This topic describes several typical scenarios in which security groups in VPCs and in classic networks are used.
Overview
You can configure security group rules for ECS instances in security groups to control instance access to the public network or internal networks. For information about how to create security groups and add security group rules, see Create a security group and Add security group rules. Common scenarios for security group rule configuration are listed as follows:
- Scenario 1: Allow instances in the same region under the same account to communicate with each other through an internal network
If you need to copy resources between two ECS instances within the same region that are under the same account, you can add security group rules to allow the instances to communicate with each other through an internal network.
- Scenario 2: Allow instances in the same region but under different accounts to communicate with each other through an internal network
If you need to copy resources between two ECS instances within the same region but under different accounts, you can add security group rules to allow the instances to communicate with each other through an internal network.
- Scenario 3: Allow only specified IP addresses access to your instance
For security purposes, you can modify the port number for remote access to allow only specified IP addresses to connect to your ECS instance.
- Scenario 4: Allow your instance to access only specified public IP addresses
For security purposes, you can add security group rules to allow your instance to access only specified public IP addresses.
- Scenario 5: Disallow your instance from accessing specified public IP addresses
For security purposes, you can add security group rules to disallow your instance from accessing specified public IP addresses.
- Scenario 6: Allow public network access to your instance
You can connect to your ECS instance from the public network.
- Scenario 7: Allow an ECS instance that resides in a security group belonging to another account in the same internal network to connect to your ECS instance
You can connect to your instance from an ECS instance in a security group under another account in the same internal network.
- Scenario 8: Allow public network access to your ECS instance over HTTP or HTTPS
If you host a website on your instance, you can add security group rules to allow your users to access the website through HTTP or HTTPS.
Scenario 1: Allow instances in the same region under the same account to communicate with each other through an internal network
- If the two instances belong to the same security group, they can communicate with each other through an internal network by default.
- If the two instances belong to different security groups, they cannot communicate
with each other through an internal network by default. You can add security group
rules to both security groups to allow their instances to communicate with each other
through an internal network. Security group rule settings vary with network types,
as described in the following table.
Network type NIC type Rule direction Authorization policy Protocol Port range Priority Authorization type Authorization object VPC Not required Inbound Allow Select an applicable protocol. Specify a port range. 1 Security group under the current account The ID of the security group to which the allowed instance belongs. Classic network Internal
For ECS instances in the same VPC, you can add security group rules to allow them to communicate with each other through an internal network. For ECS instances in different VPCs, you can use Cloud Enterprise Network (CEN) to allow them to communicate with each other, regardless of whether the instances belong to the same account or are located within the same region. For more information, see CEN document Step 1: Network planning.
Scenario 2: Allow instances in the same region but under different accounts to communicate with each other through an internal network
This scenario applies only to ECS instances in classic networks.
For example, User A owns the classic network-type instance Instance A in the China (Hangzhou) region. The instance has the internal IP address A.A.A.A and belongs to the security group Group A.
User B owns the classic network-type instance Instance B in the China (Hangzhou) region. This instance has the internal IP address B.B.B.B and belongs to the security group Group B.
To allow Instance A and Instance B to communicate with each other through the internal network, you must add security group rules in both Group A and Group B.
- Add the security group rule described in the following table in Group A.
NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority Internal Inbound Allow Select an applicable protocol. Specify a port range. Security group under another account The ID of the security group Group B. The account ID of User B must be entered in Account ID. 1 - Add the security group rule described in the following table to Group B.
NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority Internal Inbound Allow Select an applicable protocol. Specify a port range. Security group under another account The ID of security group Group A. The account ID of User A must be entered in Account ID. 1 Note For security purposes, when you add an internal inbound security group rule of the classic network type, we recommend that you set Authorization Type to Security Group. If you set Authorization Type to CIDR Block, you can enter only a single CIDR block, for example,a.b.c.d/32. The CIDR block can be set as needed, but the subnet mask must be /32.
Scenario 3: Allow only specified IP addresses access to your instance
- Linux instance
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Inbound Allow SSH (22) 22/22 CIDR block The public CIDR block that you allow to connect to your instance. Example: 1.2.3.4/32 or 10.0.0.0/8. 1 Classic network Public - Windows instance
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Inbound Allow RDP (3389) 3389/3389 CIDR block The public CIDR block that you allow to connect to your instance. Example: 1.2.3.4/32 or 10.0.0.0/8. 1 Classic network Public
Scenario 4: Allow your instance to access only specified public IP addresses
- Add a security group rule to disallow your instance from accessing all public IP addresses
through any protocols, and ensure that the priority of this deny rule is lower than
the priority of the security group rule which allows the instance to access public
IP addresses. In this example, the priority of the deny rule is set to 2. The deny
rule settings are described in the following table.
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Outbound Deny All -1/-1 CIDR block 0.0.0.0/0 2 Classic network Public - Add a security group rule to allow your instance to access specified public IP addresses,
and ensure that the priority of this allow rule is higher than the priority of the
preceding deny group rule. In this example, the priority of the allow rule is set
to 1.
