security.

Best practices

This section describes the best practices for using security groups.

  • Make a plan

    You can configure the name, description, tags, and resource group of a security group based on your business requirements. We recommend that you configure these parameters to help you identify and manage security groups.

  • Use the whitelist

    By default, all access to a security group is denied. You can add a rule to the security group to allow access from specific authorization objects on specific ports.

  • Follow the principle of least privilege when you add security group rules

    For example, if you want to allow connections to be established to port 22 on a Linux instance, we recommend that you add a rule to allow access only from specific IP addresses instead of all IP addresses (0.0.0.0/0).

  • Follow the principle of least privilege

    For example, if you do not require intra-group connectivity between the ECS instances in a security group, change the internal access control policy of the security group from intra-group connectivity to internal isolation.

  • Keep the rules in each security group concise

    Add rules to security groups based on the purposes of the security groups, and then add ECS instances to the security groups. Adding a large number of rules to a single security group increases management complexity. You can perform a health check on a security group to identify redundant rules in the security group. For more information, see the Identify redundant rules in a security group section in the "View security group rules" topic.

  • Add instances that serve different purposes to different security groups and separately maintain the rules for each group

    For example, you can add ECS instances that are accessible over the Internet to the same security group and allow access only on specific ports that provide external services, such as ports 80 and 443. By default, access to other ports is denied. To ensure that the ECS instances that are accessible over the Internet do not provide other services, such as MySQL and Redis, we recommend that you deploy internal services on the instances that are inaccessible over the Internet, and then add the instances to another security group.

  • Do not modify security groups that are used in the production environment

    You can clone a security group to the test environment and modify the cloned security group. If the ECS instances in the cloned security group run as expected after the modifications, apply the same changes to the rules of the original security group in the production environment.

Note

A single ECS instance may be associated with multiple security groups. For information about how to check all inbound or outbound rules that apply to an instance, see the View all rules in multiple security groups that are associated with an ECS instance section in the "View security group rules" topic.
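The whitelist, least-privilege and concise-rules practices above, as an added Python example that is not part of the Alibaba Cloud documentation or ECS SDK: a small model of inbound rule evaluation plus two audit checks, one for accept rules that open an administrative port to 0.0.0.0/0 and one for rules already covered by a broader rule of the same policy. The Rule class, the sample rule set, the sg-example-app ID and the tie-breaking model (a lower priority number wins; on equal priority a drop rule beats an accept rule) are this example's own assumptions, so confirm the precedence against your account's real behaviour before acting on the audit output.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security group rule. Field names and the priority model are this
    example's simplification, not the ECS API schema."""
    name: str
    direction: str   # "ingress" or "egress"
    policy: str      # "accept" or "drop"
    priority: int    # assumed: 1 is the highest priority, 100 the lowest
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    source: str      # a CIDR, or a security group ID for inter-group access


# Constructed sample: a web-tier group with one over-broad SSH rule and one
# SSH rule that the broader rule already covers.
RULES = [
    Rule("http",       "ingress", "accept", 1, "tcp", 80,   80,   "0.0.0.0/0"),
    Rule("https",      "ingress", "accept", 1, "tcp", 443,  443,  "0.0.0.0/0"),
    Rule("ssh-any",    "ingress", "accept", 1, "tcp", 22,   22,   "0.0.0.0/0"),
    Rule("ssh-office", "ingress", "accept", 1, "tcp", 22,   22,   "203.0.113.0/24"),
    Rule("db-vpc",     "ingress", "accept", 1, "tcp", 3306, 3306, "10.0.0.0/8"),
    Rule("db-block",   "ingress", "drop",   1, "tcp", 3306, 3306, "10.1.0.0/16"),
    Rule("db-app-sg",  "ingress", "accept", 1, "tcp", 3306, 3306, "sg-example-app"),
]


def _source_matches(rule_source, src_ip, src_sg):
    """An sg-... source matches by the peer's security group; otherwise by CIDR."""
    if rule_source.startswith("sg-"):
        return src_sg == rule_source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source, strict=False)


def _matches(rule, proto, port, src_ip, src_sg):
    if rule.protocol not in ("all", proto):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
        return False
    return _source_matches(rule.source, src_ip, src_sg)


def evaluate_ingress(rules, proto, port, src_ip, src_sg=None):
    """Whitelist semantics: no matching rule means drop. Among matching rules the
    lowest priority number wins; on a tie drop beats accept (assumed model)."""
    matching = [r for r in rules
                if r.direction == "ingress" and _matches(r, proto, port, src_ip, src_sg)]
    if not matching:
        return "drop"
    winner = min(matching, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    return winner.policy


def find_overly_broad(rules, sensitive_ports=(22, 3389)):
    """Accept rules that open an administrative port to every IPv4 address."""
    return [r for r in rules
            if r.direction == "ingress" and r.policy == "accept"
            and r.source == "0.0.0.0/0" and r.protocol in ("tcp", "all")
            and any(r.port_from <= p <= r.port_to for p in sensitive_ports)]


def _covers(outer, inner):
    """True if outer matches every packet inner matches, with the same policy
    and an equal or higher priority, so inner can never change the outcome."""
    if (outer.direction, outer.policy) != (inner.direction, inner.policy):
        return False
    if outer.priority > inner.priority:
        return False
    if outer.protocol != "all" and outer.protocol != inner.protocol:
        return False
    if outer.protocol in ("tcp", "udp") and not (
            outer.port_from <= inner.port_from and inner.port_to <= outer.port_to):
        return False
    if outer.source.startswith("sg-") or inner.source.startswith("sg-"):
        return outer.source == inner.source
    o = ipaddress.ip_network(outer.source, strict=False)
    i = ipaddress.ip_network(inner.source, strict=False)
    return o.version == i.version and i.subnet_of(o)


def find_redundant(rules):
    """Rules fully covered by another rule of the same policy at equal or higher priority."""
    return [r for r in rules if any(o is not r and _covers(o, r) for o in rules)]


if __name__ == "__main__":
    print("10.1.2.3 -> 3306:", evaluate_ingress(RULES, "tcp", 3306, "10.1.2.3"))
    print("overly broad:", [r.name for r in find_overly_broad(RULES)])
    print("redundant:", [r.name for r in find_redundant(RULES)])
```

The redundancy check deliberately only flags a rule shadowed by one with the same policy; an accept rule shadowed by a higher-priority drop is a different (and more interesting) finding, because it means the accept never takes effect, and should be reported separately rather than deleted as clutter.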

Operations

Use the ECS console

Use the ECS API

References

For information about security group quotas, see the Security group limits section in the "Limits" topic.