This topic describes how to manage security groups. You can manage security groups by using the ECS console or by calling API operations.

Workflow

You can manage security groups by using the ECS console or by calling API operations. The following figures show the workflow for managing the security groups of ECS instances and of elastic network interfaces (ENIs).

  • Figure: workflow for managing the security groups of ECS instances
  • Figure: workflow for managing the security groups of ENIs
Notice When you create an advanced security group by using the ECS console or by calling an API operation, you can configure outbound rules by adhering to the following guidelines:
  • When you create the security group by using the ECS console, a security group rule is automatically added to allow all outbound traffic. We recommend that you keep the rule unchanged to avoid network connectivity issues.
  • When you create the security group by calling an API operation, no security group rules are added. All outbound traffic is denied by default. We recommend that you manually add security group rules.

Operation in the ECS console

The following table describes the operations that you can perform in the ECS console to manage security groups.

Operation: Create a security group
  Description: You can create a security group.
  Reference: Create a security group

Operation: Add security group rules
  Description: After you create a security group, you can add or modify security group rules to control inbound or outbound network access.
  Reference: Add security group rules

Operation: Add an ECS instance to a security group
  Description: You can add instances to security groups to control network access in a centralized manner. An ECS instance cannot belong to both a basic and an advanced security group at the same time. If the instance is already added to a basic security group, you can replace the basic security group with an advanced security group.

Operation: Add an ENI to a security group
  Description: You can add ENIs to security groups to control network access in a centralized manner. If the ENI is already added to a basic security group, you can modify the ENI to add it to an advanced security group.
  Reference: Modify an ENI

Operation: Bind the ENI to an ECS instance
  Description: After an ENI is bound to an instance, the security group rules immediately take effect on the ENI.
  Reference: Attach an ENI

Operation: Manage security groups
  Description: You can query, modify, clone, and delete security groups, and remove instances from security groups.

Operation: Manage security group rules
  Description: You can query, modify, restore, export, import, and delete security group rules.

API operations

The following table lists the API operations that you can use to manage security groups.

Operation: CreateSecurityGroup
  Description: Creates a security group.
  Note: Before you create an advanced security group, make sure that a VPC and a vSwitch are available.

Operation: AuthorizeSecurityGroup
  Description: Creates an inbound security group rule. This operation allows or denies inbound traffic from other devices to the ECS instances in the security group.

Operation: AuthorizeSecurityGroupEgress
  Description: Creates an outbound security group rule. This operation allows or denies outbound traffic from the ECS instances in the security group to other devices.

Operation: JoinSecurityGroup
  Description: Adds an ECS instance to a specified security group.

Operation: ModifyInstanceAttribute
  Description: Switches an ECS instance to a security group of a different type. If an instance belongs to a basic security group, you can call the ModifyInstanceAttribute operation to replace the security group with an advanced security group.
  Note: Before you switch an ECS instance to a security group of a different type, make sure that you understand the differences between the rule configurations of the two security group types, so that the change does not disrupt the instance's network connectivity.

Operation: ModifyNetworkInterfaceAttribute
  Description: Modifies the security group of an ENI. If an ENI belongs to a basic security group, you can call the ModifyNetworkInterfaceAttribute operation to add the ENI to an advanced security group.

Operation: AttachNetworkInterface
  Description: Binds an ENI that is already added to a security group to an ECS instance in a VPC.

Operation: DescribeSecurityGroups
  Description: Queries the security groups that you have created within the current region.
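The Notice above and the API table together describe a failure mode worth checking for: an advanced security group created by API call starts with no outbound rules, so its instances cannot reach anything until egress rules are added with AuthorizeSecurityGroupEgress. The following audit helper is an added example, not code from the page or from Alibaba Cloud; it walks the rule list in the shape returned by the DescribeSecurityGroupAttribute operation (the sample response is constructed) and reports whether outbound traffic is fully blocked, allowed to everything (the console default), or scoped to specific destinations.

```python
import json

# Constructed sample: an advanced security group created by API, where the
# caller then added one scoped egress rule. Field names follow the shape of a
# DescribeSecurityGroupAttribute response; the identifiers are placeholders.
SAMPLE_ATTRIBUTE = json.loads("""
{
  "SecurityGroupId": "sg-EXAMPLE",
  "SecurityGroupType": "enterprise",
  "Permissions": {"Permission": [
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "DestCidrIp": "10.0.0.0/8", "Priority": "1"}
  ]}
}
""")


def egress_rules(attr):
    """Return only the outbound rules from a security group attribute result."""
    rules = attr.get("Permissions", {}).get("Permission", [])
    return [r for r in rules if r.get("Direction") == "egress"]


def audit_egress(attr):
    """Classify a security group's outbound posture.

    'blocked' - no accept rule for egress: an API-created advanced group denies
                all outbound traffic by default, so instances cannot reach out.
    'open'    - an accept rule for all protocols to 0.0.0.0/0 (what the console
                adds automatically); connectivity works but is not least privilege.
    'scoped'  - at least one accept rule and none of them is accept-all.
    """
    accepts = [r for r in egress_rules(attr)
               if r.get("Policy", "").lower() == "accept"]
    if not accepts:
        return "blocked"
    for rule in accepts:
        if (rule.get("IpProtocol", "").upper() == "ALL"
                and rule.get("DestCidrIp") == "0.0.0.0/0"):
            return "open"
    return "scoped"


def egress_rule_params(sg_id, region, dest_cidr, proto="TCP", port="443/443"):
    """Build the parameter set for one scoped AuthorizeSecurityGroupEgress call."""
    return {"RegionId": region, "SecurityGroupId": sg_id, "IpProtocol": proto,
            "PortRange": port, "DestCidrIp": dest_cidr, "Policy": "accept",
            "Priority": "1"}
```

Run `audit_egress` over each group returned by DescribeSecurityGroups after a scripted deployment; a 'blocked' result on an advanced group almost always means the egress step was skipped.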