Security groups act as virtual firewalls that provide Stateful Packet Inspection (SPI) and packet filtering functions and are used to isolate security domains on the cloud. You can configure security group rules to control the inbound and outbound traffic of ECS instances in the group.

Characteristics

A security group can contain instances located in the same region. These instances have the same security requirements and trust each other. Security groups have the following characteristics:
  • Each ECS instance must belong to at least one security group and can be added to multiple security groups at the same time.
  • A security group can manage multiple ECS instances.
  • By default, ECS instances in the same security group can communicate with each other over the internal network.
  • By default, instances in different security groups cannot communicate with each other when no security group rule that allows access is configured.
  • Only basic security groups support security group rules that authorize mutual access between two security groups.
  • Security groups are stateful. The maximum session timeout for a security group is 910 seconds. By default, a security group allows all directions of traffic in the same session. For example, if the request traffic during a session is allowed to flow in, the response traffic is also allowed to flow out.

Security group types

Security groups are classified into basic security groups and advanced security groups. The following table lists the differences between the two types.

Security group type | Security group rule type | Security group rule priority | Inbound rule policy | Outbound rule policy | Scenario
--- | --- | --- | --- | --- | ---
Basic security groups | Default rules | Depends on the security group template. * | Depends on the security group template. * | Allows all access requests. | Scenarios that require fine-grained network control, multiple ECS instance types, and moderate network connections
Basic security groups | Custom rules | Allows you to specify a value between 1 and 100. | Supports the allow and deny policies. Allows you to add inbound rules as needed. ** | Allows you to add outbound rules as needed. ** | Scenarios that require fine-grained network control, multiple ECS instance types, and moderate network connections
Advanced security groups | Default rules | The value is 1 and cannot be modified. | Depends on the security group template. * | Depends on the security group template. * | Scenarios that have high requirements on O&M efficiency, ECS instance types, and computing nodes
Advanced security groups | Custom rules | The value is 1 and cannot be modified. | Supports the allow policy. Allows you to add inbound rules as needed. ** | Allows you to add outbound rules as needed. ** | Scenarios that have high requirements on O&M efficiency, ECS instance types, and computing nodes

* When you create a security group in the ECS console, you can select the Web Server Linux template (allows traffic on ports 80, 443, and 22, and ICMP traffic), the Web Server Windows template (allows traffic on ports 80, 443, and 3389, and ICMP traffic), or a custom security group template that denies all access requests in the inbound direction.

** For more information about how to add custom security group rules, see Add security group rules.

This topic describes the concepts in basic security groups and best practices. For information about advanced security groups, see Advanced security group overview.

Default security group

After you create an ECS instance in a region through the ECS console, a default security group is created if no security group has been created under the current account in this region. The default security group is a basic security group and has the same network type as the instance.
[Figure: Default security group]
The default security group has the following security group rules:
  • Inbound: By default, traffic on SSH port 22 and RDP port 3389, and ICMP traffic are allowed. You can also allow traffic on HTTP port 80 and HTTPS port 443. The rule priority is 110.
  • Outbound: All accesses are allowed.

Limits

For information about the limits of security groups, see the Security group limits section in Limits.

Workflow

The following figure shows the workflow of a basic security group. For information about the workflow of an advanced security group, see Advanced security group overview.
[Figure: Basic security group workflow]

Security group rules

Before a connection for data communication is established, the security group matches the request against all of its rules to decide whether to allow it. A security group rule has the attributes shown in the following table.

Network type | NIC type | Rule direction | Authorization policy | Protocol type | Port range | Priority | Authorization type | Authorization object
--- | --- | --- | --- | --- | --- | --- | --- | ---
VPC | Not required | Inbound and outbound | Allow and deny | Application layer protocols such as SSH, ICMP, and RDP | Ports opened by applications or protocols | 1 to 100 for custom rules and 110 for default rules | Security group access and CIDR block access | CIDR blocks and security group IDs
Classic network | Internal network and Internet | Inbound and outbound | Allow and deny | Application layer protocols such as SSH, ICMP, and RDP | Ports opened by applications or protocols | 1 to 100 for custom rules and 110 for default rules | Security group access and CIDR block access | CIDR blocks and security group IDs
Different communication scenarios require different security group rule attributes. For examples of rule configuration, see Scenarios for security groups. For example, when you log on to a Linux ECS instance by using an Xshell client, the security group detects an SSH request from the Internet or the internal network. The security group then checks each inbound rule to determine whether the rule covers the IP address of the request sender, whether the rule has the highest priority among the matching rules, whether the rule allows inbound traffic, and whether the rule opens port 22. If such a rule exists, the connection for data communication is established. The following figure shows how the security group matches its rules to control the access request for a Linux ECS instance.
[Figure: Match security group rules]

Security group rule priority

For security group rules with the same type, the rule with the highest priority takes effect. When an ECS instance is added to multiple security groups, the rules of those groups are matched in descending order of priority. The priority of a rule has the following values based on how the rule is added. A smaller value indicates a higher priority.
  • For manually added rules, the values are between 1 and 100.
  • For rules that are added by the system or created by using a template, the value is 110.
Note Advanced security groups do not support rule priority configuration.
In one security group or between different security groups, if two security group rules have the same protocol type, port range, authorization type, and authorization object, which rule takes effect depends on the priority and authorization policy settings of each rule.
  • If a deny rule and an allow rule have the same priority, the deny rule takes precedence.
  • If two rules have different priorities, the rule with a higher priority takes effect.
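To make the matching order concrete, here is an added Python model (not Alibaba Cloud's code, and not part of the original documentation) of the evaluation described in the Xshell example and in the priority rules above: smallest priority value wins, deny beats allow at equal priority, and a request that matches no rule is denied. The Rule fields, the "-1/-1" port convention and the implicit deny are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # 1-100 for custom rules, 110 for default/template rules
    policy: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: str    # "lo/hi", e.g. "22/22"; "-1/-1" is assumed to mean any port
    source_cidr: str   # authorization object of an inbound rule


def _port_matches(rule: Rule, port: int) -> bool:
    if rule.protocol == "icmp" or rule.port_range == "-1/-1":
        return True
    lo, hi = (int(p) for p in rule.port_range.split("/"))
    return lo <= port <= hi


def rule_matches(rule: Rule, src_ip: str, protocol: str, port: int) -> bool:
    """True if the rule's protocol, port range and source CIDR all cover the request."""
    if rule.protocol not in ("all", protocol) or not _port_matches(rule, port):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source_cidr, strict=False)


def evaluate_inbound(rules, src_ip: str, protocol: str, port: int) -> bool:
    """Among matching rules the smallest priority value wins; at equal priority a
    deny beats an allow; a request matching no rule is denied (assumed implicit deny)."""
    matching = [r for r in rules if rule_matches(r, src_ip, protocol, port)]
    if not matching:
        return False
    best = min(r.priority for r in matching)
    return all(r.policy == "allow" for r in matching if r.priority == best)


# Constructed sample: the default security group described above (SSH, RDP and ICMP
# at priority 110) plus custom rules; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges used here as stand-ins.
DEFAULT_GROUP = [
    Rule(110, "allow", "tcp", "22/22", "0.0.0.0/0"),
    Rule(110, "allow", "tcp", "3389/3389", "0.0.0.0/0"),
    Rule(110, "allow", "icmp", "-1/-1", "0.0.0.0/0"),
    Rule(1, "deny", "tcp", "22/22", "203.0.113.0/24"),    # priority 1 beats 110
    Rule(50, "allow", "tcp", "80/80", "0.0.0.0/0"),
    Rule(50, "deny", "tcp", "80/80", "203.0.113.0/24"),   # equal priority: deny wins
]

if __name__ == "__main__":
    for ip, proto, port in [("198.51.100.7", "tcp", 22), ("203.0.113.5", "tcp", 22),
                            ("203.0.113.5", "tcp", 80), ("198.51.100.7", "tcp", 443)]:
        verdict = "allowed" if evaluate_inbound(DEFAULT_GROUP, ip, proto, port) else "denied"
        print(f"{ip} {proto}/{port}: {verdict}")
```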

NIC types

For basic security groups, the NIC type settings of security group rules vary by network type.
  • For classic networks, you can select Internal Network or Internet as the NIC type.
  • For VPC, only Internal Network is available as the NIC type. However, the configured security group rules apply to both the internal network and the Internet at the same time. Internet access to and from VPC-type ECS instances is mapped and forwarded by internal NICs, so the Internet NIC type is not available for VPC-type ECS instances, and you can only set security group rules with the Internal Network NIC type.
    Note Advanced security groups only support VPCs.

Best practices

When you use security groups, we recommend that you:
  • Use security groups as a whitelist when only a few requests need to reach the ECS instances in the security groups. First set every security group to deny all access requests, and then add allow rules to each security group one by one for the requests that are needed.
  • Do not use a security group to manage all applications because isolation requirements are different at different layers.
  • Add instances with the same security requirements to the same security group. Do not create a separate security group for each instance.
When you add security group rules, we recommend that you:
  • Set simple security group rules. If you add an ECS instance to multiple security groups, hundreds of rules may apply to the instance. Any changes to these rules may cause connection errors.
  • Follow the least privilege principle when you configure inbound or outbound rules for applications. For example, you:
    • Select a specific port (instead of a port range) to open, for example, port 80/80.
    • When you add security group rules, do not grant access permission to the 0.0.0.0/0 CIDR block unless necessary.
  • Clone an active security group when you want to modify its rules in the production environment. You can modify the rules on the cloned security group to avoid impacts on online applications. For more information about how to clone a security group, see Clone a security group.
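As an added example (not part of the original documentation and not an Alibaba Cloud tool), the following Python audit flags inbound allow rules that break the two least-privilege points above: granting access to 0.0.0.0/0, and opening a port range instead of a single port. The dict field names are modeled on the Permission entries of the ECS DescribeSecurityGroupAttribute API response; treat that mapping as an assumption and adjust it to the output you actually work with.

```python
import ipaddress

# Constructed sample rules (field names assumed to mirror a DescribeSecurityGroupAttribute
# Permission entry); 198.51.100.0/24 is a documentation address range.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Priority": 110},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "10.0.0.0/8", "Priority": 50},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "198.51.100.0/24", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP",
     "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8", "Priority": 100},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Priority": 100},
]


def port_span(port_range: str) -> int:
    """Number of ports a 'lo/hi' range covers; '-1/-1' (no port concept) counts as 0."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return 0 if lo < 0 else hi - lo + 1


def audit_inbound_rules(rules, max_ports: int = 1) -> list:
    """Return one finding string per least-privilege violation in inbound allow rules."""
    findings = []
    for r in rules:
        if r["Direction"] != "ingress" or r["Policy"] != "Accept":
            continue  # deny rules and outbound rules are out of scope for this check
        label = (f'{r["IpProtocol"]} {r["PortRange"]} from {r["SourceCidrIp"]} '
                 f'(priority {r["Priority"]})')
        if ipaddress.ip_network(r["SourceCidrIp"], strict=False).prefixlen == 0:
            findings.append(f"allows the whole Internet: {label}")
        if r["IpProtocol"] == "ALL" or port_span(r["PortRange"]) > max_ports:
            findings.append(f"opens a port range instead of a single port: {label}")
    return findings


if __name__ == "__main__":
    for finding in audit_inbound_rules(SAMPLE_RULES):
        print(finding)
```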