Security groups function as virtual firewalls that provide Stateful Packet Inspection (SPI) and packet filtering capabilities to isolate security domains on the cloud. You can configure security group rules to control the inbound and outbound traffic of ECS instances in security groups.
Definition and characteristics
A security group is a logically isolated, mutually accessible group of instances within the same region that all share the same security requirements.
- Each ECS instance must belong to at least one security group and can belong to multiple security groups at the same time.
- A security group can manage multiple ECS instances within the same region.
- ECS instances in different security groups cannot communicate with each other over the internal network. However, you can configure security group rules to allow access between the security groups.
- Security groups are stateful. The maximum session timeout period for a security group is 910 seconds. By default, a security group allows traffic in all directions within the same session. For example, if request traffic during a session is allowed to flow in, response traffic is also allowed to flow out.
Security group types
Security groups are classified into basic security groups and advanced security groups. The following table compares the features of the two types.
|Feature||Basic security group||Advanced security group|
|Support all instance types||Yes||No. Only VPC-type instances are supported.|
|Network types||Supports VPCs and the classic network.||Supports VPCs only.|
|Access policy when no rules are added||
|Manually add rules||Supports both allow and forbid policies.||Supports only allow policies.|
|Set rule priorities||The default value is 1 and can be modified.||The value is fixed to 1 and cannot be modified.|
|Allow access to or from other security groups||Supports access to or from other security groups.||Does not support access to or from other security groups.|
|Bind ENIs to instances of any instance type||No. The instance must be of the VPC type.||No. The instance must be of the VPC type.|
|Maximum number of private IP addresses||2,000||65,536|
|Mutual access between instances within the same security group||Allows mutual access between instances over the internal network by default.||By default, instances are isolated from each other over the internal network. You must manually add security group rules to allow access between the instances.|
|Scenario||Scenarios that require fine-grained network control, multiple ECS instance types, and moderate network connections.||Scenarios that have high requirements on O&M efficiency, ECS instance types, and compute nodes.|
Security group rules
|NIC type||Depending on the network type of the instance:
|Rule direction||Both inbound and outbound security group rules are allowed.|
|Action||Both allow and forbid rules are supported.
Note For advanced security groups, you can set only allow rules.
|Protocol type||Application layer protocols such as SSH, ICMP, and RDP.|
|Port range||Ports enabled for applications or protocols. For more information, see Common ports used by applications.|
|Priority||The value can range from 1 to 100. A smaller value indicates a higher priority.
For security group rules of the same type, the rule that has the highest priority takes effect. When an ECS instance is added to multiple security groups, the rules of those groups are matched in descending order of priority. In one security group or between different security groups, if two security group rules have the same protocol type, port range, action, and authorization object, which rule takes effect depends on the priority and action settings of each rule.
Note For advanced security groups, the priority is fixed to 1 and cannot be modified.
|Authorization type||CIDR blocks and security groups.
Note For advanced security groups, you cannot set this parameter to security group or authorize mutual access between two security groups.
|Authorization object||CIDR blocks and security group IDs.
Note For advanced security groups, you cannot set security group IDs or authorize mutual access between two security groups.
For examples of rule configuration, see Scenarios for security groups and Configuration guide for ECS security groups.
Default security groups
- ICMP traffic and traffic over SSH port 22 and RDP port 3389 are allowed. The authorization object is 0.0.0.0/0.
- You can also allow traffic over HTTP port 80 and HTTPS port 443.
- The rule priority is 100.
Note The priority of default security group rules created before May 27, 2020 is 110.
- Outbound: All access requests are allowed.
- An ECS instance cannot belong to both a basic and an advanced security group at the same time.
- An ENI cannot belong to both a basic and an advanced security group at the same time.
For information about the limits and quotas of security groups, see the "Security group limits" section in Limits.
For information about the workflow of a security group, see Manage security groups. The following section provides some practical suggestions.
- Use security groups as a whitelist when only a few requests are allowed to access ECS instances in the security groups. Configure deny rules for all security groups and then add allow rules one by one to allow access requests.
- Do not use a security group to manage all applications because isolation requirements are different at different layers.
- Add instances that have the same security requirements to the same security group. Do not create a separate security group for each instance.
- Configure simple security group rules. If you add an ECS instance to multiple security groups, hundreds of rules may apply to the instance. Any changes to these rules may cause connection errors.
- If you want to modify the rules of a security group in the production environment, we recommend that you first test the modification on a cloned security group to avoid potential impacts on online applications. For more information about how to clone a security group, see Clone a security group.
- Follow the least privilege principle when you configure inbound or outbound rules for applications. For example, we recommend that you adhere to the following best
- Select a specific port over which to allow traffic, such as 80/80. Do not set a range of ports, such as 1/80.
- When you add security group rules, do not grant access permissions to the 0.0.0.0/0 CIDR block unless necessary.
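The following audit sketch applies the two least-privilege checks above, plus a check for the SSH and RDP ports that the default security group opens to 0.0.0.0/0. It is an added example, not code from Alibaba Cloud. The rule dictionaries and their field names are constructed for illustration and are not the ECS API schema, and treating `-1/-1` as "no port restriction" is an assumption about the port range notation.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # the ports the default security group opens

def parse_port_range(text):
    """Parse 'start/end' notation (for example 80/80) into a (start, end) tuple."""
    start, end = (int(part) for part in text.split("/"))
    if (start, end) == (-1, -1):  # assumption: -1/-1 means no port restriction
        return 1, 65535
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return start, end

def is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0: a zero-length prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_rule(rule):
    """Return the least-privilege findings for one rule (empty list if none)."""
    if rule["action"] != "allow":
        return []
    start, end = parse_port_range(rule["port_range"])
    findings = []
    if rule["protocol"] in ("tcp", "udp") and start != end:
        findings.append(f"port range {start}/{end} spans {end - start + 1} ports")
    if is_any_source(rule["cidr"]):
        findings.append(f"{rule['direction']} open to {rule['cidr']}")
        if rule["direction"] == "inbound" and rule["protocol"] == "tcp":
            for port, name in ADMIN_PORTS.items():
                if start <= port <= end:
                    findings.append(f"{name} port {port} reachable from any address")
    return findings

def audit_group(rules):
    """Map rule index -> findings, keeping only the rules that have findings."""
    return {i: found for i, rule in enumerate(rules) if (found := audit_rule(rule))}

# Constructed sample rules (hypothetical field names, documentation-range addresses).
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port_range": "22/22", "cidr": "0.0.0.0/0", "action": "allow"},
    {"direction": "inbound", "protocol": "tcp", "port_range": "1/80", "cidr": "10.0.0.0/8", "action": "allow"},
    {"direction": "inbound", "protocol": "tcp", "port_range": "443/443", "cidr": "192.0.2.0/24", "action": "allow"},
    {"direction": "inbound", "protocol": "icmp", "port_range": "-1/-1", "cidr": "0.0.0.0/0", "action": "allow"},
]

if __name__ == "__main__":
    for index, findings in audit_group(SAMPLE_RULES).items():
        print(f"rule {index}: " + "; ".join(findings))
```

Run against an export of a real group's rules, the output gives a short list of rules to tighten before the group is attached to production instances.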