This topic describes how to add security group rules. You can use security group rules to allow or deny access to or from the Internet or internal network for ECS instances in a security group.

Prerequisites

Before you add security group rules, make sure that the following requirements are met:
  • A security group is created. For more information, see Create a security group.
  • A list of the Internet or internal networks to which you want to allow or deny access to your instances is obtained. For information about scenarios of adding security group rules, see Scenarios for security groups.

Background information

Security groups control access to or from the Internet or internal networks. For security reasons, most security groups use Forbid rules for inbound traffic. If you use the default security group, security group rules are automatically added for some communication ports.

In this topic, security group rules are applied to the following scenarios:
  • When an application needs to communicate with a network outside the security group but the access request stays in the wait state, you must add an Allow rule first.
  • When you detect attacks from some request sources during the application operation, add Forbid rules to isolate those malicious request sources.
Before you add security group rules, take note of the following points:
  • Before you add rules to a basic security group, all outbound traffic is allowed and all inbound traffic is denied.
  • Before you add rules to an advanced security group, all outbound and inbound traffic is denied. For advanced security groups, you cannot specify the Priority parameter, set Authorization Type to Security Group, or set Action to Forbid in security group rules.
  • The total number of inbound and outbound rules in each security group cannot exceed 200.

For more information, see Overview.

Procedure

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Network & Security > Security Groups.
  3. In the top navigation bar, select a region.
  4. Find the security group to which you want to add rules. Click Add Rules in the Actions column.
  5. On the Security Group Rules page, use one of the following methods to add rules:
    • Method 1. Quickly create security group rules

      This method is applicable when ICMP and GRE are not required and you can select multiple ports. In the Quick Rule Creation dialog box, the following application ports are provided: SSH 22, Telnet 23, HTTP 80, HTTPS 443, MS SQL 1433, Oracle 1521, MySQL 3306, RDP 3389, PostgreSQL 5432, and Redis 6379. You can select one or more ports.

      Click Quick Rule Creation. In the Quick Rule Creation dialog box, configure parameters such as NIC Type, Rule Direction, and Custom Port Range. For more information about how to configure parameters for a security group rule, see Method 2: Manually add security group rules.

    • Method 2. Manually add security group rules
      1. Click Add Security Group Rule.
      2. Add a security group rule in the rule list.
        Table 1. Security group rule parameters
        Parameter Description
        NIC Type The NIC Type parameter is required only for security group rules of the classic network.
        • Internal: sets an internal security group rule of the classic network.
        • Public: sets an Internet security group rule of the classic network.
        Rule Direction The direction in which the security group rules are applied.
        • Outbound: Select this value if your ECS instances need to access other ECS instances in an internal network or resources in the Internet.
        • Inbound: Select this value if other ECS instances in an internal network or resources in the Internet need to access your ECS instances.
        Action
        • Allow: allows access requests on the specified port.
        • Forbid: discards data packets and returns no messages. If two security group rules differ only in their actions, the Forbid rule is used while the Allow rule is ignored.
        Note Only Allow rules can be created for advanced security groups.
        Protocol Type The protocol type of the security group rule.

        For information about the relationship between Protocol Type and Port Range, see Table 2. For more information about common ports, see Common ports used by applications.

        Port Range The port range depends on the protocol type. You can set a custom port range when Protocol Type is set to Custom TCP or Customized UDP. Enter the port range manually. Example: 22/23,443/443.
        Priority A smaller value indicates a higher priority. Valid values: 1 to 100.
        Note The priority value of each rule in advanced security groups is fixed to 1. You cannot set priority values for rules in advanced security groups.
        Authorization Type Valid values: IPv4 CIDR Block and Security Group.
        Note For advanced security group rules, you cannot set Authorization Type to Security Group.
        Authorization Object Supported authorization objects include:
        • IPv4 CIDR block
          • Enter an IPv4 address or an IPv4 CIDR block. Example: 12.1.1.1 or 13.1.1.1/25.

            For more information about the CIDR format, see Network FAQ.

          • You can enter up to 10 authorization objects at a time. Separate multiple objects with commas (,).
          • If you enter 0.0.0.0/0 as an authorization object, all IPv4 addresses are allowed or denied based on the Action parameter. Evaluate the network risks before you specify 0.0.0.0/0.
        • Security group
          Note For advanced security group rules, you cannot set Authorization Type to Security Group.

          This authorization type is valid only for internal networks. Authorize the instances in a security group in your or another account to access the instances in the current security group. For Internet access, you must specify IPv4 or IPv6 CIDR blocks.

          • Authorize current account: Select the ID of another security group in your account. If the current security group is of the VPC type, the security group to be authorized must be in the same VPC as the current security group.
          • Authorize another account: Enter a security group ID and the ID of another account to which the security group belongs. Choose Account Management > Security Settings in the Account Center to view your account ID.
        Note For security reasons, we recommend that you set Authorization Object to Security Group when you add an internal inbound rule to a security group of the classic network type. If you set Authorization Object to CIDR blocks, you can specify only single IP addresses in CIDR notation in the a.b.c.d/32 format. Only IPv4 is supported, and the subnet mask must be /32.
        Description The description of the security group rule.
        Table 2. Relationship between protocol types and port ranges
        Protocol Type Port Range Scenario
        All -1/-1 is displayed, indicating all ports. You cannot set a port range for this protocol type. It can be used in all trusted scenarios.
        All ICMP (IPv4) -1/-1 is displayed, indicating all ports. You cannot set a port range for this protocol type. It can be used when you run the ping command to check the status of network connections between ECS instances.
        All GRE -1/-1 is displayed, indicating all ports. You cannot set a port range for this protocol type. It can be used for VPN.
        Custom TCP Customize a port range. Valid values: 1 to 65535.

        You must use the <start port>/<end port> format. For example, 80/80 indicates port 80, and 1/22 indicates port 1 to port 22.

        It can be used to allow or deny traffic on one or more successive ports.
        Custom UDP
        SSH 22/22 It can be used to connect to a Linux instance. After you connect to the instance, you can modify the port number. For more information, see Modify the default remote port of an instance.
        TELNET 23/23 It can be used to connect to an instance.
        HTTP 80/80 It can be used when an instance serves as a website or web application server.
        HTTPS 443/443 It can be used when an instance serves as a website or web application server that supports HTTPS.
        MS SQL 1433/1433 It can be used when an instance serves as an MS SQL server.
        Oracle 1521/1521 It can be used when an instance serves as an Oracle SQL server.
        MySQL 3306/3306 It can be used when an instance serves as a MySQL server.
        RDP 3389/3389 It can be used to connect to a Windows instance. After you connect to the instance, you can modify the port number. For more information, see Modify the default remote port of an instance.
        PostgreSQL 5432/5432 It can be used when an instance serves as a PostgreSQL server.
        Redis 6379/6379 It can be used when an instance serves as a Redis server.
        Note The default SMTP port for outbound Internet traffic is port 25, which is disabled by default. It cannot be enabled by security group rules. To use SMTP port 25, take preventive measures to minimize security risks and then apply to enable the port. For more information,see Apply to enable TCP port 25.
      3. Click OK.

Result

After the security group rule is added, you can view it in the security group rule list. Changes to a security group rule are automatically applied to the ECS instances in the security group. We recommend that you immediately check whether the changes take effect.

What to do next

An ECS instance must belong to at least one security group. You can add an instance to one or more security groups. For more information, see Add an ECS instances to a security group.