edit-icon download-icon

Access control

Last Updated: Oct 30, 2017

Currently, the Virtual Private Cloud (VPC) in Alibaba Cloud does not comes with a dedicated resource access management policy. Resource access management in the VPC relies on the access control capabilities of each cloud product. For example, resource access management for ECS is implemented using security groups, and that for SLB and RDS is implemented using whitelists.

ECS security group

A security group is a virtual firewall that provides the stateful packet inspection feature. Security groups are used to set network access control for one or more ECSs. An important means of security isolation, security groups are used to divide security domains on the cloud.

You can use the default security group rules provided by the system to a VPC-type ECS instance. You can change the rules in the default security group but you cannot delete the default security group.

  • Default security group 1: All outbound access is allowed. Inbound access is allowed from all ICMP ports and TCP ports 22, 3389, 80, and 443.

    When you create an ECS instance using a non-default VPC and VSwitch, you can select this default security group rule.

  • Default security group 2: All outbound access is allowed. Inbound access is allowed from all ICMP ports and TCP ports 22 and 3389.

    When you create an ECS instance using a default VPC and VSwitch, you can select this default security group rule.

For more security group configurations, see Security groups.

RDS whitelist

Using the whitelist feature of ApsaraDB for RDS, you can customize IP addresses that are allowed to access the RDS. All access from unspecified IP addresses are denied. When you use the RDS products in a VPC, add the IP address of the ECS to the whitelist for the required RDS so that the ECS can visit the RDS instance.

For more configuration on ApsaraDB for RDS whitelist, see Set whitelist.

SLB whitelist

You can configure the Server Load Balancer (SLB) listener to be only accessible by certain IP address. This configuration applies to scenarios where the application only allows access from certain IP addresses.

SLB is a traffic distribution control service that distributes access traffic to multiple backend ECSs based on forwarding policies. Access is usually available to Internet or intranet users. When the service is available only to specified users, or when only intranet access is available, the whitelist feature can perform effective resource access management on the service. To configure the whitelist, add the user’s IP addresses or the cloud service IP addresses inside the VPC to be accessed over SLB to the access management whitelist of SLB.

For more SLB whitelist configurations, see Set whitelist access control.

Thank you! We've received your feedback.