
Configure a security group

Last Updated: Aug 25, 2021

Security groups act as virtual firewalls that provide stateful packet inspection (SPI) and packet filtering, and they define security domains in the cloud. You add security group rules to control the inbound and outbound traffic of the elastic container instances in a security group.

Security group overview

Security group definition

A security group is a logically isolated group of instances within the same region that are mutually trusted and share the same security requirements. The rules of a security group control access to or from the Internet or internal network for the elastic container instances within the security group.

Note

  • Each security group can manage multiple elastic container instances within the same region.

  • Each elastic container instance must belong to a single security group.

Security group types

Security groups are classified into basic security groups and advanced security groups. By default, the following rules are added when a security group is created:

  • Inbound rules that allow access on ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP), and an inbound rule that allows Internet Control Message Protocol (ICMP) access on all ports. These rules can be modified. Review them before you add instances to the group: container workloads rarely need SSH or RDP reachable through the security group, so remove or narrow those rules.

  • An outbound rule that allows all access on all ports.

The following table describes the differences in features of basic and advanced security groups.

Feature: Access control policy when the security group contains no rules
  Basic security group: inbound denies all access requests; outbound allows all access requests.
  Advanced security group: inbound denies all access requests; outbound denies all access requests.

Feature: Maximum number of private IP addresses
  Basic security group: 2,000
  Advanced security group: 65,536

Feature: Mutual access between instances within the same security group
  Basic security group: by default, instances within the same security group can access each other over the internal network.
  Advanced security group: by default, instances within the same security group are isolated from each other over the internal network. You must add security group rules to allow mutual access between the instances.

Feature: Control on access to or from other security groups
  Basic security group: rules can be added to control access to or from other security groups.
  Advanced security group: rules cannot be added to control access to or from other security groups.

Notice

If your business requires a large number of elastic container instances and high O&M efficiency, we recommend that you use advanced security groups. Compared with basic security groups, advanced security groups can accommodate more elastic container instances and make it easier to configure security group rules.

Security group rules

Rules can be added to security groups to control inbound and outbound traffic. A security group rule is defined by attributes such as the rule direction, action, protocol type, port range, and authorization object. Take note of the following items about security group rules:

  • The total number of inbound and outbound rules in each security group cannot exceed 200.

  • Follow the principle of least privilege when you add security group rules. Examples:

    • Specify single ports such as port 80 in the format of 80/80, instead of a port range such as ports 1 through 80 in the format of 1/80.

    • 0.0.0.0/0 indicates all IP addresses. Do not configure it as the authorization object unless necessary.

For more information, see Overview.
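The following is an added example, not code from this page or from Alibaba Cloud. It lints a security group's rule set against the least-privilege points above (single ports rather than ranges, no 0.0.0.0/0 unless justified, at most 200 rules) and also covers the deny rule that the "Add security group rules" section later suggests for blocking an abusive source. The rule dictionaries use the field names the author expects from the ECS DescribeSecurityGroupAttribute response (Direction, Policy, IpProtocol, PortRange, SourceCidrIp/DestCidrIp, Priority); that shape, the "-1/-1" all-ports form, the Accept/Drop policy names, and all sample rules and addresses are assumptions or constructed data.

```python
"""Lint Alibaba Cloud security group rules against least-privilege guidance.
Added example; field names and sample rules are assumptions, not API output."""
import ipaddress

MAX_RULES_PER_GROUP = 200   # combined inbound + outbound limit stated on the page


def parse_port_range(port_range: str):
    """'80/80' -> (80, 80); '1/80' -> (1, 80); '-1/-1' (assumed all-ports form) -> None."""
    lo, hi = (int(p) for p in port_range.split("/"))
    if lo < 0 or hi < 0:
        return None
    if lo > hi:
        raise ValueError(f"invalid port range {port_range!r}")
    return lo, hi


def is_any_address(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, the 'all IP addresses' authorization objects."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:          # empty, or a security group ID instead of a CIDR
        return False


def lint_rules(rules):
    """Return (rule_index, code, message) findings; index None means the whole group."""
    findings = []
    if len(rules) > MAX_RULES_PER_GROUP:
        findings.append((None, "too-many-rules",
                         f"{len(rules)} rules exceed the limit of {MAX_RULES_PER_GROUP}"))
    for i, r in enumerate(rules):
        proto = r.get("IpProtocol", "ALL").upper()
        ports = parse_port_range(r.get("PortRange", "-1/-1"))
        accept = r.get("Policy", "Accept") == "Accept"   # Drop rules restrict, never widen
        if proto in ("TCP", "UDP") and accept:
            if ports is None:
                findings.append((i, "all-ports", f"{proto} rule allows every port"))
            elif ports[0] != ports[1]:
                findings.append((i, "port-range",
                                 f"{proto} {ports[0]}/{ports[1]} is a range; list single ports"))
        if r.get("Direction") == "ingress" and accept and is_any_address(r.get("SourceCidrIp", "")):
            findings.append((i, "open-to-internet",
                             f"inbound {proto} {r.get('PortRange')} allowed from {r['SourceCidrIp']}"))
        if (r.get("Direction") == "egress" and accept
                and is_any_address(r.get("DestCidrIp", "")) and (proto == "ALL" or ports is None)):
            findings.append((i, "egress-open", "outbound allows everything to every address"))
    return findings


def rule(direction, proto, ports, cidr, policy="Accept", priority=1):
    """Build one rule dict in the assumed API shape (helper for the constructed samples)."""
    key = "SourceCidrIp" if direction == "ingress" else "DestCidrIp"
    return {"Direction": direction, "Policy": policy, "IpProtocol": proto,
            "PortRange": ports, key: cidr, "Priority": priority}


# Constructed sample: the habits the page warns against.
LOOSE_RULES = [
    rule("ingress", "TCP", "443/443", "0.0.0.0/0"),
    rule("ingress", "TCP", "22/22", "0.0.0.0/0"),        # SSH from anywhere
    rule("ingress", "TCP", "1/80", "10.0.0.0/8"),         # range instead of 80/80
    rule("ingress", "ICMP", "-1/-1", "0.0.0.0/0"),
    rule("egress", "ALL", "-1/-1", "0.0.0.0/0"),
]

# Same intent, tightened: one justified 0.0.0.0/0 (public HTTPS), an explicit
# Drop for an abusive source placed ahead of the Accept (lower Priority number
# is evaluated first, an assumption about the API), SSH only from a bastion
# range, single ports, and egress limited to HTTPS.
TIGHT_RULES = [
    rule("ingress", "TCP", "443/443", "0.0.0.0/0", priority=10),
    rule("ingress", "TCP", "443/443", "198.51.100.0/24", policy="Drop", priority=1),
    rule("ingress", "TCP", "22/22", "203.0.113.0/24"),
    rule("ingress", "TCP", "80/80", "10.0.0.0/8"),
    rule("egress", "TCP", "443/443", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(label)
        for idx, code, msg in lint_rules(rules):
            print(f"  rule {idx}: {code}: {msg}")
```

The only finding left on the tightened set is the 0.0.0.0/0 on port 443, which is the documented exception for a public endpoint; keep such exceptions deliberate and few, and record why each one exists. A Drop rule only protects you if it is evaluated before the Accept it overrides, so check its priority when you add one to block a source.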

Specify a security group

When you create an elastic container instance, you must specify a security group for the instance.

Notice

The security group of an elastic container instance cannot be changed after the instance is created. To run the instance in a different security group, create an identical elastic container instance in that security group.

Kubernetes mode

When you use Elastic Container Instance based on Virtual Kubelet in Kubernetes scenarios, all elastic container instances within a cluster are added to the default security group configured by Virtual Kubelet. You can move an elastic container instance to a specified security group based on your needs.

  • Cluster

    You can run the kubectl edit command to modify the eci-profile configuration file of a cluster and change the default security group ID in the data section for the elastic container instances within the cluster.

    Note

    Virtual Kubelet of v2.0.0.90-15deb126e-aliyun or later allows modifications to eci-profile for hot updates. If your Virtual Kubelet version is earlier than v2.0.0.90-15deb126e-aliyun, we recommend that you upgrade your Virtual Kubelet.

    kubectl edit configmap eci-profile -n kube-system

    Modify the securityGroupId field in the data section. Sample code:

    data:
      enableClusterIp: "true"
      enableHybridMode: "false"
      enablePrivateZone: "false"
      resourceGroupId: ""
      securityGroupId: sg-2ze0b9o8pjjzts4h****  # Specify a security group ID.
      selectors: ""
      vSwitchIds: vsw-2zeet2ksvw7f14ryz****,vsw-2ze94pjtfuj9vaymf****
      vpcId: vpc-2zeghwzptn5zii0w7****
  • Elastic container instance

    You can add the k8s.aliyun.com/eci-security-group annotation to the pod metadata (for a Deployment, the metadata of spec.template, which is what reaches the pod) to specify a security group for an elastic container instance. Sample code:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: demo
      labels:
        app: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          annotations:
            k8s.aliyun.com/eci-security-group: "sg-bp1dktddjsg5nktv****"  # Specify a security group ID.
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:latest
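The following is an added example, not code from this page or from Alibaba Cloud. It applies the two Kubernetes-mode facts above, that the pod annotation k8s.aliyun.com/eci-security-group selects the security group and that everything else falls into the securityGroupId from the eci-profile ConfigMap, to work out which group each workload will actually land in before it is created, since the group cannot be changed afterwards. The manifests are plain dictionaries in the shape yaml.safe_load would produce; the security group IDs, the allowlist, the set of templated workload kinds, and the "annotation on the wrong metadata" check are the author's assumptions and constructed data.

```python
"""Resolve the effective security group of Kubernetes workloads on ECI.
Added example; IDs, allowlist and manifests are constructed."""

ANNOTATION = "k8s.aliyun.com/eci-security-group"   # pod annotation used on this page
# Kinds whose pods come from spec.template (assumed list; extend as needed).
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_metadata(obj):
    """Metadata that reaches the pod: the object's own for a Pod,
    spec.template.metadata for a templated workload."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("metadata") or {}
    if kind in TEMPLATED_KINDS:
        return (obj.get("spec") or {}).get("template", {}).get("metadata") or {}
    raise ValueError(f"unsupported kind {kind!r}")


def cluster_default_security_group(eci_profile):
    """securityGroupId from the data section of the eci-profile ConfigMap."""
    return eci_profile["data"]["securityGroupId"]


def effective_security_group(obj, default_sg):
    """(security group ID, origin): the pod annotation wins, else the cluster default."""
    sg = (pod_metadata(obj).get("annotations") or {}).get(ANNOTATION)
    return (sg, "annotation") if sg else (default_sg, "cluster-default")


def audit_workloads(objs, eci_profile, allowed):
    """One report entry per workload; a non-empty 'issues' list means fix before apply."""
    default_sg = cluster_default_security_group(eci_profile)
    report = []
    for obj in objs:
        sg, source = effective_security_group(obj, default_sg)
        issues = []
        if source == "cluster-default":
            issues.append(f"no pod annotation; instance will join cluster default {default_sg}")
            top_level = (obj.get("metadata") or {}).get("annotations") or {}
            if obj.get("kind") in TEMPLATED_KINDS and ANNOTATION in top_level:
                issues.append("annotation sits on the workload's metadata, not "
                              "spec.template.metadata, so it never reaches the pod")
        if not sg.startswith("sg-"):
            issues.append(f"{sg!r} does not look like a security group ID")
        if sg not in allowed:
            issues.append(f"{sg} is not in the allowlist")
        report.append({"kind": obj["kind"], "name": obj["metadata"]["name"],
                       "security_group": sg, "source": source, "issues": issues})
    return report


def workload(kind, name, pod_annotations=None, top_annotations=None):
    """Minimal templated workload dict (helper for the constructed samples)."""
    return {"apiVersion": "apps/v1", "kind": kind,
            "metadata": {"name": name, "annotations": top_annotations or {}},
            "spec": {"template": {"metadata": {"annotations": pod_annotations or {}},
                                  "spec": {"containers": [{"name": "app", "image": "nginx:latest"}]}}}}


# Constructed eci-profile ConfigMap, allowlist and manifests (not real IDs).
ECI_PROFILE = {"apiVersion": "v1", "kind": "ConfigMap",
               "metadata": {"name": "eci-profile", "namespace": "kube-system"},
               "data": {"securityGroupId": "sg-default0example",
                        "vSwitchIds": "vsw-a0example,vsw-b0example", "vpcId": "vpc-0example"}}
ALLOWED = {"sg-web0example", "sg-batch0example"}   # the cluster default is deliberately absent
WORKLOADS = [
    workload("Deployment", "web", pod_annotations={ANNOTATION: "sg-web0example"}),
    workload("Deployment", "batch"),                              # silently inherits the default
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "debug", "annotations": {ANNOTATION: "sg-unknown0example"}},
     "spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
    workload("StatefulSet", "worker", top_annotations={ANNOTATION: "sg-batch0example"}),
]

if __name__ == "__main__":
    for entry in audit_workloads(WORKLOADS, ECI_PROFILE, ALLOWED):
        status = "ok" if not entry["issues"] else "; ".join(entry["issues"])
        print(f"{entry['kind']}/{entry['name']}: {entry['security_group']} ({entry['source']}): {status}")
```

Running the audit over real manifests (load them with yaml.safe_load and pass the list) before kubectl apply catches the two mistakes that are expensive here: a workload that quietly inherits the cluster default, and an annotation placed on the Deployment rather than its pod template. Both are only fixable by recreating the instance.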
    

API mode

When you call the CreateContainerGroup operation to create an elastic container instance, you can use the SecurityGroupId parameter to specify a security group. The following table describes the parameter. For more information, see CreateContainerGroup.

Parameter: SecurityGroupId
  Type: String
  Example: sg-uf66jeqopgqa9hdn****
  Description: The ID of the security group.

Console mode

When you create an elastic container instance on the instance buy page in the Elastic Container Instance console, you can specify a security group for the instance.

[Figure: the Security Group setting on the instance buy page]

Add security group rules

You can add rules to a security group to control inbound and outbound traffic for the elastic container instances within the security group.

  • If your elastic container instance needs to communicate with a network outside the security group to which the instance belongs, add a security group rule that allows only the ports and addresses the instance needs.

  • When you detect attacks from specific request sources while elastic container instances are running, add security group rules that deny traffic from those sources to block the malicious requests.

For more information about how to add security group rules, see Add security group rules.