
Elastic Compute Service:Manage ECS instances in security groups

Last Updated:Jan 24, 2024

A security group acts as a virtual firewall that can control inbound and outbound traffic for Elastic Compute Service (ECS) instances. You can add an ECS instance to one or more security groups based on your business requirements. You can also change the security groups to which an instance belongs.

Background information

  • You can specify one or more security groups for an ECS instance when you create the instance. Then, the instance is added to the security groups. For more information, see Create an instance by using the wizard.

  • An ECS instance and the security groups to which you want to add the instance must use the same network type. If the instance and the security groups all use the Virtual Private Cloud (VPC) network type, they must belong to the same VPC.

  • Security groups are classified into basic and advanced security groups. Each ECS instance can be added to multiple security groups only of the same type. For more information, see Basic and advanced security groups.

  • Each ECS instance must belong to at least one security group. By default, each ECS instance can belong to up to five security groups. For more information, see the Security group limits section in the "Limits" topic.

Procedure

You can perform the following operations to manage the security groups to which an ECS instance belongs:

Add an instance to security groups: You can add an ECS instance to specified security groups. The security groups to which the instance is already added remain unchanged.

Remove an instance from security groups: You can remove an ECS instance from specific security groups.

Replace all security groups of an ECS instance: You can replace all security groups to which an ECS instance belongs with one or more security groups. You can perform this operation to move an ECS instance between the two types of security groups.
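The membership constraints from the Background information section and the three operations above, modeled as an added example (not Alibaba Cloud code or its API): the group IDs, VPC IDs and the `network`/`kind` fields are constructed, and a change is committed only when the resulting membership satisfies every stated constraint.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_GROUPS_PER_INSTANCE = 5  # default per-instance limit stated on this page

@dataclass(frozen=True)
class SecurityGroup:
    group_id: str          # constructed sample IDs, not real resources
    network: str           # "vpc" or "classic"
    vpc_id: Optional[str]  # only meaningful when network == "vpc"
    kind: str              # "basic" or "advanced"

@dataclass
class Instance:
    instance_id: str
    network: str
    vpc_id: Optional[str]
    groups: Set[str] = field(default_factory=set)

def membership_problems(inst: Instance, groups: List[SecurityGroup]) -> List[str]:
    """Reasons the resulting membership would break the constraints on this page."""
    problems = []
    if not groups:
        problems.append("instance must belong to at least one security group")
    if len(groups) > MAX_GROUPS_PER_INSTANCE:
        problems.append(f"more than {MAX_GROUPS_PER_INSTANCE} security groups")
    if len({g.kind for g in groups}) > 1:
        problems.append("basic and advanced security groups cannot be mixed")
    for g in groups:
        if g.network != inst.network:
            problems.append(f"{g.group_id}: network type differs from the instance")
        elif g.network == "vpc" and g.vpc_id != inst.vpc_id:
            problems.append(f"{g.group_id}: belongs to a different VPC")
    return problems

def change_groups(inst: Instance, catalog: Dict[str, SecurityGroup],
                  op: str, target_ids: Set[str]) -> Set[str]:
    """Apply add / remove / replace and commit only if the result is valid."""
    if op == "add":          # existing memberships are kept
        new_ids = inst.groups | target_ids
    elif op == "remove":
        new_ids = inst.groups - target_ids
    elif op == "replace":    # every old membership is dropped (moves basic <-> advanced)
        new_ids = set(target_ids)
    else:
        raise ValueError(f"unknown operation {op!r}")
    problems = membership_problems(inst, [catalog[i] for i in new_ids])
    if problems:
        raise ValueError("; ".join(problems))
    inst.groups = new_ids
    return new_ids
```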

You can perform the preceding operations on the Instances page, Instance Details page, and Security Groups page in the ECS console. You can manage ECS instances in security groups from the perspective of ECS instances or security groups.

Manage the security groups of one or more ECS instances on the Instances page

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Instances page, find one or more ECS instances that you want to manage and manage their security groups.

    • Manage the security groups of a single ECS instance

      • On the Instances page, find the ECS instance that you want to manage, click the icon in the Actions column, and choose Network and Security Group > Add to Security Group, Remove from Security Group, or Replace Security Group.

      • On the Instances page, find the ECS instance that you want to manage and click the instance ID. The Instance Details page appears. In the Basic Information section on the Instance Details tab, click Add to Security Group.

      • On the Instances page, find the ECS instance that you want to manage and click the instance ID. The instance details page appears. Click the Security Groups tab, and then click Add to Security Group or Replace Security Groups. You can also click Remove in the Actions column corresponding to the security group that you want to manage.

    • Manage the security groups of multiple ECS instances

      On the Instances page, select the ECS instances that you want to manage. Then, in the lower part of the page, choose More > Network and Security Group > Add to Security Group, Remove from Security Group, or Replace Security Groups.

  5. In the dialog box that appears, select the security groups that you want to add, remove, or replace.

Manage ECS instances in a security group on the security group details page

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. Find the security group that you want to manage, click the icon in the Actions column, and choose Manage Instances.

  5. Go to the Instances tab of the security group.

    • Add ECS instances to the security group

      1. On the Instances tab, click Add Instance to Security Group in the upper-left corner.

      2. In the Add to Security Group dialog box, select one or more instance IDs and click OK.

        After you add the instances to the security group, the rules of the security group automatically apply to the instances.

    • Remove ECS instances from the security group

      1. Select one or more ECS instances and click Remove from Security Group in the lower part of the instance list.

      2. Click OK.

Use the default security group when you create an ECS instance in the ECS console

If you create an ECS instance in the ECS console and no security groups are available, the system creates a default security group. In this case, you can select the IPv4 ports and protocols that you want to open in the default security group based on your business requirements.


For more information about how to create an ECS instance, see Create an instance by using the wizard.

Attributes of default security groups

The following section describes the attributes of each default security group.

  • Security group type: basic security group.

  • Network type: same as the network type of the created ECS instance.

  • Default security group rules:

    • The security group rules have a priority of 100.

      Note

      The default security group rules that are created before May 27, 2020 have a priority of 110.

    • Rule description:

      • Outbound: All outbound traffic from ECS instances in the default security group is allowed.

      • Inbound: By default, only inbound ICMP traffic and inbound access on port 22 and port 3389 are allowed. You can choose whether to also allow inbound access on HTTP port 80 and HTTPS port 443. If you use the ECS instances to host websites, you must allow access on HTTP port 80 and HTTPS port 443.
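The default rule set described above, encoded as an added example (not the product's own code or rule format) so that a group's actual rules can be checked against that baseline: the `Rule` fields, the `-1/-1` port convention and the assumption that a lower priority number takes precedence are assumptions of this example, not statements from this page.

```python
from typing import List, NamedTuple, Set

class Rule(NamedTuple):
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_range: str  # "22/22"; "-1/-1" stands for all ports (constructed convention)
    priority: int
    policy: str      # "accept" or "drop"

def default_group_rules(allow_web: bool = False,
                        created_before_2020_05_27: bool = False) -> List[Rule]:
    """The rules this page lists for a console-created default security group."""
    prio = 110 if created_before_2020_05_27 else 100  # see the Note on this page
    rules = [
        Rule("egress", "all", "-1/-1", prio, "accept"),        # all outbound allowed
        Rule("ingress", "icmp", "-1/-1", prio, "accept"),
        Rule("ingress", "tcp", "22/22", prio, "accept"),       # SSH
        Rule("ingress", "tcp", "3389/3389", prio, "accept"),   # RDP
    ]
    if allow_web:  # the optional HTTP/HTTPS choice offered in the console
        rules += [Rule("ingress", "tcp", "80/80", prio, "accept"),
                  Rule("ingress", "tcp", "443/443", prio, "accept")]
    return rules

def ingress_allowed(rules: List[Rule], protocol: str, port: int) -> bool:
    """First matching inbound rule by ascending priority number decides (assumed:
    lower number = higher priority); with no matching rule the traffic is dropped."""
    inbound = sorted((r for r in rules if r.direction == "ingress"),
                     key=lambda r: r.priority)
    for r in inbound:
        lo, hi = (int(x) for x in r.port_range.split("/"))
        if r.protocol in ("all", protocol) and (lo == -1 or lo <= port <= hi):
            return r.policy == "accept"
    return False

def extra_ingress(actual: List[Rule], baseline: List[Rule]) -> Set[Rule]:
    """Inbound accept rules a group carries beyond the default baseline: the ones
    an operator should be able to justify during review."""
    accepts = {r for r in actual if r.direction == "ingress" and r.policy == "accept"}
    return accepts - set(baseline)
```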

Default security groups displayed on the Security Groups page

If a security group is displayed on the Security Groups page in the ECS console and has a description similar to System created security group, the security group is a default security group.


  • You can add or modify security group rules beyond the default rules to control inbound and outbound traffic at a finer granularity, and you can manage which ECS instances and elastic network interfaces (ENIs) are associated with the default security group.

  • If the default security group rules do not meet your business requirements, you can create a custom security group, configure new security group rules, and associate the rules with ECS instances or ENIs. For more information, see Create a security group.