The rules of a security group control the inbound or outbound traffic to or from the instances within the security group.

Attributes of security group rules

To add or modify a security group rule, you must configure the attributes described below.

Direction: The direction of the rule. The network types of security groups affect rule directions.
  • In a security group of the Virtual Private Cloud (VPC) type, rules are classified as inbound or outbound and each rule controls access to or from both the Internet and internal network.
  • In a security group of the classic network type, rules are classified as public inbound (Internet ingress), public outbound (Internet egress), internal inbound (inbound), or internal outbound (outbound). Public inbound and outbound rules control access to and from the Internet. Internal inbound and outbound rules control access to and from the internal network.
Access requests are matched against inbound and outbound rules based on different attributes.
  • Inbound access requests are matched against inbound rules based on the transport layer protocols, destination port numbers, and source IP addresses. An inbound rule matches an inbound access request when they have the same transport layer protocol, destination port number, and source IP address.
  • Outbound access requests are matched against outbound rules based on the transport layer protocols, destination port numbers, and destination IP addresses. An outbound rule matches an outbound access request when they have the same transport layer protocol, destination port number, and destination IP address.
Note By default, security group rules created in the Elastic Compute Service (ECS) console use 3-tuples. To implement finer-grained access control, you can call API operations to create rules to allow or deny access based on 5-tuples: source IP address, source port number, destination IP address, destination port number, and transport layer protocol. For more information, see Security group quintuple rules.
Action: The action of the rule. You can set the action to Allow or Forbid. If two security group rules differ only in their action, the Forbid rule takes effect and the traffic is denied.
Priority: The priority of the rule. The priority can range from 1 to 100. A smaller value indicates a higher priority.
Protocol type: The transport layer protocol. TCP, User Datagram Protocol (UDP), Internet Control Message Protocol version 4 (ICMPv4), ICMP version 6 (ICMPv6), and Generic Routing Encapsulation (GRE) are supported.
Port range: The range of destination ports for inbound or outbound traffic. You can specify a single port number or a range of port numbers. For information about the default ports used by typical applications, see Common ports used by applications.
Authorization object: The source for inbound traffic or the destination for outbound traffic. You can specify the following objects as authorization objects:
  • A single IP address. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:.
  • A CIDR block. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128.
  • Another security group. A rule that includes another security group as the authorization object controls mutual access between the instances within that security group and the instances within the current security group over the internal network. You can specify a different security group within the current or another Alibaba Cloud account.
    Note Security groups can be specified as authorization objects only in rules of basic security groups.
  • The ID of a prefix list. A prefix list is a set of one or more CIDR blocks. If a prefix list is specified as the authorization object in a security group rule, the rule is applied to all the CIDR blocks included in the prefix list. Example: 192.168.0.0/24,172.16.0.0/16.

Procedure to filter access requests based on security group rules

If an instance is assigned to multiple security groups, the rules of all the security groups are applied to the instance. When an access request is detected, the request is matched against applied security group rules one by one. If multiple rules match the request based on their protocols, port ranges, and authorization objects, the request is further matched against the priorities and actions of these rules to determine a single rule to apply. A session is not established until an Allow rule is matched and applied.

You can add or modify rules of a security group. New or modified rules are automatically applied to the instances within the security group.

The following figure shows an example of how the rules of a basic security group control access from an on-premises server to an instance within the security group.
[Figure: inbound]
The following figure shows an example of how the rules of a basic security group control access from an instance within the security group to an on-premises server.
[Figure: outbound]

Example security group rules

To use a Secure Shell (SSH) key pair to connect to a Linux instance, make sure that the security group of the instance contains a rule to allow inbound SSH access to the required port. The following table describes an example rule that allows inbound SSH access from all IP addresses to port 22 in a security group of the VPC type.
Direction: Inbound
Action: Allow
Priority: 1
Protocol type: Custom TCP
Port range: Destination: 22/22
Authorization object: Source: 0.0.0.0/0
Note 0.0.0.0/0 indicates all IP addresses. For security purposes, we recommend that you specify only the IP addresses that need access as authorization objects, following the principle of least privilege.
By default, basic security groups allow all outbound access. If you want to use a basic security group as a whitelist, you can add a rule to deny all outbound access and then add higher-priority Allow rules for the traffic you need. The following table describes an example rule that denies all outbound access in a security group of the VPC type.
Direction: Outbound
Action: Forbid
Priority: 100
Protocol type: All
Port range: Destination: -1/-1
Authorization object: Destination: 0.0.0.0/0
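The matching procedure described above and the two example rules, as an added Python model that is not part of the original documentation or the ECS API: it implements 3-tuple matching, the priority and action tie-break (Forbid wins at equal priority), and the default-allow outbound behaviour of a basic security group. The HTTPS allow rule and the same-priority Forbid rule are constructed for illustration, and the Rule class and function names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    action: str      # "Allow" or "Forbid"
    priority: int    # 1 (highest) to 100 (lowest)
    protocol: str    # "tcp", "udp", "icmp", "gre" or "all"
    ports: tuple     # (low, high) destination ports; (-1, -1) means all ports
    cidr: str        # authorization object: source (inbound) or destination (outbound)

def rule_matches(rule, direction, protocol, port, peer_ip):
    """3-tuple match: transport protocol, destination port, source/destination IP."""
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    low, high = rule.ports
    if (low, high) != (-1, -1) and not low <= port <= high:
        return False
    # An IPv4 address is never inside an IPv6 block (and vice versa); no exception is raised.
    return ip_address(peer_ip) in ip_network(rule.cidr, strict=False)

def winning_rule(rules, direction, protocol, port, peer_ip):
    """Pick one rule among all matches: lowest priority value wins, Forbid beats Allow on a tie."""
    matched = [r for r in rules if rule_matches(r, direction, protocol, port, peer_ip)]
    if not matched:
        return None
    return min(matched, key=lambda r: (r.priority, 0 if r.action == "Forbid" else 1))

def is_allowed(rules, direction, protocol, port, peer_ip, default_allow=False):
    """default_allow models what happens when no rule matches: False for inbound
    (no session without an Allow rule), True for outbound in a basic security
    group, which allows all outbound access by default."""
    rule = winning_rule(rules, direction, protocol, port, peer_ip)
    return default_allow if rule is None else rule.action == "Allow"

# The two example rules from the page, plus constructed rules for illustration.
SSH_ALLOW = Rule("inbound", "Allow", 1, "tcp", (22, 22), "0.0.0.0/0")
DENY_ALL_OUT = Rule("outbound", "Forbid", 100, "all", (-1, -1), "0.0.0.0/0")
HTTPS_OUT = Rule("outbound", "Allow", 1, "tcp", (443, 443), "0.0.0.0/0")           # constructed
SSH_FORBID_SAME_PRIO = Rule("inbound", "Forbid", 1, "tcp", (22, 22), "0.0.0.0/0")  # constructed

INBOUND = [SSH_ALLOW]
WHITELIST_OUTBOUND = [DENY_ALL_OUT, HTTPS_OUT]   # deny-all plus a higher-priority Allow

if __name__ == "__main__":
    print(is_allowed(INBOUND, "inbound", "tcp", 22, "198.51.100.7"))   # True: SSH rule matches
    print(is_allowed(INBOUND, "inbound", "tcp", 80, "198.51.100.7"))   # False: no rule, no session
    print(is_allowed(WHITELIST_OUTBOUND, "outbound", "tcp", 443, "203.0.113.10", default_allow=True))  # True
    print(is_allowed(WHITELIST_OUTBOUND, "outbound", "tcp", 25, "203.0.113.10", default_allow=True))   # False
    print(is_allowed(INBOUND + [SSH_FORBID_SAME_PRIO], "inbound", "tcp", 22, "198.51.100.7"))  # False: tie, Forbid wins
```

Peer addresses in the usage lines are documentation-range values chosen for the example; an instance in several security groups is modelled by concatenating the rule lists, as the procedure above describes.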

For information about more example security group rules, see Scenarios for security groups.