A security group acts as a virtual firewall for Elastic Compute Service (ECS) instances to control inbound and outbound traffic and improve security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups and security group rules to define security domains in the cloud.

Security groups and security group rules

A security group is a logically isolated group of instances within the same region that share the same security requirements. Security groups have the following characteristics:
  • Each instance must be assigned to one or more security groups.
    Note The secondary elastic network interfaces (ENIs) that are attached to an instance can be assigned to security groups different from those of the instance.
  • Instances within different security groups that contain no rules are isolated from each other over the internal network.
  • Security groups that contain no rules deny all inbound access.
  • Security groups are stateful. The maximum session timeout period for a security group is 910 seconds. By default, a security group allows traffic in both directions during the same session. For example, if a request during a session is allowed to flow in, the corresponding response traffic is also allowed to flow out.
Security groups are classified into basic security groups and advanced security groups. Advanced security groups are suitable for enterprise-grade scenarios and can contain more instances, ENIs, and private IP addresses and implement more rigorous levels of access control than basic security groups. In addition to the preceding characteristics of basic security groups, advanced security groups have the following unique characteristics:
  • Advanced security groups support only the Virtual Private Cloud (VPC) network type.
  • Advanced security groups that contain no rules deny all outbound access.
  • Instances within the same advanced security group that contains no rules are isolated from each other over the internal network.
Note An instance cannot be assigned to a basic security group and an advanced security group at the same time. For more information about the limits and quotas of security groups, see the "Security group limits" section of the Limits topic.
The following figures show how a security group to which no rules are added controls access.
  • Basic security group (figure: normal-sg-default)
  • Advanced security group (figure: enterprise-sg-default)
You can add rules to a security group to allow or deny access to or from the instances within the security group. You can also modify the rules of a security group. New and modified rules are automatically applied to all instances within the security group. Security group rules can be used to control access to or from specific IP addresses, CIDR blocks, security groups, or prefix lists.
Note Only rules of basic security groups can be configured to control access to or from other security groups.

If an instance is assigned to multiple security groups, the rules of all the security groups are applied to the instance. When an access request is detected, the request is matched against applied security group rules one by one based on the rule attributes such as protocol, port range, and priority. A session is not established until an Allow rule matches the request. For more information about the attributes and examples of security group rules, see Overview.

Default rules are automatically added when you create security groups by using the ECS console. You can modify or delete these rules based on your needs. The following default rules are automatically added to new security groups:
  • Basic security groups: four inbound rules that allow TCP access from all IP addresses to ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) and one inbound rule that allows Internet Control Message Protocol version 4 (ICMPv4) access from all IP addresses to all ports.
    The following figure shows how a basic security group with only the default rules controls access for instances. (figure: normal-sg-rule)
  • Advanced security groups:
    • Four inbound rules that allow TCP access from all IP addresses to ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) and one inbound rule that allows ICMPv4 access from all IP addresses to all ports.
    • One outbound rule that allows access on all protocols and ports to all IP addresses to avoid network connectivity issues.
    The following figure shows how an advanced security group with only the default rules controls access for instances. (figure: enterprise-sg-rule)
Note No default rules are automatically added when you create security groups by calling API operations.
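The matching described above (rules combined from every security group applied to an instance, a session established only when an Allow rule matches, and the no-rule defaults of basic versus advanced groups) can be simulated in a few lines. This is an added example, not Alibaba Cloud code; it assumes that a lower priority number wins and that a Deny rule beats an Allow rule at equal priority, and the `Rule` class and the 203.0.113.0/24 admin range are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (inbound) or "out" (outbound)
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # port range; ignored for icmp/all (use -1)
    port_to: int
    cidr: str        # source CIDR for inbound, destination CIDR for outbound
    priority: int = 100  # lower number = higher priority (assumption, see lead-in)

# Default rules the page lists for a console-created basic security group.
DEFAULT_BASIC = [
    Rule("in", "allow", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("in", "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("in", "allow", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("in", "allow", "tcp", 3389, 3389, "0.0.0.0/0"),
    Rule("in", "allow", "icmp", -1, -1, "0.0.0.0/0"),
]

# Least-privilege variant: start from an empty group and allow only what is needed.
# 203.0.113.0/24 is a constructed admin range (RFC 5737 documentation block).
HARDENED = [
    Rule("in", "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("in", "allow", "tcp", 22, 22, "203.0.113.0/24"),
]

def _matches(rule, direction, proto, port, addr):
    if rule.direction != direction or rule.protocol not in ("all", proto):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr, strict=False)

def evaluate(rules, direction, proto, port, addr, advanced=False):
    """Verdict ("allow"/"deny") for one new session; pass the concatenated rule
    lists of every security group applied to the instance."""
    hits = [r for r in rules if _matches(r, direction, proto, port, addr)]
    # Assumption: lowest priority number wins; at equal priority deny beats allow.
    hits.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    if hits:
        return hits[0].action
    # No rule matched. Per the page, a basic group with no rules denies inbound
    # only, while an advanced group with no rules denies both directions.
    return "allow" if direction == "out" and not advanced else "deny"
```

Evaluating SSH from an arbitrary address against `DEFAULT_BASIC` returns "allow", against `HARDENED` it returns "deny" unless the source is inside the admin range.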

Work with security groups

You can perform the following operations to use security groups to control traffic for instances:
  1. Create security groups.
  2. Add rules to the security groups.
  3. Add instances to the security groups.
  4. Manage existing security groups and security group rules based on your needs.
You can perform the following operations to use security groups to control traffic for secondary ENIs:
  1. Create security groups.
  2. Add rules to the security groups.
  3. Add secondary ENIs to the security groups.
  4. Bind secondary ENIs to instances.
  5. Manage existing security groups and security group rules based on your needs.

For information about how to perform operations on security groups and use cases of security groups, see Manage security groups, Security groups for different use cases, and Configuration guide for ECS security groups.

Default security groups

Each instance must be assigned to one or more security groups. When you use the ECS console to create instances within a region in which you have not created security groups, you can use the default security group. The system creates a default security group when it creates the instances that you request. The network type of the security group is the same as that of the instances. The default security group is a basic security group that contains default rules, as shown in the following figure. (figure: Default security group)
Take note of the following items about the default rules:
  • The rules have a priority of 100.
    Note The default security group rules created before May 27, 2020 have a priority of 110.
  • The rules allow TCP access from all IP addresses to ports 22 (SSH) and 3389 (RDP).
  • The rules allow ICMPv4 access from all IP addresses to all ports.
  • If you select Port 80 (HTTP) and Port 443 (HTTPS), rules are automatically added to allow TCP access from all IP addresses to ports 80 (HTTP) and 443 (HTTPS).

Managed security groups

Other Alibaba Cloud services such as Cloud Firewall and NAT Gateway also use security group capabilities. The Alibaba Cloud services create and use managed security groups to ensure service availability and prevent accidental operations on resources. Managed security groups are managed by the Alibaba Cloud services that create them. You can view managed security groups but cannot perform operations on them. For more information, see Managed security groups.

Practical suggestions

  • Use a security group that contains no rules as a whitelist, where all inbound access is denied and you can add rules to allow access to or from specific destinations or sources on specific ports.
  • Follow the principle of least privilege when you add security group rules. For example, to allow connections to port 22 on a Linux instance, we recommend that you add a rule to allow access from specific IP addresses instead of all IP addresses (0.0.0.0/0).
  • Make sure that each security group contains simple and clear rules. A single instance can be assigned to multiple security groups. A single security group can contain multiple rules. If a large number of rules are applied to an instance, management is complex and unforeseen risks can be introduced.
  • Add instances that serve different purposes to different security groups and separately maintain the security group rules applied to the instances. For example, you can add instances that need to be accessible from the Internet to a security group. Then, in the security group, add rules to deny all access and allow inbound access only to ports that are used to provide external services, such as ports 80 and 443. Meanwhile, to ensure that the instances accessible from the Internet do not provide other services (such as MySQL and Redis), we recommend that you deploy internal services on the instances inaccessible from the Internet and then add these instances to another security group.
  • Do not modify security groups in use within the production environment. All changes to a security group are automatically applied to the instances within the security group. Before you change a security group, you can clone, change, and debug it within the testing environment to ensure that the change does not interrupt the communication between the associated instances.
  • Specify identifiable names and tags for security groups for easy search and management.
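A small audit that applies the suggestions above to a rule list: it flags inbound Allow rules that open ports other than the public service ports (80 and 443) to any address, rules that open the full port range, and rules that allow all protocols from anywhere. This is an added example, not Alibaba Cloud tooling; the dict layout of a rule, the sample rule set and the 203.0.113.0/24 admin range are constructed, and port 3306 is used as the MySQL port mentioned above.

```python
import ipaddress

# Ports the page names as legitimate public-facing services (HTTP/HTTPS).
PUBLIC_PORTS = frozenset({80, 443})

def audit_inbound(rules, public_ports=PUBLIC_PORTS):
    """Return a list of (rule_index, reason) for inbound Allow rules that are
    wider than least privilege allows; an empty list means nothing was flagged.
    rules: dicts with keys direction, action, protocol, port_from, port_to, cidr."""
    findings = []
    for i, r in enumerate(rules):
        if r["direction"] != "in" or r["action"] != "allow":
            continue
        # 0.0.0.0/0 (or ::/0) has prefix length 0, i.e. it matches every address.
        any_source = ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0
        if r["protocol"] == "all":
            if any_source:
                findings.append((i, "all protocols and ports open to any address"))
            continue
        if r["protocol"] not in ("tcp", "udp"):
            continue   # ICMP has no ports; the page's default rules leave it open
        lo, hi = r["port_from"], r["port_to"]
        if (lo, hi) == (1, 65535):
            findings.append((i, f"{r['protocol']} full port range; narrow to the service port"))
            continue
        # Does the range expose anything beyond the public service ports?
        public_in_range = [p for p in public_ports if lo <= p <= hi]
        if any_source and (hi - lo + 1) > len(public_in_range):
            findings.append((i, f"{r['protocol']} {lo}-{hi} open to any address; restrict the source CIDR"))
    return findings

# Constructed sample: HTTPS for the public, SSH and MySQL mistakenly opened to
# everyone, and the SSH rule as it should look (admin range only).
SAMPLE = [
    {"direction": "in", "action": "allow", "protocol": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
    {"direction": "in", "action": "allow", "protocol": "tcp", "port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
    {"direction": "in", "action": "allow", "protocol": "tcp", "port_from": 3306, "port_to": 3306, "cidr": "0.0.0.0/0"},
    {"direction": "in", "action": "allow", "protocol": "tcp", "port_from": 22, "port_to": 22, "cidr": "203.0.113.0/24"},
    {"direction": "in", "action": "allow", "protocol": "icmp", "port_from": -1, "port_to": -1, "cidr": "0.0.0.0/0"},
]
```

Running `audit_inbound(SAMPLE)` flags only the second and third rules; the HTTPS rule, the admin-range SSH rule and the ICMP rule pass.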

Properly use security groups and make combined use of security groups and other means as required to improve the security of instances. For more information, see Best practices for security.