A security group is a virtual firewall for an ECS instance. This topic describes how to create a security group in the ECS console.
Background
An ECS instance must belong to one or more security groups. If no security group is created when you create an ECS instance, a default security group will be created. The default security group only has inbound rules configured for the ICMP protocol, SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443. For more information, see Security group overview. If you do not want the ECS instance to be added to the default security group, you can create a security group as described in this topic.
Prerequisites
If you want to create a VPC-type security group, confirm that a VPC and a VSwitch have been created. For more information, see Create a VPC and a VSwitch.
Procedure
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Click Create Security Group.
- In the Create Security Group dialog box, configure the following parameters:
- Template: If the instances in the security group are for Web server deployment, select a suitable
template to simplify security group rule configuration.
Template Description Scenario Web Server Linux Inbound traffic to TCP port 80, TCP port 443, TCP port 22, and for the ICMP protocol is allowed by default. A Web server must be deployed on the Linux instances in the security group. Web Server Windows By default, inbound traffic to TCP port 80, TCP port 443, TCP port 3389, and for the ICMP protocol is allowed. A Web server must be deployed on the Windows instances in the security group. Customize After creating a security group, you need to add security group rules. Not for Web server - Security Group Name: specify a valid security group name.
- Description: the description of the security group for later management.
- Security Group Type:
- Basic Security Group: can be used in scenarios that have higher requirements for refined network control, and prefer multiple ECS instance types and moderate network connections. For more information, see Security group overview.
- Advanced Security Group: can be used in scenarios that have higher requirements for O&M efficiency, ECS instance specifications, and computing nodes. For more information, see Advanced security group overview.
Note An ECS instance cannot be added to both a basic security group and an advanced security group. - Network Type:
- To create a classic network-type security group, select Classic.
- To create a VPC-type security group, select VPC and then a specific VPC.
Note You must select VPC for an advanced security group.
- Template: If the instances in the security group are for Web server deployment, select a suitable
template to simplify security group rule configuration.
- Click OK.
Results
After the security group is created, a new security group is added to the security group list. If you select a custom template, we recommend that you configure security group rules as prompted on the page.
Related APIs
You can call CreateSecurityGroup to create a security group.
Next operations
- You can add security group rules to allow or deny access to the public or internal networks from ECS instances in security groups.
- An ECS instance must belong to one or more security groups. You can add an instance to one or more security groups based on your business needs.