This topic describes how to configure security group rules for common scenarios (such as scenarios where a website deployed on your instance needs to provide external web services or where you want to connect to your instance from an on-premises server) based on security group characteristics in Elastic Compute Service (ECS).
Background information
Take note of the following items about security group rules:
- In security groups of the Virtual Private Cloud (VPC) type, each rule controls access to or from both the Internet and the internal network. In security groups of the classic network type, public rules (Internet ingress and Internet egress rules) control access to or from the Internet, whereas internal rules (inbound and outbound rules) control access to or from the internal network.
- All of the example rules described in this topic are configured for the default ports used by typical applications. Applications deployed on instances use ports of the instances to provide external services. For more information, see Common ports used by applications.
Security group rules for websites to provide web services
Security groups that contain no rules deny all inbound access. If a website deployed
on your instance needs to provide external web services, add the security group rules
described in the following table to allow inbound access to the required ports such
as ports 80 (HTTP) and 443 (HTTPS).
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Custom TCP | Destination: 80/80 | Source: 0.0.0.0/0 |
| Inbound | Allow | 1 | Custom TCP | Destination: 443/443 | Source: 0.0.0.0/0 |
Note If the website still cannot be accessed after the preceding rules are added, troubleshoot
the problem. For more information, see Check whether TCP port 80 is available.
Security group rules for connecting to an instance from an on-premises server
Security groups that contain no rules deny all inbound access. Before you can connect
to an instance from an on-premises server, you must add security group rules to allow
inbound access to the required ports based on your connection method. For example,
to connect to a Linux instance by using Secure Shell (SSH), add a rule that allows
inbound SSH access to port 22. To connect to a Windows instance by using the Remote
Desktop Protocol (RDP), add a rule that allows inbound RDP access to port 3389. The
following table describes the example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Custom TCP | Destination: 22/22 | Source: 0.0.0.0/0 |
| Inbound | Allow | 1 | Custom TCP | Destination: 3389/3389 | Source: 0.0.0.0/0 |
Note
0.0.0.0/0 indicates all IP addresses. For security purposes, we recommend that you specify
specific IP addresses as authorization objects based on the principle of least privilege.
Security group rules for instances within different security groups to communicate with each other
Instances within different security groups that contain no rules are isolated from
each other over the internal network. If you want to share data between instances
from different security groups within the same VPC (for example, if you want instances
within Security Group A to access shared files on instances within Security Group
B over FTP), you can add rules to allow mutual access between the security groups
over the internal network. This is more convenient than adding rules to allow access
to or from individual IP addresses or CIDR blocks.
Note This method does not work for instances that reside within different VPCs. You can
use Cloud Enterprise Network (CEN) to connect instances within a VPC to those within
another VPC. For more information, see Overview.
If Security Group A and Security Group B belong to the same Alibaba Cloud account,
specify the ID of Security Group A as the authorization object when you add a rule
to Security Group B to allow inbound access from Security Group A. The following table
describes an example rule.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Custom TCP | Destination: 21/21 | Source: sg-bp1hv6wvmegs036**** |
Note The security group ID provided in the preceding table is for reference only. Replace
it with the actual security group ID.
If Security Group A and Security Group B do not belong to the same Alibaba Cloud account,
specify the ID of Security Group A and the ID of its associated Alibaba Cloud account
as the authorization object when you add a rule to Security Group B to allow inbound
access from Security Group A. The following table describes an example rule.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Custom TCP | Destination: 21/21 | Source: 160998252992****/sg-bp174yoe2ib1sqj5**** |
Note The Alibaba Cloud account ID and the security group ID provided in the preceding table
are for reference only. Replace them with the actual IDs.
Security group rules for access to databases
If you have deployed databases on your instance and want other instances to obtain
data from the databases over the internal network, add rules to allow inbound access
to the required ports based on the database types, such as port 3306 (MySQL), port
1521 (Oracle), port 1433 (MS SQL), port 5432 (PostgreSQL), and port 6379 (Redis).
The following table describes the example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Custom TCP | Destination: 3306/3306 | Source: 172.16.XX.XX |
| Inbound | Allow | 1 | Custom TCP | Destination: 1521/1521 | Source: 192.168.XX.XX |
| Inbound | Allow | 1 | Custom TCP | Destination: 1433/1433 | Source: 192.168.XX.XX/16 |
| Inbound | Allow | 1 | Custom TCP | Destination: 5432/5432 | Source: sg-bp1hv6wvmegs036**** |
| Inbound | Allow | 1 | Custom TCP | Destination: 6379/6379 | Source: 160998252992****/sg-bp174yoe2ib1sqj5**** |
Note The IP addresses, CIDR block, Alibaba Cloud account ID, and security group IDs provided
in the preceding table are for reference only. Replace them with actual information.
Security group rules for pinging instances
The Internet Control Message Protocol (ICMP) is used to transmit control messages.
You must add rules to allow inbound ICMP access before you can perform specific test
operations, such as running the ping command on a client to ping your instance. The
following table describes the example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | All ICMP (IPv4) | Destination: -1/-1 | Source: 0.0.0.0/0 |
| Inbound | Allow | 1 | All ICMP (IPv6) | Destination: -1/-1 | Source: ::/0 |
Security group rules for restricting access from instances to external websites
By default, basic security groups allow all outbound access. To allow instances within
a basic security group access only to specific websites, you can use the security
group as a whitelist and add a Forbid rule that denies all outbound access and then
Allow rules that allow outbound access to the IP addresses of the websites. The following
table describes the example rules.
Note If two security group rules are different only in the action, the Forbid rule takes
effect. Therefore, the Forbid rule must have a lower priority than the Allow rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Outbound | Forbid | 2 | All | Destination: -1/-1 | Destination: 0.0.0.0/0 |
| Outbound | Allow | 1 | Custom TCP | Destination: 80/80 | Destination: 47.96.XX.XX |
| Outbound | Allow | 1 | Custom TCP | Destination: 443/443 | Destination: 121.199.XX.XX |
Note The IP addresses of the websites provided in the preceding table are for reference
only. Replace them with the actual IP addresses of your websites.
After the rules are added, you can log on to your instance to perform tests, such as running the ping command. If your instance can access only the specified IP addresses, the security group rules have taken effect.