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Outbound Allow Select an applicable protocol. Specify a port range. CIDR block The public CIDR block that you allow your instance to access. Example: 1.2.3.4/32 or 10.0.0.0/8. 1 Classic network Public
After adding the security group rules, connect to your instance and run the ping or telnet command to check whether the security group rules have taken effect. If your instance can access only the allowed IP addresses, the security group rules have taken effect.
Scenario 5: Disallow your instance from accessing specified public IP addresses
| Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
|---|---|---|---|---|---|---|---|---|
| VPC | Not required | Outbound | Deny | All | -1/-1 | CIDR block | The public CIDR block that you disallow your instance from accessing. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
| Classic network | Public |
Scenario 6: Allow public network access to your instance
| Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
|---|---|---|---|---|---|---|---|---|
| VPC | Not required | Inbound | Allow | Windows: RDP (3389) | 3389/3389. | CIDR block | To allow all public IP addresses to connect to your instance, enter 0.0.0.0/0. To allow only specified public IP addresses to connect to your instance, follow the instructions in "Scenario 3: Allow only specified IP addresses access to your instance." | 1 |
| Linux: SSH (22) | 22/22. | |||||||
| Custom TCP | Specify a port range, such as 8080/8080. | |||||||
| Classic network | Public | Inbound | Allow | Windows: RDP (3389) | 3389/3389. | CIDR block | To allow all public IP addresses to connect to your instance, enter 0.0.0.0/0. To allow only specified public IP addresses to connect to your instance, follow the instructions in "Scenario 3: Allow only specified IP addresses access to your instance." | 1 |
| Linux: SSH (22) | 22/22. | |||||||
| Custom TCP | Specify a port range, such as 8080/8080. |
For information about how to customize ports for remote access, see Modify the default remote access port.
Scenario 7: Allow an ECS instance that resides in a security group belonging to another account in the same internal network to connect to your ECS instance
- To allow an internal IP address of an ECS instance in a security group under another
account to connect to your instance, add the security group rule described in the
following table. For ECS instances in VPCs, ensure that the instances under the two
accounts can communicate with each other through Cloud Enterprise Network (CEN) before
you add the security group rule. For more information, see
CEN document
Step 1: Network planning.
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Inbound Allow Windows: RDP (3389) 3389/3389. CIDR block The private IP address of the peer instance. 1 Linux: SSH (22) 22/22. Custom TCP Specify a port range, such as 8080/8080. Classic network Internal Inbound Allow Windows: RDP (3389) 3389/3389. CIDR block An internal IP address of the peer instance. For security purposes, only a single CIDR block can be entered, such as a.b.c.d/32. 1 Linux: SSH (22) 22/22. Custom TCP Specify a port range, such as 8080/8080. - To allow all ECS instances in a security group under another account to connect to
your instance, add the security group rule described in the following table. For ECS
instances in VPCs, ensure that the instances under the two accounts can communicate
with each other through Cloud Enterprise Network (CEN) before you add the security
group rule. For more information, see
CEN document
Step 1: Network planning.
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Inbound Allow Windows: RDP (3389) 3389/3389. Security group under another account The ID of the security group to which the peer instance belongs. The ID of the peer account must be entered in Account ID. 1 Linux: SSH (22) 22/22. Custom TCP Specify a port range, such as 8080/8080. Classic network Internal Inbound Allow Windows: RDP (3389) 3389/3389. Security group under another account The ID of the security group to which the peer instance belongs. The ID of the peer account must be entered in Account ID. 1 Linux: SSH (22) 22/22. Custom TCP Specify a port range, such as 8080/8080.
Scenario 8: Allow public network access to your ECS instance over HTTP or HTTPS
- To allow all public IP addresses to access your website, add the security group rule
described in the following table.
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Inbound Allow HTTP (80) 80/80. CIDR block 0.0.0.0/0 1 HTTPS (443) 443/443. Custom TCP Specify a port range, such as 8080/8080. Classic network Public Inbound Allow HTTP (80) 80/80. CIDR block 0.0.0.0/0 1 HTTPS (443) 443/443. Custom TCP Specify a port range, such as 8080/8080. - To allow specified public IP addresses to access your website, add the security group
rule described in the following table.
Network type NIC type Rule direction Authorization policy Protocol Port range Authorization type Authorization object Priority VPC Not required Inbound Allow HTTP (80) 80/80. CIDR block Specify one or more public IP addresses that are allowed to access your website. Example: 1.2.3.4/32 or 10.0.0.0/8. 1 HTTPS (443) 443/443. Custom TCP Specify a port range, such as 8080/8080. Classic network Public Inbound Allow HTTP (80) 80/80. CIDR block Specify one or more public IP addresses that are allowed to access your website. Example: 1.2.3.4/32 or 10.0.0.0/8. 1 HTTPS (443) 443/443. Custom TCP Specify a port range, such as 8080/8080.
- If you cannot access your instance by using
http://public IP address, check whether TCP port 80 is working properly. - Port 80 is the default HTTP port. To use another port (for example, port 8080) for HTTP, you must modify the listening port settings in the configuration file of the Web server.