You can add security group rules to enable or disable access to and from the Internet or intranet for ECS instances in the security group:
VPC: You only need to set inbound and outbound rules. Also, you do not need to create different rules for private networks and Internet. The rules apply to Internet and intranet access at the same time.
Classic network: It is required to set outbound and inbound rules for Internet and intranet respectively.
Changes to the security group rules are automatically applied to ECS instances in the security group.
You have created a security group. For more information, see Create a security group.
You know which Internet or intranet requests need to be allowed or dropped for your instance.
To add a security group rule, follow these steps:
Log on to the ECS console.
In the left-side navigation pane, select Networks & Security > Security Groups.
Select a region.
Find the security group to add authorization rules, and in the Actions column click Configure Rules.
On the Security Group Rules page, click Add Security Group Rules.
Note: If you do not need to enable or disable all ports for all protocols, ICMP, or GRE, you can select Quickly Create Rules.
In the dialog box, set the following parameters:
- For a VPC-Connected security group, you can skip selecting the NIC.
- If your instances can access the Internet, the rules work for both the Internet and intranet.
- If your instances cannot access the Internet, the rules work for intranet only.
- For a classic network-connected security group, you must select Internet or Intranet.
- For a VPC-Connected security group, you can skip selecting the NIC.
- Outbound: ECS instances access other ECS instances over intranet networks, or through Internet resources.
- Inbound: Other ECS instances in the intranet and Internet resources access the ECS instance.
Authorization Policy: Select Allow or Drop.
Note: Drop policies discard the data packet without returning a response. If two security group rules overlap except the authorization policy, the Drop rule takes priority over the Allow rule.
Protocol Type and Port Range: The port range setting is affected by the selected protocol type. The following table shows the relationship between protocol types and port ranges.
Protocol type Port range Scenario All Shown as -1/-1, indicating all ports. You cannot set a port range for this protocol type. Used in scenarios where both the applications are fully and mutually trusted. All ICMP Shown as -1/-1, indicating all ports. You cannot set a port range for the ICMP protocol. Used to detect the instance’s network connection status by using
All GRE Shown as -1/-1, indicating all ports. You cannot set a port range for the GRE protocol. Used for VPN service. Custom TCP For custom port ranges, the valid port value is 1−65535, and the valid port range format is Start Port/End Port. A valid port range format must be used for one port. For example, use 80/80 to indicate port 80. Used to allow or deny one or several successive ports. Custom UDP SSH Shown as 22/22, the default SSH port 22. Used to remotely connect to Linux instances. TELNET Shown as 23/23. Used to remotely log on to instances by using
HTTP Shown as 80/80. The instance is used as a server for a website or a web application. HTTPS Shown as 443/443. The instance is used as a server for a website or a web application that supports the HTTPS protocol. MS SQL Shown as 1433/1433. The instance is used as a MS SQL server. Oracle Shown as 1521/1521. The instance is used as an Oracle SQL server. MySQL Shown as 3306/3306. The instance is used as a MySQL server. RDP Shown as 3389/3389, the default RDP port 3389. Used to remotely connect to Windows instances. PostgreSQL Shown as 5432/5432. The instance is used as a PostgreSQL server. Redis Shown as 6379/6379. The instance is used as a Redis server.
Note: Port 25 is disabled by default, and cannot be available by adding security group rules. To enable Port 25, Apply to open TCP port 25.
Authorization Type and Authorization Object: The authorization object affects setting of authorization type. The following table shows the relationship between them.
Authorization type Authorization object Address Field Access Use the IP or CIDR block format such as 10.0.0.0 or 192.168.0.0/24. Only IPv4 addresses are supported. 0.0.0.0/0 indicates all IP addresses. Security Group Access Only for intranet access. Authorize the instances in a security group under your account or another account to access the instances in this security group.
- Authorize This Account: Select a security group under your account. Both security groups must be in the same VPC.
- Authorize Other Account: Enter the target security group ID and the Account ID. Obtain the account ID in Account Management > Security Settings.
Note: To guarantee the security of your instance, when you are configuring an intranet inbound rule for a classic network-connected security group, Security Group Access is the top priority for Authorization Type. If you want to select Address Field Access, and you want to type an IP address in the CIDR format, type an IP address in the format of
a.b.c.d/32. Only 32 is the valid CIDR prefix.
Priority: 1−100. A smaller number indicates a higher priority. For more information about priority, see Security group rule priority.
In general, security group rules are immediately effective. Delays are observed occasionally.
If you have installed a web service in the instance and added a security group rule in a security group: allow all IP addresses to have inbound access to TCP port 80 of the instance. Follow these steps according to your instance OS to verify the security group rule.
For a Linux instance in the security group, follow these steps to verify the security group rule:
Run the following command to check whether TCP 80 is being listened.
netstat -an | grep 80
If the following result returns, web service for TCP port 80 is enabled.
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
http://public IP addressin the address bar of a browser. If the rule is applied, you can successfully access the website.
For a Windows instance in the security group, follow these steps to verify the security group rule:
Run cmd, and run the following command to check whether TCP 3389 is being listened.
netstat -aon | findstr :80
If the following result returns, TCP port 3389 is enabled.
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 1172
http://Public IP addressin the address bar of a browser. If the rule is applied, you can successfully access the website.
Security group rule priority
The Priority of a security group rule can be a number from 1 to 100. A smaller number indicates a higher priority.
ECS instances can belong to different security groups. As a result, instances may have multiple security group rules that have the same protocol types, port ranges, authorization types, and authorization objects. The rule that takes effect depends on the setting of Priority and Authorization Policy:
If the rules have the same priority, the Drop rule takes effect, and the Allow rule does not.
If the rules have different priorities, the rule with higher priority will be effective first, regardless the setting of Authorization Policy.