What is a security group?

A security group is a virtual firewall that implements access control for one or more ECS instances. Security groups logically isolate security domains in the cloud.

Each ECS instance must belong to at least one security group. When you create an ECS instance, you must specify a security group for it. Security groups are classified into basic and advanced security groups. For more information, see Overview.

Why do I need to select a security group when I create an ECS instance?

When you create ECS instances, you must select security groups to divide your application environment into security domains and configure security group rules to implement proper network isolation.

If you create an ECS instance within a region in which you have not created any security groups, the instance is assigned to the default security group. We recommend that you create a security group and then move the instance from the default security group to the security group you created.

What can I do if I create an ECS instance before I create a security group?

If you have not created any security groups before you create an ECS instance, you can select the default security group. The default security group allows traffic on common ports such as TCP port 22 and port 3389.

When I attempt to add an instance to a security group, I am prompted that the maximum number of rules has been reached. Why?

You can use the following formula to calculate the maximum number of security group rules that can be associated with an ECS instance (primary ENI): Maximum number of security groups to which the instance can be added × Maximum number of rules in each security group.

If you are prompted with the message Failed to join the security group. The number of security group rules that have acted on the instance has reached the upper limit, the maximum number of security group rules applied to the instance has been reached. We recommend that you select another security group.

If I adjust the maximum number of security groups to which a VPC-type ECS instance can be added, does this adjustment take effect only on the security groups created after the number is adjusted?

No, the adjustment takes effect on all security groups of the VPC-type ECS instance regardless of when the security groups are created.

In what scenarios are the default security group rules used?

The default security group rules are used in the following scenarios:

  • If you have not created a security group when you create an ECS instance in a region for the first time in the ECS console, you can select the default security group created by the system. The default security group is a basic security group. The default security group uses the default security rules. The default security rules are inbound rules that have a priority of 100 and grant access to all CIDR blocks (0.0.0.0/0). These rules allow inbound ICMP traffic on all ports and inbound TCP traffic on SSH port 22 and RDP port 3389. You can also choose to allow inbound traffic over HTTP port 80 and HTTPS port 443. All outbound traffic is allowed.
  • When you create a security group in the ECS console, the system creates default security group rules in the security group. These rules are inbound rules that grant access to all CIDR blocks (0.0.0.0/0). These rules allow inbound ICMP traffic on all ports, and inbound TCP traffic on SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443.

In what scenarios do I need to add security group rules?

In the following scenarios, you must add security group rules to ensure that your ECS instance can be accessed:

  • The security group to which your ECS instance belongs does not have any custom or default security group rules added. Your ECS instance needs to access the Internet or another ECS instance in a different security group within the same region.
  • The application deployed on your ECS instance uses a specified port or port range instead of the default port. In this case, you must allow the specified port or port range before you can check whether the application is connected. For example, assume that you have deployed an NGINX service and need to set TCP port 8000 as the listening port but only port 80 is allowed in your security group. In this case, you must add a security rule to ensure that the NGINX service is accessible.
  • For other scenarios, see Scenarios for security groups.

Why am I unable to access TCP port 25?

TCP port 25 is the default email service port. For security reasons, TCP port 25 is disabled for ECS instances by default. We recommend that you use port 465 to send emails. For more application scenarios, see Scenarios.

Why am I unable to access TCP port 80?

If you are unable to access TCP port 80, solve the problem by following the instructions in Check whether TCP port 80 is working properly.

Why have several internal security group rules been automatically added to my security group?

Rules may be automatically added to your security group in one of the following situations:

  • You have accessed Data Management.
  • You have migrated data by using Alibaba Cloud Data Transmission Service (DTS). The rules associated with the IP addresses of DTS servers are automatically added to your security group.

What happens if a security group rule is configured incorrectly?

If a security group rule is configured incorrectly, the ECS instances associated with this rule are unable to communicate with other devices over the internal network or the Internet.
  • Linux ECS instances cannot be connected to by using SSH, and Windows ECS instances cannot be connected to by using the Remote Desktop Protocol (RDP).
  • The public IP addresses of ECS instances cannot be pinged.
  • The web services provided by the ECS instances cannot be accessed over HTTP or HTTPS.
  • ECS instances associated with this rule cannot communicate with other ECS instances over the internal network.

Are the inbound and outbound rules in a security group counted separately?

No, the inbound and outbound rules in a security group are counted together. The total number of inbound and outbound rules in each security group cannot exceed 200. For more information, see Limits.

Can I adjust the maximum number of rules that can be added to a security group?

No, you cannot adjust the maximum number of rules that can be added to a security group. Each security group can contain a maximum of 200 security group rules. Each ENI of an ECS instance can be added to up to five security groups. This allows each ENI of an ECS instance to be associated with up to 1,000 security group rules.

If the maximum number of rules in each security group has been reached but you want to add more security group rules, perform the following steps:
  1. Check whether redundant rules exist. You can also submit a ticket to ask Alibaba Cloud technical support personnel to check for you.
  2. If redundant rules exist, delete them. If no redundant rules exist, create more security groups.

If you have activated Cloud Firewall, you can configure access control policies on VPC firewalls to control traffic between VPCs. This way, fewer ECS security group rules are required. For more information about how to configure access control policies on VPC firewalls, see Access control on VPC firewalls.

What can I do if I receive a notification that my website has been blocked due to illegal activities and must be rectified?

You can check the records of harmful Internet information to view domain names or URLs that contain harmful information, penalty actions, reasons, and duration. When you are sure that the harmful information from your domain name or URL has been cleared or does not exist, you can apply to unblock the domain name or URL. For more information, see Harmful Internet information.

What can I do if I receive a notification that my website has been penalized for committing external attacks?

You can check the penalty records to view the details about penalty actions, reasons, and duration. If you do not agree with the penalty, provide your feedback and file an appeal. After Alibaba Cloud receives your feedback on the penalty, Alibaba Cloud checks the penalty and determines whether the penalty is appropriate and whether to uphold or rescind the penalty. For more information, see View the penalty list.

How can I view the resource quota?

For more information about how to view the limits and quotas of resources, see Limits.