Each ECS instance must join at least one security group. For more information, see security group.

If you have not created a security group prior to creating an ECS instance, we recommend that you use the default security group provided by the system. For more information, see default security group rules.

Alternatively, you can create a security group to meet your business needs and then add your instances to it. This topic describes how to create a security group.

Prerequisite

To create a VPC-Connected security group, you must have created a VPC.

Note

You can create a VPC-Connected security group across VSwitches, but not across VPCs.

Procedure

  1. Log on to the ECS console.
  2. In the left-side navigation pane, select Networks and Security > Security Groups.
  3. Select the target region.
  4. Click Create Security Group.
  5. In the Create Security Group dialog box, complete the following configurations:
    • Template: If the instances in the security group are for Web server deployment, select an appropriate template to simplify security group rule configuration.
      | Setting | Template | Note |
      |---------|----------|------|
      | To deploy a Web server on the Linux instances in the security group | Web Server Linux | By default, inbound traffic to TCP 80, TCP 443, TCP 22, and ICMP is allowed. |
      | To deploy a Web server on the Windows instances in the security group | Web Server Windows | By default, inbound traffic to port TCP 80, TCP 443, TCP 3389, and ICMP is allowed. |
      | Not for Web server | Custom | After the security group is created, you can add security group rules as needed. |
    • Security Group Name: Enter a name for the security group.
    • Description: Enter a description of the security group for easier management.
    • Network Type:
      • To create a VPC-Connected security group, select VPC and then select the target VPC.
      • To create a Classic network-connected security group, select Classic.

  6. Click OK.

For a new security group without any rules, the following default rules apply to the communication of all the instances in the group over the Internet or intranet:
  • Outbound: Allow
  • Inbound: Forbid
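
The Web Server templates above open a remote-administration port (TCP 22 on Linux, TCP 3389 on Windows), so it is worth reviewing the resulting rules after creation. The following is an added example, not part of the original documentation: it audits a rule list for inbound Accept rules that expose those ports to a wide source range. The field names assume the Permission entries returned by DescribeSecurityGroupAttribute; the sample rules, their CIDR values and the 256-address threshold are constructed for illustration.

```python
import ipaddress

# Remote-administration ports opened by the Web Server Linux / Windows templates.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample, shaped like DescribeSecurityGroupAttribute Permission
# entries (assumed field names); every CIDR below is made up for the example.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "203.0.113.10/32"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "198.51.100.0/22"},
]


def covered_admin_ports(rule):
    """Return the admin ports covered by a rule's protocol and port range."""
    if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
        return []
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    if low == -1:  # -1/-1 means every port
        low, high = 1, 65535
    return [p for p in sorted(ADMIN_PORTS) if low <= p <= high]


def audit(rules, max_source_addresses=256):
    """Flag inbound Accept rules exposing admin ports to a wide source range."""
    findings = []
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept":
            continue
        cidr = rule.get("SourceCidrIp")
        if not cidr:  # source is another security group, not a CIDR block
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses <= max_source_addresses:
            continue  # narrow source such as a single admin host
        for port in covered_admin_ports(rule):
            findings.append((ADMIN_PORTS[port], port, cidr))
    return findings


if __name__ == "__main__":
    for name, port, cidr in audit(SAMPLE_RULES):
        print(f"review: {name} (TCP {port}) reachable from {cidr}")
```

The all-protocol rule is flagged for both ports because its `-1/-1` range covers them, while the RDP rule limited to a single source address is not.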

Follow-up operations

After you create a security group, you can add security group rules.

You can also add an instance to or remove an instance from a security group.

Related API

CreateSecurityGroup