Security groups act as virtual firewalls that provide Stateful Packet Inspection (SPI) and packet filtering functions and are used to isolate security domains on the cloud. You can configure security group rules to control the inbound and outbound traffic of ECS instances in the group.
Characteristics
A security group can contain instances located in the same region. These instances
have the same security requirements and trust each other. Security groups have the
following characteristics:
- Each ECS instance must belong to at least one security group and can be added to multiple security groups at the same time.
- A security group can manage multiple ECS instances.
- By default, ECS instances in the same security group can communicate with each other over the internal network.
- By default, instances in different security groups cannot communicate with each other when no security group rule that allows access is configured.
- You can configure security group rules for only basic security groups to authorize mutual access between two security groups.
- Security groups are stateful. The maximum session timeout for a security group is 910 seconds. By default, a security group allows all directions of traffic in the same session. For example, if the request traffic during a session is allowed to flow in, the response traffic is also allowed to flow out.
Security group types
Security groups are classified into basic security groups and advanced security groups. The following table lists the differences between the two types.
| Security group type | Security group rule type | Security group rule priority | Inbound rule policy | Outbound rule policy | Scenario |
|---|---|---|---|---|---|
| Basic security groups | Default rules | Depends on the security group template. * | Depends on the security group template. * | Allows all access requests. | Scenarios that require fine-grained network control, multiple ECS instance types, and moderate network connections |
| Custom rules | Allows you to specify a value between 1 and 100. | Supports the allow and deny policies. Allows you to add inbound rules as needed. ** | Allows you to add outbound rules as needed. ** | ||
| Advanced security groups | Default rules | The value is 1 and cannot be modified. | Depends on the security group template. * | Depends on the security group template. * | Scenarios that have high requirements on O&M efficiency, ECS instance types, and computing nodes |
| Custom rules | Supports the allow policy. Allows you to add inbound rules as needed. ** | Allows you to add outbound rules as needed. ** |
* When you create a security group in the ECS console, you can select Web Server Linux (allows traffic on port 80, 443, 22, and ICMP traffic), Web Server Windows (allows traffic on port 80, 443, 3389, and ICMP traffic), and a custom security group template that denies all access requests in the inbound direction.
** For more information about how to add custom security group rules, see Add security group rules.
This topic describes the concepts in basic security groups and best practices. For information about advanced security groups, see Advanced security group overview.
Default security group
After you create an ECS instance in a region through the ECS console, a default security
group is created if no security group has been created under the current account in
this region. The default security group is a basic security group and has the same
network type as the instance.
The default security group has the following security group rules:
- Inbound: By default, traffic on SSH port 22 and RDP port 3389, and ICMP traffic are allowed. You can also allow traffic on HTTP port 80 and HTTPS port 443. The rule priority is 110.
- Outbound: All accesses are allowed.
Limits
For information about the limits of security groups, see the Security group limits section in Limits.
Workflow
The following figure shows the workflow of a basic security group. For information
about the workflow of an advanced security group, see Advanced security group overview.
Security group rules
Before a connection for data communication is established, the security group matches
all the rules to decide whether to allow the access requests. A security group rule
has the following attributes shown in the following table.
| Network type | NIC type | Rule direction | Authorization policy | Protocol type | Port range | Priority | Authorization type | Authorization object |
|---|---|---|---|---|---|---|---|---|
| VPC | Not required | Inbound and outbound | Allow and deny | Application layer protocols such as SSH, ICMP, and RDP | Ports opened by applications or protocols | 1 to 100 for custom rules and 110 for default rules | Security group access and CIDR block access | CIDR blocks and security group IDs |
| Classic network | Internal network and Internet |
Different attributes of security group rules are required for different communication
scenarios. For information about examples of rule configuration, see Scenarios for security groups. For example, when you log on to a Linux ECS instance by using an Xshell client,
a security group detects an SSH request from the Internet or internal network. The
security group then matches each inbound rule to check whether the IP address of the
request sender exists, whether the rule priority is the highest, whether the inbound
traffic is allowed, and whether port 22 is opened. If only one such rule exists, the
connection for data communication is established. The following figure shows how the security group matches its rules to control the
access request for a Linux ECS instance.
Security group rule priority
For security group rules with the same type, the rule with the highest priority takes
effect. When an ECS instance is added to multiple security groups, the rules of those
groups are matched in descending order of priority. The priority of a rule has the
following values based on how the rule is added. A smaller value indicates a higher
priority.
- For manually added rules, the values are between 1 and 100.
- For rules that are added by the system or created by using a template, the value is 110.
Note Advanced security groups do not support rule priority configuration.
In one security group or between different security groups, if two security group
rules have the same protocol type, port range, authorization type, and authorization
object, which rule takes effect depends on the priority and authorization policy settings
of each rule.
- If a deny rule and an allow rule have the same priority, the deny rule takes precedence.
- If two rules have different priorities, the rule with a higher priority takes effect.
NIC types
For basic security groups, the NIC type settings of security group rules vary by network
types.
- For classic networks, you can select Internal Network or Internet as the NIC type.
- For VPC, only Internal Network is available for the NIC type. However, the configured
security group rules apply to both the internal network and the Internet at the same
time. Internet network access to and from VPC-type ECS instances is mapped and forwarded
by internal NICs. Therefore, the Internet NIC type is not available in VPC-type ECS
instances. You can only set security group rules with the Internal NIC type.
Note Advanced security groups only support VPCs.
Best practices
When you use security groups, we recommend that you:
- Use security groups as a whitelist when only a few requests are allowed to access ECS instances of security groups. Set the rule policy of all security groups to deny access requests first, and then set the rule policy of these security groups one by one to allow access requests.
- Do not use a security group to manage all applications because isolation requirements are different at different layers.
- Add instances with the same security requirements to the same security group. Do not create a separate security group for each instance.
When you add security group rules, we recommend that you:
- Set simple security group rules. If you add an ECS instance to multiple security groups, hundreds of rules may apply to the instance. Any changes to these rules may cause connection errors.
- Follow the least privilege principle when you configure inbound or outbound rules
for applications. For example, you:
- Select a specific port (instead of a port range) to open, for example, port 80/80.
- When you add security group rules, do not grant access permission to the 0.0.0.0/0 CIDR block unless necessary.
- Clone an active security group when you want to modify its rules in the production environment. You can modify the rules on the cloned security group to avoid impacts on online applications. For more information about how to clone a security group, see Clone a security group.