This topic describes how to use prefix lists to simplify management of security group rules.

Background information

A prefix list is a set of one or more network prefixes (CIDR blocks). You can reference prefix lists to configure security group rules. When entries in a prefix list are modified, all security group rules that reference this prefix list are also updated. You can put frequently-used IP addresses in a prefix list and reference the prefix list in security group rules instead of referencing the IP addresses individually. This way, you can consolidate security group rules that share the same attributes except for the authorization object into a single rule that uses a prefix list as the authorization object, and reduce the burdens of managing security group rules. For more information about prefix lists, see Overview.

Use scenarios

Assume that you have planned multiple security domains for your resources in the cloud to ensure resource security. Each security domain corresponds to a security group. A public resource such as an office network off the cloud requires access to your resources in multiple security domains. This public resource has multiple variable CIDR blocks.

If you do not use the prefix list feature, you must configure multiple rules that reference the CIDR blocks of the public resource as authorization objects in multiple security groups to allow access from the public resource. The configured security group rules must share the same attributes except for the authorization object. If the CIDR blocks of the public resource change, you must modify the corresponding rules of security groups in multiple security domains. The greater the number of security groups and CIDR blocks, the more difficult to manage the security group rules.

If you use the prefix list feature, you can create a prefix list from the CIDR blocks of the public resource and configure a rule that references the prefix list as the authorization object in multiple security groups to allow access from the public resource. If the CIDR blocks of the public resource change, you need only to modify the corresponding entries in the prefix list, and the associated security group rules are also updated. This eliminates the need to modify the security group rules one by one and simplifies management of security group rules.

If you have resources in multiple Alibaba Cloud regions, you can use the clone feature to clone prefix lists across regions.

Procedure

This section describes how to add or modify security group rules by using a prefix list to deny or allow access from specific IP addresses. In the examples, two IP addresses are used.
Note If you are using a RAM user, grant permissions on prefix lists to the user. For more information, see Grant RAM users permissions on prefix lists.
  1. Log on to the ECS console.
  2. Create a prefix list.
    1. In the left-side navigation pane, choose Network & Security > Prefix List.
    2. In the top navigation bar, select a region.
    3. Click Create Prefix List.
    4. In the Create Prefix List dialog box, configure parameters and click Create.
      In this example, two IPv4 entries are added. Examples values of parameters in the Create Prefix List dialog box:
      • Name: RemoteLogon
      • Description: Allow access from the CIDR blocks in the prefix list to Elastic Compute Service (ECS) instances in a security group.
      • Address Family: IPv4
      • Max Entries: 2
        Note The rule quotas of resources (such as security groups) that are associated with a prefix list are calculated based on the maximum number of entries in the prefix list, instead of the actual number of entries. Set a proper value for Max Entries.
      • Entries: Click Add Entries and enter 192.168.1.0/24 for an entry. Click Add Entries again and enter 192.168.2.0/24 for another entry.
        Each of preceding CIDR blocks is a set of consecutive IP addresses.
        • 192.168.1.0/24: 192.168.1.0 to 192.168.1.255.
        • 192.168.2.0/24: 192.168.2.0 to 192.168.2.255.
  3. Add security group rules that reference the prefix list.
    Repeat the following steps to add a rule that references the RemoteLogon prefix list to allow access to remote connection ports in multiple security groups:
    1. In the left-side navigation pane, choose Network & Security > Security Groups.
    2. Find the security group to which you want to add a rule and click Add Rules in the Actions column.
    3. On the Inbound tab, click Add Rule.
      Note In this example, a security group of the Virtual Private Cloud (VPC) type is used. For a security group of the classic network type, select a tab based on whether the CIDR blocks are public ones.
    4. Configure parameters to add a rule and click Save.
      In this example, a rule is added to allow SSH access and Remote Desktop Protocol (RDP) access to the ECS instances in the security group. Example values of parameters in the rule entry:
      • Action: Allow
      • Priority: 1
      • Protocol Type: Custom TCP
      • Port Range: SSH (22) and RDP (3389)
      • Authorization Object: the RemoteLogon prefix list
      After the rule is added, the CIDR blocks contained in the RemoteLogon prefix list are allowed to connect to the instances within the security group.
  4. Modify the entries in the prefix list.
    After the rules are added to security groups, if you want to deny access from specific IP addresses contained in the RemoteLogon prefix list, modify the corresponding entries in the prefix list, instead of modifying the security group rules one by one. For example, assume that you use the instances whose private IP addresses are 192.168.1.1 and 192.168.2.1 as jump servers and you want to allow access to the security groups only from the jump servers. Perform the following steps to modify the entries in the prefix list:
    1. In the left-side navigation pane, choose Network & Security > Prefix List.
    2. Find the RemoteLogon prefix list and click View Details in the Actions column.
    3. Click the Entries tab.
    4. Click Modify in the Actions column corresponding to one entry.
    5. Change the CIDR block and click Save.
      Repeat the preceding steps to modify the other entry. The CIDR block in one entry is changed to 192.168.1.1/32, and the CIDR block in the other entry is changed to 192.168.2.1/32.
      After the entries are modified, the modifications immediately take effect. The security group rules that use the RemoteLogon prefix list are updated to allow access only from 192.168.1.1/32 and 192.168.2.1/32.

More use scenarios

This section compares the numbers of operations required for security group rules that reference individual IP addresses and for security group rules that reference prefix lists to show the advantages of prefix lists in improving efficiency. Assume that you have 50 security groups. The following table describes the numbers of operations required in different scenarios when a prefix list is used and when a prefix list is not used.
Scenario Security group rule that references an individual IP address Security group rule that references a prefix list
Deny access from five IP addresses If you remove five allow rules that reference five IP addresses one by one from each of the 50 security groups, 250 remove operations are required. Event if you batch remove the five allow rules from each security group, 50 remove operations are still required. If you remove five entries that contain five IP addresses one by one from the prefix list, five remove operations are required. If you batch remove the five entries from the prefix list, only a single remove operation is required.
Modify rules or entries to allow access from five IP addresses If you modify five rules in each of the 50 security groups to allow access from five IP addresses, 250 modify operations are required. If you modify five entries to include five IP addresses in the prefix list, five modify operations are required.
Add rules or entries to allow access from five IP addresses If you add five rules in each of the 50 security groups to allow access from five IP addresses. In this case, 250 add operations are required. Event if you add a single rule that references five IP addresses to each security group, and 50 add operations are still required. If you add five entries that include five IP addresses to the prefix list, five add operations are required. If you add a single entry that includes the five IP addresses to the prefix list, only a single add operation is required.
Modify rules or entries to allow access from five IP addresses, and add rules or entries to access from another five IP addresses If you modify five rules in each of the 50 security groups to allow access from five IP addresses and then add five rules to each security group to allow access from another five IP addresses, a total of 500 operations are required. Even if you modify five rules that reference five IP addresses and add a single rule that references another five IP addresses in each security group, a total of 300 operations are still required. If you modify five entries to include five IP addresses and add five entries to include the other five IP addresses in the prefix list, a total of 10 operations are required. If you modify five entries and add a single entry that includes another five IP addresses in the prefix list, a total of six operations are required.