Security groups act as virtual firewalls to provide Stateful Packet Inspection (SPI) and packet filtering capabilities and define security domains in the cloud. You can add security group rules to control inbound and outbound traffic for elastic container instances within security groups.
Security group overview
Security group definition
A security group is a logically isolated group of instances within the same region that are mutually trusted and share the same security requirements. Security group rules control access to or from the Internet or internal network for the elastic container instances in the security group.
Each security group can manage multiple elastic container instances within the same region.
Each elastic container instance must belong to a single security group.
Security group types
Security groups are classified into basic security groups and advanced security groups. By default, the following rules are added when a security group is created:
Inbound rules that allow access on ports 80, 443, 22, and 3389, and an inbound rule that allows access over Internet Control Message Protocol (ICMP) on all ports. These rules can be modified.
An outbound rule that allows all access on all ports.
The following table describes the differences in the features of basic and advanced security groups.
Feature | Basic security group | Advanced security group |
---|---|---|
Access control policy when the security group has no rules | | |
Maximum number of private IP addresses | 2,000 | 65,536 |
Mutual access between instances within the same security group | By default, instances within the same security group can access each other over the internal network. | By default, instances within the same security group are isolated from each other over the internal network. You must manually add security group rules to allow the instances to access each other over the internal network. |
Control on access to or from other security groups | Rules can be added to control access to or from other security groups. | Rules cannot be added to control access to or from other security groups. |
If your business requires a large number of elastic container instances and high O&M efficiency, we recommend that you use advanced security groups. Compared with basic security groups, advanced security groups can accommodate more elastic container instances and make it easier to configure security group rules.
Security group rules
Rules can be added to security groups to control inbound and outbound traffic. A security group rule is defined by attributes such as the direction, action, protocol type, port range, and authorization object. Take note of the following items about security group rules:
The combined number of inbound and outbound rules in each security group cannot exceed 200.
Follow the principle of least privilege when you add security group rules. Examples:
Specify a single port such as port 80 in the format of 80/80, instead of a port range such as ports 1 to 80 in the format of 1/80.
0.0.0.0/0 indicates all IP addresses. Do not set it as the authorization object unless necessary.
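The following added example (not part of the original documentation) audits a list of security group rules against the three points above: inbound rules that accept traffic from 0.0.0.0/0, inbound rules that open a port range instead of a single port, and the 200-rule limit. The rule field names and the sample rules are constructed for illustration, not the format returned by any API.

```python
"""Audit Elastic Container Instance security group rules for least privilege.
Checks the guidance on this page: avoid 0.0.0.0/0 as the authorization object
on inbound rules, prefer single ports (80/80) over ranges (1/80), and keep the
combined inbound and outbound rule count within 200."""
from typing import Dict, List, Tuple

MAX_RULES_PER_GROUP = 200  # combined inbound + outbound limit stated on the page

# Constructed sample rules (assumption: field names modelled on the attributes
# the page lists: direction, action, protocol, port range, authorization object).
SAMPLE_RULES: List[Dict[str, str]] = [
    {"direction": "ingress", "policy": "accept", "protocol": "TCP", "port_range": "80/80", "source": "10.0.0.0/8"},
    {"direction": "ingress", "policy": "accept", "protocol": "TCP", "port_range": "1/80", "source": "0.0.0.0/0"},
    {"direction": "ingress", "policy": "accept", "protocol": "TCP", "port_range": "22/22", "source": "0.0.0.0/0"},
    {"direction": "egress", "policy": "accept", "protocol": "ALL", "port_range": "-1/-1", "source": "0.0.0.0/0"},
]


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """Parse 'start/end' into integers; '-1/-1' means all ports."""
    start, end = port_range.split("/")
    return int(start), int(end)


def audit_rule(rule: Dict[str, str]) -> List[str]:
    """Return least-privilege findings for one rule (inbound rules only;
    the default outbound allow-all rule is expected and not flagged)."""
    findings: List[str] = []
    if rule["direction"] != "ingress" or rule["policy"] != "accept":
        return findings
    start, end = parse_port_range(rule["port_range"])
    if rule["source"] == "0.0.0.0/0":
        findings.append("inbound rule accepts traffic from all IP addresses (0.0.0.0/0)")
    if start == -1 and end == -1:
        findings.append("inbound rule opens all ports")
    elif start != end:
        findings.append(f"inbound rule opens port range {rule['port_range']} instead of a single port")
    return findings


def audit_security_group(rules: List[Dict[str, str]]) -> Dict[object, List[str]]:
    """Audit a whole security group; keys are rule indexes, plus '_group'
    for group-level findings such as exceeding the rule limit."""
    findings: Dict[object, List[str]] = {}
    if len(rules) > MAX_RULES_PER_GROUP:
        findings["_group"] = [f"{len(rules)} rules exceed the limit of {MAX_RULES_PER_GROUP}"]
    for index, rule in enumerate(rules):
        rule_findings = audit_rule(rule)
        if rule_findings:
            findings[index] = rule_findings
    return findings
```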
Specify a security group
When you create an elastic container instance, you must specify a security group for the instance.
You cannot change the security group for an elastic container instance. To use an elastic container instance within a different security group, create a new elastic container instance in that security group.
Specify security groups for elastic container instances in Kubernetes clusters
When you use Elastic Container Instance based on Virtual Kubelet in Kubernetes scenarios, all elastic container instances within a cluster are added to the default security group configured by Virtual Kubelet. You can specify a security group for an elastic container instance based on your business requirements.
Cluster
You can run the kubectl edit command to modify the eci-profile ConfigMap of a cluster and change the default security group ID in the data section for the elastic container instances in the cluster.
Note: Virtual Kubelet 2.0.0.90-15deb126e-aliyun and later allow modifications to eci-profile for hot updates. If your Virtual Kubelet version is earlier than 2.0.0.90-15deb126e-aliyun, we recommend that you upgrade Virtual Kubelet.
```shell
kubectl edit configmap eci-profile -n kube-system
```
Modify the securityGroupId field in the data section. Sample code:
```yaml
data:
  enableClusterIp: "true"
  enableHybridMode: "false"
  enablePrivateZone: "false"
  resourceGroupId: ""
  securityGroupId: sg-2ze0b9o8pjjzts4h****  # Specify a security group ID.
  selectors: ""
  vSwitchIds: vsw-2zeet2ksvw7f14ryz****,vsw-2ze94pjtfuj9vaymf****
  vpcId: vpc-2zeghwzptn5zii0w7****
```
Specify security groups for elastic container instances
You can add annotations to the metadata section in pod configurations to specify a security group for an elastic container instance. Sample code:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        k8s.aliyun.com/eci-security-group: "sg-bp1dktddjsg5nktv****"  # Specify a security group ID.
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
```
Specify security groups for elastic container instances by calling the API
When you call the CreateContainerGroup operation to create an elastic container instance, you can use the SecurityGroupId parameter to specify a security group. The following table describes the SecurityGroupId parameter. For more information, see CreateContainerGroup.
Parameter | Type | Example | Description |
---|---|---|---|
SecurityGroupId | String | sg-uf66jeqopgqa9hdn**** | The ID of the security group |
Specify security groups for elastic container instances in the console
When you create an elastic container instance on the instance buy page in the Elastic Container Instance console, you can specify a security group for the instance.
Add a security group rule
You can add rules to a security group to control inbound and outbound traffic for the elastic container instances in the security group. Examples:
If your elastic container instance needs to communicate with a network outside the security group to which the instance belongs, you must add a security group rule to allow the instance to access that network.
When attacks from specific request sources are detected, you can add security group rules to block access from those sources.
For more information about how to add security group rules, see Add security group rules.