
Use security groups to control ECS instances' access to public cloud for a VPC

Last Updated: Nov 21, 2017

A security group is a virtual firewall that is used to control the ECS outbound and inbound traffic. Within the same VPC, ECS instances in the same security group can communicate with one another over the intranet. For more information, see Security.

Security groups auto-created by system

When you create a VPC-type ECS instance, you can use the default security group rules provided by the system, or you can select other security groups already available in the VPC.

| Security group | Protocol | Port range | Description |
| --- | --- | --- | --- |
| Default security group | ICMP | 22 and 3389 | Port 22 is for Linux SSH logon. Port 3389 is for Windows remote desktop. |

You can also choose to authorize inbound access from HTTP port 80 and HTTPS port 443.

Use cases

Case 1: Provide services over the Internet.

If you set up a website on an ECS instance of a VPC, you can access the public network using an EIP or NAT gateway to provide HTTP or HTTPS services. You can add the security group rules shown in the following table based on the service deployed.

| Security group rules | Rule direction | Authorization policy | Protocol type | Port range | Authorization type | Authorization object | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Allow inbound access from HTTP port 8080 | Inbound | Allow | TCP | 8080/8080 | Address segment access | 0.0.0.0/0 | 1 |
| Allow inbound access from HTTP port 80 | Inbound | Allow | HTTP | 80/80 | Address segment access | 0.0.0.0/0 | 1 |
| Allow inbound access from HTTPS port 443 | Inbound | Allow | TCP | 443/443 | Address segment access | 0.0.0.0/0 | 1 |

Case 2: Allow remote access to ECS instances of the VPC.

If you configure a public IP such as a NAT gateway and EIP for ECS instances in the VPC, you can add the security group rules shown in the following table for Windows remote logon or Linux SSH logon as appropriate.

| Security group rules | Rule direction | Authorization policy | Protocol type | Port range | Authorization type | Authorization object | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Allow Windows remote logon | Inbound | Allow | RDP | 3389/3389 | Address segment access | Enter 0.0.0.0/0 if logon from any public IP is allowed. Enter the specific IP address if only remote logon from that IP is allowed. | 1 |
| Allow Linux SSH logon | Inbound | Allow | SSH | 22/22 | Address segment access | Enter 0.0.0.0/0 if logon from any public IP is allowed. Enter the specific IP address if only remote logon from that IP is allowed. | 1 |
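The two rule tables above (Case 1 for public web services, Case 2 for remote logon) can be checked before they are applied by modelling how a security group evaluates inbound traffic. The following Python script is an added example written for this page, not Alibaba Cloud's own code or API: it encodes both rule sets with the same columns as the tables, evaluates constructed sample connections against them, and flags any rule that exposes SSH (22) or RDP (3389) to 0.0.0.0/0. The console's HTTP/HTTPS/SSH/RDP protocol shortcuts are modelled as TCP on the fixed port, the sample client addresses (198.51.100.7, 203.0.113.10) are constructed documentation addresses, and the tie-break (a drop rule beats an allow rule of equal priority) is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One security group rule, using the same columns as the tables above."""
    name: str          # "Security group rules" column
    direction: str     # "inbound" or "outbound"
    policy: str        # "allow" or "drop"
    protocol: str      # "tcp", "udp", "icmp" or "all"; the console's HTTP/HTTPS/
                       # SSH/RDP shortcuts are modelled here as tcp (assumption)
    port_range: str    # "80/80", "22/22"; "-1/-1" means every port
    cidr: str          # authorization object, e.g. "0.0.0.0/0" or "203.0.113.10/32"
    priority: int      # 1 is the highest priority, 100 the lowest


def public_web_rules() -> List[Rule]:
    """Case 1: rules for an instance serving HTTP/HTTPS through an EIP or NAT gateway."""
    return [
        Rule("Allow inbound access from HTTP port 8080", "inbound", "allow", "tcp", "8080/8080", "0.0.0.0/0", 1),
        Rule("Allow inbound access from HTTP port 80", "inbound", "allow", "tcp", "80/80", "0.0.0.0/0", 1),
        Rule("Allow inbound access from HTTPS port 443", "inbound", "allow", "tcp", "443/443", "0.0.0.0/0", 1),
    ]


def remote_access_rules(admin_cidr: str) -> List[Rule]:
    """Case 2: RDP and SSH rules; admin_cidr is 0.0.0.0/0 or a specific address."""
    return [
        Rule("Allow Windows remote logon", "inbound", "allow", "tcp", "3389/3389", admin_cidr, 1),
        Rule("Allow Linux SSH logon", "inbound", "allow", "tcp", "22/22", admin_cidr, 1),
    ]


def parse_port_range(port_range: str) -> Tuple[int, int]:
    lo, hi = port_range.split("/")
    return int(lo), int(hi)


def rule_matches(rule: Rule, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
    """True when the rule's direction, protocol, port range and CIDR all cover the packet."""
    if rule.direction != direction:
        return False
    if rule.protocol not in ("all", protocol):
        return False
    lo, hi = parse_port_range(rule.port_range)
    if lo != -1 and not (lo <= port <= hi):
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)


def evaluate(rules: List[Rule], direction: str, protocol: str, port: int, peer_ip: str) -> Tuple[bool, str]:
    """Return (allowed, name of the deciding rule).

    Lower priority numbers are evaluated first; for equal priority a drop rule is
    placed before an allow rule (model assumption). Traffic no rule covers is denied.
    """
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    for rule in ordered:
        if rule_matches(rule, direction, protocol, port, peer_ip):
            return rule.policy == "allow", rule.name
    return False, "implicit deny (no matching rule)"


def wide_open_admin_rules(rules: List[Rule]) -> List[str]:
    """Names of inbound allow rules that expose SSH (22) or RDP (3389) to 0.0.0.0/0."""
    admin_ports = (22, 3389)
    found = []
    for r in rules:
        if r.direction != "inbound" or r.policy != "allow":
            continue
        lo, hi = parse_port_range(r.port_range)
        covers_admin_port = lo == -1 or any(lo <= p <= hi for p in admin_ports)
        if covers_admin_port and ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0:
            found.append(r.name)
    return found


if __name__ == "__main__":
    # Constructed sample traffic: an anonymous visitor and one administrator address.
    visitor, admin = "198.51.100.7", "203.0.113.10"
    rules = public_web_rules() + remote_access_rules(admin + "/32")
    print(evaluate(rules, "inbound", "tcp", 443, visitor))   # allowed by the HTTPS rule
    print(evaluate(rules, "inbound", "tcp", 22, visitor))    # implicit deny
    print(evaluate(rules, "inbound", "tcp", 22, admin))      # allowed by the SSH rule
    print(wide_open_admin_rules(remote_access_rules("0.0.0.0/0")))  # both logon rules flagged
```

Running the script with the Case 2 rules restricted to a single administrator address shows the visitor reaching ports 80/443 but not 22, while the same rules with 0.0.0.0/0 as the authorization object are reported by `wide_open_admin_rules`, which is the check worth running on any rule set before it is attached to instances that carry an EIP or sit behind a NAT gateway.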
