This topic describes several typical scenarios in which security groups in VPCs and in classic networks are used.

Overview

Security group rules control how the ECS instances in a security group communicate with the public network and with internal networks. For information about how to create security groups and add security group rules, see Create a security group and Add security group rules. Common scenarios for security group rule configuration are listed as follows:

Note For information about commonly used ports, see Typical applications of commonly used ports.

Scenario 1: Allow instances in the same region under the same account to communicate with each other through an internal network

For two instances in the same region and under the same account:
  • If the two instances belong to the same security group, they can communicate with each other through an internal network by default.
  • If the two instances belong to different security groups, they cannot communicate with each other through an internal network by default. You can add security group rules to both security groups to allow their instances to communicate with each other through an internal network. Security group rule settings vary with network types, as described in the following table.
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Inbound | Allow | Select an applicable protocol. | Specify a port range. | Security group under the current account | The ID of the security group to which the allowed instance belongs. | 1 |
    | Classic network | Internal | Inbound | Allow | Select an applicable protocol. | Specify a port range. | Security group under the current account | The ID of the security group to which the allowed instance belongs. | 1 |
Note For ECS instances in the same VPC, you can add security group rules to allow them to communicate with each other through an internal network. For ECS instances in different VPCs, you can use Cloud Enterprise Network (CEN) to allow them to communicate with each other, regardless of whether the instances belong to the same account or are located within the same region. For more information, see Step 1: Network planning in the CEN documentation.

Scenario 2: Allow instances in the same region but under different accounts to communicate with each other through an internal network

This scenario applies only to ECS instances in classic networks.

For example, User A owns the classic network-type instance Instance A in the China (Hangzhou) region. The instance has the internal IP address A.A.A.A and belongs to the security group Group A.

User B owns the classic network-type instance Instance B in the China (Hangzhou) region. This instance has the internal IP address B.B.B.B and belongs to the security group Group B.

To allow Instance A and Instance B to communicate with each other through the internal network, you must add security group rules in both Group A and Group B.

  • Add the security group rule described in the following table in Group A.
    | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | Internal | Inbound | Allow | Select an applicable protocol. | Specify a port range. | Security group under another account | The ID of security group Group B. Enter the account ID of User B in Account ID. | 1 |
  • Add the security group rule described in the following table to Group B.
    | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | Internal | Inbound | Allow | Select an applicable protocol. | Specify a port range. | Security group under another account | The ID of security group Group A. Enter the account ID of User A in Account ID. | 1 |
    Note For security purposes, when you add an internal inbound security group rule of the classic network type, we recommend that you set Authorization Type to Security Group. If you set Authorization Type to CIDR Block, you can enter only a single CIDR block, for example, a.b.c.d/32. The CIDR block can be set as needed, but the subnet mask must be /32.

Scenario 3: Allow only specified IP addresses access to your instance

To allow only specific IP addresses to connect to your instance, add the security group rule described in one of the following tables to the security group to which your instance belongs.
  • Linux instance
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Inbound | Allow | SSH (22) | 22/22 | CIDR block | The public CIDR block that you allow to connect to your instance. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
    | Classic network | Public | Inbound | Allow | SSH (22) | 22/22 | CIDR block | The public CIDR block that you allow to connect to your instance. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
  • Windows instance
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Inbound | Allow | RDP (3389) | 3389/3389 | CIDR block | The public CIDR block that you allow to connect to your instance. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
    | Classic network | Public | Inbound | Allow | RDP (3389) | 3389/3389 | CIDR block | The public CIDR block that you allow to connect to your instance. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |

Scenario 4: Allow your instance to access only specified public IP addresses

To allow your instance to access only specific IP addresses, add security group rules to the security group to which your instance belongs as follows:
  • Add a deny rule that blocks your instance from accessing any public IP address over any protocol, and make sure that this deny rule has a lower priority (a larger priority value) than the allow rule that permits access to the specified public IP addresses. In this example, the priority of the deny rule is set to 2. The deny rule settings are described in the following table.
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Outbound | Deny | All | -1/-1 | CIDR block | 0.0.0.0/0 | 2 |
    | Classic network | Public | Outbound | Deny | All | -1/-1 | CIDR block | 0.0.0.0/0 | 2 |
  • Add a security group rule to allow your instance to access specified public IP addresses, and ensure that the priority of this allow rule is higher than the priority of the preceding deny group rule. In this example, the priority of the allow rule is set to 1.
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Outbound | Allow | Select an applicable protocol. | Specify a port range. | CIDR block | The public CIDR block that you allow your instance to access. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
    | Classic network | Public | Outbound | Allow | Select an applicable protocol. | Specify a port range. | CIDR block | The public CIDR block that you allow your instance to access. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |

After adding the security group rules, connect to your instance and run the ping or telnet command to check whether the security group rules have taken effect. If your instance can access only the allowed IP addresses, the security group rules have taken effect.
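The priority ordering that Scenario 4 depends on, as an added example that is not part of the original documentation: a small Python model of how CIDR-block rules are evaluated, applied to the two rules above and to the same two rules with their priorities swapped. It assumes that, among the rules matching a flow, the one with the smallest priority value wins and that at equal priority a deny rule beats an allow rule (vendor behaviour assumed here, not stated on this page); the addresses 1.2.3.4 and 203.0.113.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One security group rule with the CIDR block authorization type."""
    direction: str   # "inbound" or "outbound"
    policy: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_range: str  # "low/high" as typed in the console; "-1/-1" means all ports
    cidr: str        # authorization object, e.g. "1.2.3.4/32" or "0.0.0.0/0"
    priority: int    # 1 is the highest priority, 100 the lowest

    def matches(self, direction, protocol, port, ip):
        if self.direction != direction or self.protocol not in ("all", protocol):
            return False
        low, high = (int(x) for x in self.port_range.split("/"))
        if low != -1 and not low <= port <= high:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr, strict=False)

def evaluate(rules, direction, protocol, port, ip, default="deny"):
    """Return "allow" or "deny" for one flow. Assumption (not stated on this
    page): among matching rules the smallest priority value wins and at equal
    priority deny beats allow; `default` applies when no rule matches.
    """
    hits = [r for r in rules if r.matches(direction, protocol, port, ip)]
    if not hits:
        return default
    return min(hits, key=lambda r: (r.priority, r.policy != "deny")).policy

# Scenario 4: deny all outbound traffic at priority 2 and allow HTTPS to one
# constructed example address at priority 1, so the allow rule wins for it.
SCENARIO_4 = [
    Rule("outbound", "deny", "all", "-1/-1", "0.0.0.0/0", 2),
    Rule("outbound", "allow", "tcp", "443/443", "1.2.3.4/32", 1),
]

# The same rules with the priorities swapped: the deny rule now shadows the
# allow rule for every destination, which is the misconfiguration to look for.
SCENARIO_4_MISORDERED = [
    Rule("outbound", "deny", "all", "-1/-1", "0.0.0.0/0", 1),
    Rule("outbound", "allow", "tcp", "443/443", "1.2.3.4/32", 2),
]

if __name__ == "__main__":
    for ip, port in (("1.2.3.4", 443), ("1.2.3.4", 80), ("203.0.113.10", 443)):
        print(ip, port, evaluate(SCENARIO_4, "outbound", "tcp", port, ip),
              evaluate(SCENARIO_4_MISORDERED, "outbound", "tcp", port, ip))
```

Running the block prints, for each destination, the verdict under the correct ordering next to the verdict under the swapped ordering; only the first flow is allowed, and only when the allow rule carries the smaller priority value.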

Scenario 5: Disallow your instance from accessing specified public IP addresses

To disallow your instance from accessing specific public IP addresses, add the security group rule described in the following table to the security group to which your instance belongs.
| Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VPC | Not required | Outbound | Deny | All | -1/-1 | CIDR block | The public CIDR block that you disallow your instance from accessing. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
| Classic network | Public | Outbound | Deny | All | -1/-1 | CIDR block | The public CIDR block that you disallow your instance from accessing. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |

Scenario 6: Allow public network access to your instance

To allow public network access to your instance, add the security group rule described in the following table.
| Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VPC | Not required | Inbound | Allow | Windows: RDP (3389); Linux: SSH (22); Custom TCP | 3389/3389; 22/22; a port range such as 8080/8080 | CIDR block | To allow all public IP addresses to connect to your instance, enter 0.0.0.0/0. To allow only specified public IP addresses to connect to your instance, follow the instructions in "Scenario 3: Allow only specified IP addresses access to your instance." | 1 |
| Classic network | Public | Inbound | Allow | Windows: RDP (3389); Linux: SSH (22); Custom TCP | 3389/3389; 22/22; a port range such as 8080/8080 | CIDR block | To allow all public IP addresses to connect to your instance, enter 0.0.0.0/0. To allow only specified public IP addresses to connect to your instance, follow the instructions in "Scenario 3: Allow only specified IP addresses access to your instance." | 1 |

For information about how to customize ports for remote access, see Modify the default remote access port.

Scenario 7: Allow an ECS instance that resides in a security group belonging to another account in the same internal network to connect to your ECS instance

If an ECS instance under another account is in the same region and the same internal network as your ECS instance, and you want to allow that instance to connect to yours, use one of the following options:
  • To allow an internal IP address of an ECS instance in a security group under another account to connect to your instance, add the security group rule described in the following table. For ECS instances in VPCs, ensure that the instances under the two accounts can communicate with each other through Cloud Enterprise Network (CEN) before you add the security group rule. For more information, see CEN document Step 1: Network planning.
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Inbound | Allow | Windows: RDP (3389); Linux: SSH (22); Custom TCP | 3389/3389; 22/22; a port range such as 8080/8080 | CIDR block | The private IP address of the peer instance. | 1 |
    | Classic network | Internal | Inbound | Allow | Windows: RDP (3389); Linux: SSH (22); Custom TCP | 3389/3389; 22/22; a port range such as 8080/8080 | CIDR block | An internal IP address of the peer instance. For security purposes, only a single CIDR block can be entered, such as a.b.c.d/32. | 1 |
  • To allow all ECS instances in a security group under another account to connect to your instance, add the security group rule described in the following table. For ECS instances in VPCs, ensure that the instances under the two accounts can communicate with each other through Cloud Enterprise Network (CEN) before you add the security group rule. For more information, see CEN document Step 1: Network planning.
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Inbound | Allow | Windows: RDP (3389); Linux: SSH (22); Custom TCP | 3389/3389; 22/22; a port range such as 8080/8080 | Security group under another account | The ID of the security group to which the peer instance belongs. Enter the ID of the peer account in Account ID. | 1 |
    | Classic network | Internal | Inbound | Allow | Windows: RDP (3389); Linux: SSH (22); Custom TCP | 3389/3389; 22/22; a port range such as 8080/8080 | Security group under another account | The ID of the security group to which the peer instance belongs. Enter the ID of the peer account in Account ID. | 1 |

Scenario 8: Allow public network access to your ECS instance over HTTP or HTTPS

If you host a website on your ECS instance, you can add a security group rule to allow users to access the website over HTTP or HTTPS.
  • To allow all public IP addresses to access your website, add the security group rule described in the following table.
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Inbound | Allow | HTTP (80); HTTPS (443); Custom TCP | 80/80; 443/443; a port range such as 8080/8080 | CIDR block | 0.0.0.0/0 | 1 |
    | Classic network | Public | Inbound | Allow | HTTP (80); HTTPS (443); Custom TCP | 80/80; 443/443; a port range such as 8080/8080 | CIDR block | 0.0.0.0/0 | 1 |
  • To allow specified public IP addresses to access your website, add the security group rule described in the following table.
    | Network type | NIC type | Rule direction | Authorization policy | Protocol | Port range | Authorization type | Authorization object | Priority |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | VPC | Not required | Inbound | Allow | HTTP (80); HTTPS (443); Custom TCP | 80/80; 443/443; a port range such as 8080/8080 | CIDR block | One or more public IP addresses that are allowed to access your website. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
    | Classic network | Public | Inbound | Allow | HTTP (80); HTTPS (443); Custom TCP | 80/80; 443/443; a port range such as 8080/8080 | CIDR block | One or more public IP addresses that are allowed to access your website. Example: 1.2.3.4/32 or 10.0.0.0/8. | 1 |
Note
  • If you cannot access your instance by using http://<public IP address>, check whether TCP port 80 is working properly.
  • Port 80 is the default HTTP port. To use another port (for example, port 8080) for HTTP, you must modify the listening port settings in the configuration file of the web server.