This topic describes how to configure security group rules for common scenarios (such as scenarios where a website deployed on your instance needs to provide external web services or where you want to connect to your instance from an on-premises server) based on security group characteristics in Elastic Compute Service (ECS).

Background information

Take note of the following items about security group rules:
  • In security groups of the Virtual Private Cloud (VPC) type, each rule controls access to or from both the Internet and the internal network. In security groups of the classic network type, public rules (Internet ingress and Internet egress rules) control access to or from the Internet, whereas internal rules (inbound and outbound rules) control access to or from the internal network.
  • All of the example rules described in this topic are configured for the default ports used by typical applications. Applications deployed on instances use ports of the instances to provide external services. For more information, see Common ports used by applications.

Security group rules for websites to provide web services

Security groups that contain no rules deny all inbound access. If a website deployed on your instance needs to provide external web services, add the security group rules described in the following table to allow inbound access to the required ports such as ports 80 (HTTP) and 443 (HTTPS).
Direction Action Priority Protocol type Port range Authorization object
Inbound Allow 1 Custom TCP Destination: 80/80 Source: 0.0.0.0/0
Inbound Allow 1 Custom TCP Destination: 443/443 Source: 0.0.0.0/0
Note If the website still cannot be accessed after the preceding rules are added, troubleshoot the problem. For more information, see Check whether TCP port 80 is available.

Security group rules for connecting to an instance from an on-premises server

Security groups that contain no rules deny all inbound access. Before you can connect to an instance from an on-premises server, you must add security group rules to allow inbound access to the required ports based on your connection method. For example, to connect to a Linux instance by using Secure Shell (SSH), add a rule that allows inbound SSH access to port 22. To connect to a Windows instance by using the Remote Desktop Protocol (RDP), add a rule that allows inbound RDP access to port 3389. The following table describes the example rules.
Direction Action Priority Protocol type Port range Authorization object
Inbound Allow 1 Custom TCP Destination: 22/22 Source: 0.0.0.0/0
Inbound Allow 1 Custom TCP Destination: 3389/3389 Source: 0.0.0.0/0
Note 0.0.0.0/0 indicates all IP addresses. For security purposes, we recommend that you specify specific IP addresses as authorization objects based on the principle of least privilege.

Security group rules for instances within different security groups to communicate with each other

Instances within different security groups that contain no rules are isolated from each other over the internal network. If you want to share data between instances from different security groups within the same VPC (for example, if you want instances within Security Group A to access shared files on instances within Security Group B over FTP), you can add rules to allow mutual access between the security groups over the internal network. This is more convenient than adding rules to allow access to or from individual IP addresses or CIDR blocks.
Note This method does not work for instances that reside within different VPCs. You can use Cloud Enterprise Network (CEN) to connect instances within a VPC to those within another VPC. For more information, see Overview.
If Security Group A and Security Group B belong to the same Alibaba Cloud account, specify the ID of Security Group A as the authorization object when you add a rule to Security Group B to allow inbound access from Security Group A. The following table describes an example rule.
Direction Action Priority Protocol type Port range Authorization object
Inbound Allow 1 Custom TCP Destination: 21/21 Source: sg-bp1hv6wvmegs036****
Note The security group ID provided in the preceding table is for reference only. Replace it with the actual security group ID.
If Security Group A and Security Group B do not belong to the same Alibaba Cloud account, specify the ID of Security Group A and the ID of its associated Alibaba Cloud account as the authorization object when you add a rule to Security Group B to allow inbound access from Security Group A. The following table describes an example rule.
Direction Action Priority Protocol type Port range Authorization object
Inbound Allow 1 Custom TCP Destination: 21/21 Source: 160998252992****/sg-bp174yoe2ib1sqj5****
Note The Alibaba Cloud account ID and the security group ID provided in the preceding table are for reference only. Replace them with the actual IDs.

Security group rules for access to databases

If you have deployed databases on your instance and want other instances to obtain data from the databases over the internal network, add rules to allow inbound access to the required ports based on the database types, such as port 3306 (MySQL), port 1521 (Oracle), port 1433 (MS SQL), port 5432 (PostgreSQL), and port 6379 (Redis). The following table describes the example rules.
Direction Action Priority Protocol type Port range Authorization object
Inbound Allow 1 Custom TCP Destination: 3306/3306 Source: 172.16.XX.XX
Inbound Allow 1 Custom TCP Destination: 1521/1521 Source: 192.168.XX.XX
Inbound Allow 1 Custom TCP Destination: 1433/1433 Source: 192.168.XX.XX/16
Inbound Allow 1 Custom TCP Destination: 5432/5432 Source: sg-bp1hv6wvmegs036****
Inbound Allow 1 Custom TCP Destination: 6379/6379 Source: 160998252992****/sg-bp174yoe2ib1sqj5****
Note The IP addresses, CIDR block, Alibaba Cloud account ID, and security group IDs provided in the preceding table are for reference only. Replace them with actual information.

Security group rules for pinging instances

The Internet Control Message Protocol (ICMP) is used to transmit control messages. You must add rules to allow inbound ICMP access before you can perform specific test operations, such as running the ping command on a client to ping your instance. The following table describes the example rules.
Direction Action Priority Protocol type Port range Authorization object
Inbound Allow 1 All ICMP (IPv4) Destination: -1/-1 Source: 0.0.0.0/0
Inbound Allow 1 All ICMP (IPv6) Destination: -1/-1 Source: ::/0

Security group rules for restricting access from instances to external websites

By default, basic security groups allow all outbound access. To allow instances within a basic security group access only to specific websites, you can use the security group as a whitelist and add a Forbid rule that denies all outbound access and then Allow rules that allow outbound access to the IP addresses of the websites. The following table describes the example rules.
Note If two security group rules are different only in the action, the Forbid rule takes effect. Therefore, the Forbid rule must have a lower priority than the Allow rules.
Direction Action Priority Protocol type Port range Authorization object
Outbound Forbid 2 All Destination: -1/-1 Destination: 0.0.0.0/0
Outbound Allow 1 Custom TCP Destination: 80/80 Destination: 47.96.XX.XX
Outbound Allow 1 Custom TCP Destination: 443/443 Destination: 121.199.XX.XX
Note The IP addresses of the websites provided in the preceding table are for reference only. Replace them with the actual IP addresses of your websites.

After the rules are added, you can log on to your instance to perform tests, such as running the ping command. If your instance can access only the specified IP addresses, the security group rules have taken effect.