Scenarios - User Guide| Alibaba Cloud Documentation Center

This article introduces several common scenarios of VPC-connected and Classic network-connected security groups.

Note For more information about how to create a security group and its rules, see create a security group and add a security group rule.

Scenario 1: Enable intranet communication
Example: If you want to copy files between two Classic network-connected ECS instances owned by different accounts or in different security groups, you can enable intranet communication between both instances by configuring security group rules and then copy files.
Scenario 2: Allow remote connection from specified IP addresses only
Example: When your ECS instance is compromised by hackers as a zombie, you can modify the port for remote connection, and configure security group rules to allow access from specified IP addresses only.
Scenario 3: Allow an instance to access specified IP addresses only
Example: When your ECS instance is compromised by hackers as a zombie and scan or send packets maliciously, you can configure security group rules to allow the instance to access to specified IP addresses.
Scenario 4: Allow remote connection to an ECS instance
Example: You can connect to an ECS instance by configuring a security group rule.
Scenario 5: Allow access to an ECS instance over HTTP or HTTPS service
Example: If you build a website on your instance, you can configure security group rules to enable your users to access the website.

Scenario 1: Enable intranet communication

Security group rules can be used in the following cases to enable intranet communication between ECS instances that belong to different accounts or security groups in the same region:

Case 1: Instances belong to one region and one account.
Case 2: Instances belong to one region but different accounts.

Note For VPC-connected ECS instances,

If they are in one VPC, you can configure their security group rules to enable intranet communication.
If they are in different VPCs, or owned by different accounts in the same region, Express Connect is the only option to establish intranet communication. For more information, see establish an intranet connection between VPCs under different accounts.

Case 1: Instances belong to one region and one account

For two instances in one region but owned by one account, if they are in one security group, intranet communication is enabled by default. If they are in different security groups, you must configure security group rules to enable intranet communication according to the network types.

VPC

If they are in one VPC, add a rule in their security groups respectively to authorize the security groups to access each other. The rule must be as follows.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Priority	Authorization Type	Authorization Object
N/A	Inbound	Allow	Select the required protocol	Set the required port range	1	Security group access (authorize this account)	Select the Security Group ID on which you want to allow access to the instance

Classic network

Add a rule in their security groups respectively to authorize the security groups to access each other. The rule must be as follows.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Priority	Authorization Type	Authorization Object
Intranet	Inbound	Allow	Select the required protocol	Set the required port range	1	Security group access (authorize this account)	Select the Security Group ID on which you want to allow access to the instance

Case 2: Instances belong to one region but different accounts

For Classic network-connected ECS instances only.

Authorize the security groups to access each other. For example:

User A owns a Classic network-connected ECS instance in the China East 1 region, named Instance A, with the private IP address A.A.A.A. The security group is Group A.
User B owns a Classic network-connected ECS instance in the China East 1 region, named Instance B, with the private IP address B.B.B.B. The security group is Group B.

Add a rule in Group A to authorize access of Instance A to Instance B, as shown in the following table.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
Intranet	Inbound	Allow	Select the required protocol	Set the required port range	Security group access (authorize other accounts)	Type the account ID of User B and the security group ID of Group B	1

Add a rule in Group B to authorize access of Instance B to Instance A, as shown in the following table.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
Intranet	Inbound	Allow	Select the required protocol	Set the required port range	Security group access (authorize other accounts)	Type the account ID of User A and the security group ID of Group A	1

Note To guarantee the security of your instances, when you are configuring an intranet inbound rule for a Classic network-connected security group, Security Group Access is the top priority for Authorization Type. If you select Address Field Access, you must enter an IP address with CIDR prefix, /32, in the format of a.b.c.d/32. Only IPv4 is supported.

Scenario 2: Allow remote connection from specified IP addresses only

If you want to allow remote connection to your instance from the specified public IP addresses, add the following rule. In this example, we allow remote connection to an instance on TCP Port 22 from a specified IP address.


Network Type	NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
VPC	N/A	Inbound	Allow	SSH(22)	22/22	Address field access	The IP address to allow access, such as 1.2.3.4.	1
Classic network	Internet	Inbound	Allow	SSH(22)	22/22	Address field access	The IP address to allow access, such as 1.2.3.4.	1

Scenario 3: Allow an instance to access specified IP addresses only

If you want your instance to access specified IP addresses, add the following rules in its security group.

Add the following rule to drop any access to all public IP addresses. The priority must be lower than the rule in step 2.


