
ECS Security Groups Configuring Guide

This guide gives an overview of ECS security groups and explains how to configure them for the most common access scenarios.

When you create an ECS instance in a VPC, you can use either the default security group or another existing security group in that VPC. A security group is a virtual firewall that controls the inbound and outbound traffic of an ECS instance.

Intranet communication

Communication between ECS instances in VPCs follows these rules:

  1. By default, ECS instances in the same security group of the same VPC can communicate with each other.
  2. ECS instances in different VPCs cannot communicate with each other. To connect two ECS instances in different VPCs, use Express Connect, VPN Gateway, or CEN. In addition, make sure that the security group rules on both sides allow the traffic between the target ECS instances; the network connection alone does not open any port.

Deny access from specific IP addresses or to specific ports

You can configure security group rules that deny access to an ECS instance from specific IP addresses or on specific ports, even when a broader rule allows the same traffic.

Allow remote access from a specific IP address

If you have configured a NAT Gateway or an EIP for an ECS instance in a VPC, add the Allow Windows remote logon or Allow Linux SSH logon rule to allow Windows remote logon or Linux SSH logon. Set the source of the rule to the IP address you log on from rather than to 0.0.0.0/0, so that the management port is not reachable from the whole Internet.

Allow Internet access to an HTTP/HTTPS service deployed on the ECS instance

If you have deployed a website on an ECS instance in a VPC and configured an EIP or NAT Gateway to expose it, add the Allow access to port 80 and Allow access to port 443 rules to allow access from the Internet.
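The three scenarios above (deny a range, allow SSH or RDP from one address only, open ports 80 and 443 to everyone) all come down to how the group evaluates its rules against an inbound packet. The following Python script is an added example, not code from this page or from Alibaba Cloud; it models that evaluation offline under the semantics assumed here for a basic VPC security group (a lower priority number wins, a drop rule beats an accept rule at the same priority, and inbound traffic that matches no rule is dropped). The CIDRs, ports and sample packets are constructed.

```python
"""Offline model of how a basic VPC security group decides on an inbound packet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    policy: str        # "accept" or "drop"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: str    # "22/22", "80/80", or "-1/-1" for all ports
    source_cidr: str   # e.g. "0.0.0.0/0" or "203.0.113.10/32"
    priority: int = 1  # 1 is the highest priority, 100 the lowest (assumed range)

    def matches(self, proto, dport, src):
        if self.protocol not in ("all", proto):
            return False
        lo, hi = (int(x) for x in self.port_range.split("/"))
        if lo != -1 and not lo <= dport <= hi:
            return False
        return ip_address(src) in ip_network(self.source_cidr, strict=False)


def evaluate_inbound(rules, proto, dport, src, default="drop"):
    """Return "accept" or "drop" for one inbound packet.

    Rules are tried from priority 1 upward; at equal priority a drop rule is
    tried before an accept rule, so an explicit deny wins a tie. A packet that
    matches no rule falls through to the default, which is deny for inbound
    traffic on a basic VPC security group (assumption stated in the lead-in)."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.policy != "drop"))
    for rule in ordered:
        if rule.matches(proto, dport, src):
            return rule.policy
    return default


# Constructed values: the operator's own address and a range to shut out.
ADMIN_IP = "203.0.113.10/32"
DENIED_RANGE = "198.51.100.0/24"

RULES = [
    Rule("drop", "all", "-1/-1", DENIED_RANGE, priority=1),       # deny a specific range
    Rule("accept", "tcp", "22/22", ADMIN_IP, priority=1),         # SSH only from the admin IP
    Rule("accept", "tcp", "3389/3389", ADMIN_IP, priority=1),     # RDP only from the admin IP
    Rule("accept", "tcp", "80/80", "0.0.0.0/0", priority=100),    # HTTP from the Internet
    Rule("accept", "tcp", "443/443", "0.0.0.0/0", priority=100),  # HTTPS from the Internet
]

# Constructed sample packets: (protocol, destination port, source address).
SAMPLE_PACKETS = [
    ("tcp", 22, "203.0.113.10"),   # admin SSH
    ("tcp", 22, "192.0.2.77"),     # SSH from somewhere else
    ("tcp", 443, "192.0.2.77"),    # HTTPS from the Internet
    ("tcp", 80, "198.51.100.9"),   # HTTP from the denied range
    ("tcp", 3306, "192.0.2.77"),   # MySQL, never opened
]


def decide_all(rules=RULES, packets=SAMPLE_PACKETS):
    """Map each sample packet to the verdict the rule set gives it."""
    return {pkt: evaluate_inbound(rules, *pkt) for pkt in packets}


if __name__ == "__main__":
    for (proto, dport, src), verdict in decide_all().items():
        print(f"{proto}/{dport} from {src}: {verdict}")
```

The deny rule for 198.51.100.0/24 sits at priority 1, so it is consulted before the priority-100 rule that opens port 80 to the world; that ordering is what makes "deny a specific IP" work alongside a public web rule. The MySQL packet shows the other half of the model: a port you never opened stays closed without any explicit deny.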

For details about these security group rules, see Cases for configuring ECS security groups.

Related Documentation

Add an ECS instance to a security group

You can add an ECS instance to one or more security groups based on your business needs. An ECS instance can be added to up to five security groups.

A security group controls access to ECS instances. An ECS instance must belong to one or more (up to five) security groups.

Security group overview - Elastic Compute Service

Security groups are logically isolated groups of instances that are located within the same region and share the same security requirements while also being mutually accessible. They act as virtual firewalls that provide Stateful Packet Inspection (SPI), also known as dynamic packet filtering. In a security group, security group rules can be used to grant or limit the access of ECS instances to the Internet or local private networks.

Advanced security group overview - Elastic Compute Service

Compared with basic security groups, advanced security groups can contain more ECS instances and ENIs, and can manage unlimited private IP addresses. Advanced security groups are applicable to VPC networks, and have a simplified rule adding mechanism. Advanced security groups can be used in scenarios that have higher requirements for O&M efficiency, ECS instance specifications, and computing nodes.

Related Blog Posts

Automating Security Groups Updates on Alibaba Cloud

When you create an Alibaba Cloud Elastic Compute Service (ECS) instance, you also create or specify a security group. This security group acts as a firewall controlling what can access your ECS instance. For Linux instances, one of the rules allows SSH (TCP port 22) access. Best practices require that you only allow SSH access from TCP/IP addresses that you control. By only allowing your TCP/IP addresses through the security group (firewall) you reduce the exposure footprint of your ECS instance.

Creating a security group rule for SSH is very easy on the Alibaba Cloud Console. However, keeping that rule up to date with your current TCP/IP address can be a pain. First you must figure out what your public TCP/IP address is, login to the Alibaba Cloud Console, find your security group and then modify the security group with a new rule for your public IP address and finally delete the old rule.
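The rotation the post describes (find the current public address, add a rule for it, then delete the old one) can be planned from the group's existing rules. The following Python script is an added example, not code from that post or from Alibaba Cloud. It assumes a hypothetical security group ID, the region cn-hangzhou, a constructed sample of the Permissions list that DescribeSecurityGroupAttribute returns, and that the script marks the rules it owns with a fixed Description so that it never revokes a rule somebody created by hand. It prints aliyun CLI commands instead of executing them.

```python
"""Plan and emit the commands to rotate a single-IP SSH rule."""
import ipaddress
import sys

SG_ID = "sg-example000000000000"   # hypothetical security group ID
REGION = "cn-hangzhou"             # assumed region
TAG = "auto-ssh"                   # Description that marks the rule this script owns

# Constructed sample in the shape of the Permissions list that
# DescribeSecurityGroupAttribute returns for the group.
CURRENT_PERMISSIONS = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "203.0.113.10/32", "Policy": "Accept", "Priority": "1",
     "NicType": "intranet", "Description": TAG},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "80/80",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": "100",
     "NicType": "intranet", "Description": "web"},
]


def plan_ssh_rotation(permissions, my_ip, tag=TAG):
    """Return (cidrs_to_revoke, cidr_to_add) for the current public address.

    Only ingress TCP/22 rules carrying our Description tag are candidates for
    revocation, so hand-made rules and the web rules are never deleted."""
    wanted = f"{ipaddress.ip_address(my_ip)}/32"   # rejects garbage input
    owned = [p["SourceCidrIp"] for p in permissions
             if p.get("Direction") == "ingress"
             and p.get("IpProtocol", "").lower() == "tcp"
             and p.get("PortRange") == "22/22"
             and p.get("Description") == tag]
    if wanted in owned:
        return [c for c in owned if c != wanted], None   # already up to date
    return owned, wanted


def cli_commands(plan, sg_id=SG_ID, region=REGION, tag=TAG):
    """Turn a plan into aliyun CLI calls. The new rule is authorized before the
    old ones are revoked, so access is never lost mid-rotation."""
    revoke, add = plan
    common = (f"--RegionId {region} --SecurityGroupId {sg_id} --IpProtocol tcp "
              f"--PortRange 22/22 --NicType intranet --Policy accept --Priority 1")
    cmds = []
    if add:
        cmds.append(f"aliyun ecs AuthorizeSecurityGroup {common} "
                    f"--SourceCidrIp {add} --Description {tag}")
    for cidr in revoke:
        cmds.append(f"aliyun ecs RevokeSecurityGroup {common} --SourceCidrIp {cidr}")
    return cmds


if __name__ == "__main__":
    # Pass your current public address; 198.51.100.42 is a constructed stand-in.
    my_ip = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.42"
    for cmd in cli_commands(plan_ssh_rotation(CURRENT_PERMISSIONS, my_ip)):
        print(cmd)
```

In a real run you would replace CURRENT_PERMISSIONS with the Permissions array from `aliyun ecs DescribeSecurityGroupAttribute --RegionId <region> --SecurityGroupId <sg-id>` and pipe the printed commands to a shell once you have read them. Authorizing the new /32 before revoking the old one matters when you run this from the machine whose address changed: revoking first would cut off the session that is doing the update.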

11 Security Recommendations for Production Instances on Alibaba Cloud

Recently, I have successfully hosted my first three-tier web application, which includes two Elastic Compute Service (ECS) instances, one ApsaraDB for RDS MySQL database, a Server Load Balancer, and used Elastic IP and security group to secure them. This is the most common scenario for most applications hosted on the web. Although my system is functioning well, this type of deployment is deficient in terms of cyber security. This is especially true for servers used in production scenarios.

Related Products

Elastic Compute Service

Alibaba Cloud Elastic Compute Service (ECS) provides fast memory and the latest Intel CPUs to help you to power your cloud applications and achieve faster results with low latency. All ECS instances come with Anti-DDoS protection to secure your data and applications from DDoS and Trojan attacks.

Alibaba Cloud Security Services

Alibaba Cloud has protected Alibaba Group's own business, such as the Double 11 Global Shopping Festival, for 10 years. The experience accumulated from these large-scale attacks helps minimize the threats to your business on the cloud.

Related Special Offer

Elastic Compute Service Starter Packages

Alibaba Cloud offers easy-to-use high-performance virtual machines with data transfer plan starting from $2.50 a month now.

Alibaba Clouder
Related Products

  • Managed Security Service

    Identify vulnerabilities and improve the security management of Alibaba Cloud WAF and Anti-DDoS with a fully managed security service.

  • Security Center

    Security Center is a flagship security product that integrates both Server Guard and Threat Detection Service. It is a unified security management system that recognizes, analyzes, and alerts on security threats in real time.