Security groups act as virtual firewalls that provide Stateful Packet Inspection (SPI) and packet filtering functions and are used to isolate security domains on the cloud. You can configure security group rules to control the inbound and outbound traffic of ECS instances in the group.
- Each ECS instance must belong to at least one security group and can be added to multiple security groups at the same time.
- A security group can manage multiple ECS instances.
- By default, ECS instances in the same security group can communicate with each other over the internal network.
- By default, instances in different security groups cannot communicate with each other when no security group rule that allows access is configured.
- Only basic security groups support rules that authorize mutual access between two security groups.
- Security groups are stateful. The maximum session timeout for a security group is 910 seconds. By default, a security group allows all directions of traffic in the same session. For example, if the request traffic during a session is allowed to flow in, the response traffic is also allowed to flow out.
Security group types
Security groups are classified into basic security groups and advanced security groups. The following table lists the differences between the two types.
| Security group type | Security group rule type | Security group rule priority | Inbound rule policy | Outbound rule policy | Scenario |
|---|---|---|---|---|---|
| Basic security groups | Default rules | Depends on the security group template. * | Depends on the security group template. * | Allows all access requests. | Scenarios that require fine-grained network control, multiple ECS instance types, and moderate network connections |
| Basic security groups | Custom rules | Allows you to specify a value between 1 and 100. | Supports the allow and deny policies. Allows you to add inbound rules as needed. ** | Allows you to add outbound rules as needed. ** | Scenarios that require fine-grained network control, multiple ECS instance types, and moderate network connections |
| Advanced security groups | Default rules | The value is 1 and cannot be modified. | Depends on the security group template. * | Depends on the security group template. * | Scenarios that have high requirements on O&M efficiency, ECS instance types, and computing nodes |
| Advanced security groups | Custom rules | The value is 1 and cannot be modified. | Supports the allow policy. Allows you to add inbound rules as needed. ** | Allows you to add outbound rules as needed. ** | Scenarios that have high requirements on O&M efficiency, ECS instance types, and computing nodes |
* When you create a security group in the ECS console, you can select the Web Server Linux template (allows traffic on ports 80, 443, and 22, and ICMP traffic), the Web Server Windows template (allows traffic on ports 80, 443, and 3389, and ICMP traffic), or a custom security group template that denies all inbound access requests.
** For more information about how to add custom security group rules, see Add security group rules.
This topic describes the concepts in basic security groups and best practices. For information about advanced security groups, see Advanced security group overview.
Default security group
- Inbound: By default, traffic on SSH port 22 and RDP port 3389, and ICMP traffic are allowed. You can also allow traffic on HTTP port 80 and HTTPS port 443. The rule priority is 110.
- Outbound: All accesses are allowed.
For information about the limits of security groups, see the Security group limits section in Limits.
Security group rules
| Network type | NIC type | Rule direction | Authorization policy | Protocol type | Port range | Priority | Authorization type | Authorization object |
|---|---|---|---|---|---|---|---|---|
| VPC | Not required | Inbound and outbound | Allow and deny | Application layer protocols such as SSH, ICMP, and RDP | Ports opened by applications or protocols | 1 to 100 for custom rules and 110 for default rules | Security group access and CIDR block access | CIDR blocks and security group IDs |
| Classic network | Internal network and Internet | Inbound and outbound | Allow and deny | Application layer protocols such as SSH, ICMP, and RDP | Ports opened by applications or protocols | 1 to 100 for custom rules and 110 for default rules | Security group access and CIDR block access | CIDR blocks and security group IDs |
Security group rule priority
- For manually added rules, the values are between 1 and 100.
- For rules that are added by the system or created by using a template, the value is 110.
- If a deny rule and an allow rule have the same priority, the deny rule takes precedence.
- If two rules have different priorities, the rule with the higher priority (the smaller priority value) takes effect.
NIC type
- For classic networks, you can select Internal Network or Internet as the NIC type.
- For VPC, only Internal Network is available as the NIC type. However, the configured security group rules apply to both the internal network and the Internet at the same time: Internet access to and from VPC-type ECS instances is mapped and forwarded by internal NICs, so the Internet NIC type is not available for VPC-type ECS instances, and you can only create security group rules with the Internal Network NIC type.
Note Advanced security groups only support VPCs.
Best practices
- Use security groups as a whitelist when only a few requests are allowed to reach the ECS instances in the security groups: first set the rules of all security groups to deny access requests, and then add rules to these security groups one by one to allow the required access requests.
- Do not use a security group to manage all applications because isolation requirements are different at different layers.
- Add instances with the same security requirements to the same security group. Do not create a separate security group for each instance.
- Set simple security group rules. If you add an ECS instance to multiple security groups, hundreds of rules may apply to the instance. Any changes to these rules may cause connection errors.
- Follow the least privilege principle when you configure inbound or outbound rules for applications. For example:
  - Open a specific port instead of a port range, for example, 80/80 to open only port 80.
  - When you add security group rules, do not grant access to the 0.0.0.0/0 CIDR block unless necessary.
- Clone an active security group when you want to modify its rules in the production environment. You can modify the rules on the cloned security group to avoid impacts on online applications. For more information about how to clone a security group, see Clone a security group.
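The following Python model, added here as an example and not part of the Alibaba Cloud documentation or tooling, applies the priority semantics described above (custom rules 1 to 100, template rules at 110, deny wins a tie, smaller value wins otherwise) to a constructed rule set that hardens the Web Server Linux template the way the whitelist best practice describes. The admin CIDR block 203.0.113.0/24 and the MySQL rules are constructed sample data, and the implicit deny for traffic no rule matches is an assumption.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_PRIORITY = 110          # rules added by the system or a template
ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class Rule:
    policy: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp" or "icmp"
    port_range: str             # "80/80" is the single port 80; "-1/-1" for icmp
    source_cidr: str            # authorization object: a CIDR block
    priority: int = DEFAULT_PRIORITY

    def __post_init__(self):    # custom rules take 1-100; only system/template rules use 110
        if not (1 <= self.priority <= 100 or self.priority == DEFAULT_PRIORITY):
            raise ValueError(f"invalid priority {self.priority}")

    def matches(self, protocol, port, source_ip):
        if protocol != self.protocol:
            return False
        if protocol != "icmp":  # ICMP rules carry no port range
            lo, hi = (int(p) for p in self.port_range.split("/"))
            if not lo <= port <= hi:
                return False
        return ipaddress.ip_address(source_ip) in ipaddress.ip_network(self.source_cidr)

def evaluate_inbound(rules, protocol, port, source_ip):
    """Smallest priority value wins; deny beats allow at the same priority;
    no matching rule means deny (assumption: implicit inbound deny)."""
    hits = [r for r in rules if r.matches(protocol, port, source_ip)]
    if not hits:
        return DENY
    best = min(r.priority for r in hits)
    top = [r for r in hits if r.priority == best]
    return DENY if any(r.policy == DENY for r in top) else ALLOW

# Constructed rule set: the Web Server Linux template (priority 110), hardened as the
# best practices describe: deny SSH from everywhere at 100, allow an admin block at 1.
RULES = [
    Rule(ALLOW, "tcp", "80/80", "0.0.0.0/0"),
    Rule(ALLOW, "tcp", "443/443", "0.0.0.0/0"),
    Rule(ALLOW, "tcp", "22/22", "0.0.0.0/0"),
    Rule(ALLOW, "icmp", "-1/-1", "0.0.0.0/0"),
    Rule(DENY, "tcp", "22/22", "0.0.0.0/0", priority=100),
    Rule(ALLOW, "tcp", "22/22", "203.0.113.0/24", priority=1),  # assumed admin block
    Rule(ALLOW, "tcp", "3306/3306", "10.0.0.0/8", priority=50),
    Rule(DENY, "tcp", "3306/3306", "10.0.1.0/24", priority=50),  # same priority: deny wins
]
```

Evaluating SSH from the admin block returns allow while SSH from any other address returns deny, and the two priority-50 MySQL rules show that a host in 10.0.1.0/24 is denied even though the broader allow rule also matches it.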