This topic describes how to manage security groups. You can manage security groups by using the ECS console or by calling API operations.
You can manage security groups by using the ECS console or by calling API operations. The following figure shows the workflow of a security group.
- Manage ECS instances
- Manage ENIs
- When you create the security group by using the ECS console, a security group rule is automatically added to allow all outbound traffic. We recommend that you keep the rule unchanged to avoid network connectivity issues.
- When you create the security group by calling an API operation, no security group rules are added. All outbound traffic is denied by default. We recommend that you manually add security group rules.
Operation in the ECS console
|Create a security group||You can create a security group.||Create a security group|
|Add security group rules||After you create a security group, you can add or modify security group rules to control inbound or outbound network access.||Add security group rules|
|Add an ECS instance to a security group||You can add instances to security groups to control network access in a centralized manner. An ECS instance cannot belong to both a basic and an advanced security group at the same time. If the instance is already added to a basic security group, you can replace the basic security group with an advanced security group.|
|Add an ENI to a security group||You can add ENIs to security groups to control network access in a centralized manner. If the ENI is already added to a basic security group, you can modify the ENI to add it to an advanced security group.||Modify an ENI|
|Bind the ENI to an ECS instance||After an ENI is bound to an instance, the security group rules immediately take effect on the ENI.||Bind an ENI|
|Manage security groups||You can query, modify, clone, and delete security groups as well as remove instances from security groups.|
|Manage security group rules||You can query, modify, restore, export, import, and delete security group rules.|
|CreateSecurityGroup||Creates a security group.
Note Before you create an advanced security group, make sure that a VPC and a vSwitch are available.
|AuthorizeSecurityGroup||Creates an inbound security group rule. This operation allows or denies the inbound traffic from other devices to ECS instances in the security group.|
|AuthorizeSecurityGroupEgress||Creates an outbound security group rule. This operation allows or denies the outbound traffic from ECS instances in the security group to other devices.|
|JoinSecurityGroup||Adds an ECS instance to a specified security group.|
|ModifyInstanceAttribute||Switches an ECS instance to a security group of a different type. If an instance belongs to a basic security group, you can call the ModifyInstanceAttribute operation to replace the security group with an advanced security group.
Note Before you switch an ECS instance to a security group of a different type, you must understand the differences between the rule configurations of the two security group types to avoid affecting the instance network.
|ModifyNetworkInterfaceAttribute||Modifies the security group of an ENI. If an ENI belongs to a basic security group, you can call the ModifyNetworkInterfaceAttribute operation to add the ENI to an advanced security group.|
|AttachNetworkInterface||Binds an ENI that is already added to a security group to an ECS instance in a VPC.|
|DescribeSecurityGroups||Queries security groups that you have created within the current region.|