All Products
Search
Document Center

Elastic Compute Service:Overview

Last Updated:Mar 07, 2024

A security group acts as a virtual firewall that can control inbound and outbound traffic for Elastic Compute Service (ECS) instances. You can configure inbound rules for a security group to control traffic to ECS instances in the group and outbound rules to control traffic from the instances.

When you create an ECS instance, you can specify one or more security groups for the instance. If you do not specify security groups when you create an ECS instance, the default security group is used. The rules in the security groups that are associated with an ECS instance are sorted based on specific policies and take effect at the same time to control traffic for the instance.

You can create, modify, or delete a rule for a security group. The configuration automatically takes effect for all ECS instances in the security group. For more information, see Security group rules. You can modify security groups that are associated with an ECS instance. The security group rules that apply to the instance are automatically modified. The rules in security groups that are associated with an ECS instance apply to the primary elastic network interface (ENI) of the instance. If you deploy an ECS instance that is associated with other ENIs in a virtual private cloud (VPC), you can specify different security groups for the ENIs. A security group takes effect only in the VPC to which the security group belongs. If you create an ECS instance in a VPC, you must specify a vSwitch and a security group that belong to the VPC for the instance.

Security groups provide two main features: intra-group communication and inter-group communication configuration. If a security group supports intra-group communication, ECS instances in the security group can communicate with each other over the internal network. If a security group supports inter-group communication configuration, when you create a rule in the security group, you can reference another security group as an authorization object (source or destination) in the rule to allow or deny access from ECS instances in the security group over the internal network. Security groups can be classified into basic and advanced security groups that are suitable for different scenarios. Both types are provided free of charge. Basic security groups support the preceding two features. Compared with advanced security groups, basic security groups can contain a smaller number of private IP addresses. Advanced security groups can contain a greater number of private IP addresses, but do not support intra-group communication or inter-group communication configuration. If you specify multiple security groups when you create an ECS instance, each ENI can use only one type of security group. We recommend that you select a type of security group based on your business requirements. For more information, see Basic and advanced security groups.

If the value of ServiceManaged is True in the response of the DescribeSecurityGroups operation or if a message similar to This security group is managed by a cloud service and cannot be modified is displayed for a security group in the ECS console, the security group is a managed security group. Managed security groups belong to Alibaba Cloud accounts and can be viewed by using the accounts, but can be managed only by cloud services. For more information, see Managed security groups.

If InvalidOperation.DeletionProtection is returned when you call the DeleteSecurityGroup operation to delete a security group, or if a message similar to Deletion Protection is displayed when you delete a security group in the ECS console, the deletion protection feature is enabled for the security group. When you create a Container Service for Kubernetes (ACK) cluster, the deletion protection feature is enabled for an associated security group to prevent accidental deletion. You cannot manually disable the deletion protection feature for the security group. The deletion protection feature can be automatically disabled only after the ACK cluster is deleted. For more information, see Configure security group rules to enforce access control on ACK clusters.

Properly use security groups alone or together with other methods to improve the security of your ECS instances. For more information, see ECS instance security.

Best practices

This section describes best practices for using security groups.

  • Planning

    You can specify the name, description, tags, and resource group of a security group based on your business requirements. We recommend that you specify information in the settings that can help you search and manage security groups.

  • Use the whitelist

    By default, all access to a security group is denied. You can add a rule to the security group to allow access from specific authorization objects on specific ports.

  • Follow the principle of least privilege when you add security group rules

    For example, if you want to allow connections to be established to port 22 on a Linux instance, we recommend that you add a rule to allow access only from specific IP addresses instead of all IP addresses (0.0.0.0/0).

  • Follow the principle of least privilege

    If you do not require intra-group communication for a basic security group, configure the internal access control policy of the security group to isolate the ECS instances in the security group from each other.

  • Keep the rules in each security group concise

    Add rules to security groups based on the purposes of the security groups, and then add ECS instances to the security groups. Adding a large number of rules to a single security group makes the security group harder to manage. You can perform a health check on a security group to identify redundant rules in the security group. For more information, see Identify redundant security group rules.

  • Add instances that serve different purposes to different security groups and maintain the rules for each group separately from other groups

    For example, you can add ECS instances that are accessible over the Internet to the same security group and allow access only on specific ports that provide external services, such as port 80 and port 443. By default, access to other ports is denied. To ensure that the ECS instances that are accessible over the Internet do not provide other services, such as MySQL and Redis, we recommend that you deploy internal services on the instances that are inaccessible over the Internet, and then add the instances to another security group.

  • Do not modify security groups that are used within the production environment

    You can clone a security group and modify the clone security group for testing. If the ECS instances in the clone security group run as expected after you modify the clone security group, modify the rules of the original security group.

    Note

    A single ECS instance may be associated with multiple security groups. For information about how to check all inbound or outbound rules that apply to the instance, see View the rules of multiple security groups.

Operations

Use the ECS API

References

For information about security group quotas, see Limits.