Network Type	NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
VPC	N/A	Inbound	Drop	All	-1/-1	Address field access	0.0.0.0/0	2
Classic network	Internet	Inbound	Drop	All	-1/-1	Address field access	0.0.0.0/0	2

Add the following rule to allow access to the specified IP address, with a higher priority than that in step 1.


Network Type	NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
VPC	N/A	Outbound	Allow	Select the required protocol	Set the required port range	Address field access	Type the specified IP address, such as 1.2.3.4	1
Classic network	Internet	Outbound	Allow	Select the required protocol	Set the required port range	Address field access	Type the specified IP address, such as 1.2.3.4	1

After you add the rules, connect to the instance and try to ping or telnet the instance from the specified IP address and other IP addresses. If the instance can be accessed by the specified IP address, it means the rules work.

Scenario 4: Allow remote connection to an ECS instance

You may want to connect to your instance in the following cases:

Case 1: Allow remote connection to your instance from the Internet.
Case 2: Allow remote connection to your instance from intranet.

Case 1: Allow remote connection to your instance from the Internet

To allow remote connection to your instance from the Internet, add the following rule according to the network type and the operating system of your instance.

VPC


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
N/A	Inbound	Allow	Windows: RDP(3389)	3389/3389	Address field access	To allow Internet access from any public IP address, type 0.0.0.0/0. To allow Internet access from a specified Internet IP address, see Scenario 2.	1
			Linux: SSH (22)	22/22
			Custom TCP	Customized

Classic network


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
Internet	Inbound	Allow	Windows: RDP(3389)	3389/3389	Address field access	To allow Internet access from any public IP address, type 0.0.0.0/0. To allow Internet access from a specified Internet IP address, see Scenario 2.	1
			Linux: SSH(22)	22/22
			Custom TCP	Customized

To customize the port for remote connection, see modify the default remote access port.

Case 2: Allow remote connection to your instance from intranet

If you have enabled intranet communication between instances that belong to one region but different accounts, and you want to allow the instances in different security groups to connect to each other, add the following rules as needed.

To allow a private IP address to connect to an instance.

VPC

Make sure that intranet communication has been built between both accounts by using Express Connect, and then add any one of the following rule.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
N/A	Inbound	Allow	Windows: RDP(3389)	3389/3389	Address field access	Specify the private IP address of the peer instance	1
			Linux: SSH (22)	22/22
			Custom TCP	Customized

Classic network

Add any one of the following rules.


NIC	Rule direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
Intranet	Inbound	Allow	Windows: RDP (3389)	3389/3389	Address field access	Specify the private IP address of the peer instance. To secure the instance, only an IP address with CIDR prefix, `/32`, in the format of a.b.c.d/32, is allowed.	1
			Linux: SSH (22)	22/22
			Custom TCP	Customized

To allow all the instances in a security group of one account to connect to your instance:

VPC

Make sure that intranet communication is built between both accounts by using Express Connect, and then add any one of the following rules.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
N/A	Inbound	Allow	Windows: RDP (3389)	3389/3389	Security group access (authorize other accounts)	Type the account ID of the peer and the security group ID	1
			Linux: SSH(22)	22/22
			Custom TCP	Customized

Classic network

Add any one of the following rules.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
Intranet	Inbound	Allow	Windows: RDP (3389)	3389/3389	Security group access (authorize other account)	Type the account ID of the peer and the security group ID	1
			Linux: SSH(22)	22/22
			Custom TCP	Customized

Scenario 5: Allow access to an ECS instance over HTTP or HTTPS service

If you have built a website on your instance and expect your users to visit the site over HTTP or HTTPS service, add any one of the following rules.

VPC

To allow all public IP addresses to access your site, add any one of the following rules.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
N/A	Inbound	Allow	HTTP(80)	80/80	Address field access	0.0.0.0/0	1
			HTTPS(443)	443/443
			Custom TCP	Customized, such as 8080/8080

Classic network

To allow all public IP addresses to access your site, add any one of the following rules.


NIC	Rule Direction	Authorization Policy	Protocol Type	Port Range	Authorization Type	Authorization Object	Priority
Internet	Inbound	Allow	HTTP(80)	80/80	Address field access	0.0.0.0/0	1
			HTTPS (443)	443/443
			Custom TCP	Customized, such as 8080/8080

Note

If your users cannot access your instance by using http://Public IP address, verify if TCP port 80 works properly.
TCP Port 80 is the default port for HTTP service. If you want to use other ports, modify the port in the configuration file of the Web server.