In the default security group, the default rules only apply to the incoming ICMP traffic and the incoming access to SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443. Moreover, the default rules vary according to the network type of the security group. If you do not want to add your instance to the default security group, you can create a custom security group.
Context
Each ECS instance must join at least one security group. For more information, see Security groups.
If you did not create a security group before creating an instance, you can use the default security group. For more information, see Default security group rules.
Prerequisites
If you want to create a security group for a VPC, you must first create a VPC and a vSwitch.
Procedure
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Select a region.
- Click Create Security Group.
- In the displayed Create Security Group dialog box, complete the following configurations:
- Template: Select a template according to the services deployed in the instances inside the security group. Templates are designed to simplify the configuration of security group rules. The following table describes how templates can be applied to various scenarios.
Scenario Template Description Web services need to be deployed in Linux instances in the security group. Web Server Linux By default, incoming access to TCP ports 80/443/22 and incoming ICMP traffic are allowed. Web services need to be deployed in Windows instances in the security group. Web Server Windows By default, incoming access to TCP ports 80/443/3389 and incoming ICMP traffic are allowed. No special requirements Custom After the security group is created, you can add security group rules according to your business needs. Add security group rules - Security Group Name: Enter a name for the security group.
- Description: Enter a description of the security group.
- Network Type:
- To create a security group for a VPC, select VPC, and then select the target VPC.
- To create a security group for the classic network, select Classic.
- Template: Select a template according to the services deployed in the instances inside the security group. Templates are designed to simplify the configuration of security group rules. The following table describes how templates can be applied to various scenarios.
- Click OK.
If you create a new security group without adding any rules, the default rules for both the Internet and intranet apply. Specifically, outbound access is allowed while inbound access is denied.
API operations
You can call CreateSecurityGroup to create a security group.
What to do next
- You can add security group rules to control the Internet- or intranet-based access of your ECS instances. For information about the ports commonly involved in security group rules, see Introduction to common ECS instance ports. For details about typical use cases, see Typical applications of security group rules.