This topic describes how to authorize internal network communication between ECS instances that are in the same region but belong to different accounts.

Prerequisites

Alibaba Cloud CLI is used to call the ECS API. Make sure that you have installed and configured Alibaba Cloud CLI. For more information, see Install CLI and Configure CLI.

Background information

You can authorize internal network communication in one of the following modes:
  • Authorize internal network communication between ECS instances: You can authorize internal communication between two ECS instances that belong to the same account.
  • Authorize internal network communication between accounts: You can authorize internal network communication between ECS instances that belong to two different accounts across two different security groups that are in the same region, including those purchased after authorization is completed.
    Note To enable internal network communication between different accounts, you need to authorize communication between security groups in each account. These ECS instances can then communicate over the internal network. Modifying the configurations of a security group will affect all instances in the security group as well as the services running on these instances. Use caution when performing this operation.
Security groups are virtual firewalls for ECS instances. Security groups do not provide communication and networking capabilities. After you authorize internal network communication between instances that belong to different security groups, ensure that the instances can establish internal network connection.
  • If all instances are of the classic network type, they must be in the same region to communicate with each other.
  • VPCs are isolated by default. If all instances are of the VPC type, these instances cannot communicate with each other. We recommend that you allow ECS instances to communicate over a public network or through Express Connect, VPN Gateway, or Cloud Enterprise Network (CEN). For more information, see Express Connect, VPN Gateway, and CEN.
  • If instances are of different network types, establish a ClassicLink connection to allow communication between these instances. For more information, see Connect a classic network to a VPC.
  • If instances are in different regions, we recommend that you allow ECS instances to communicate over a public network or through Express Connect, VPN Gateway, or CEN. For more information, see Express Connect, VPN Gateway, and CEN.

Authorize internal network communication between ECS instances

  1. Query internal IP addresses and security group IDs of the two ECS instances.
    You can use the console or call the DescribeInstances operation to obtain security group IDs of the instances. The following table lists the information of the two ECS instances.
    Instance IP address Security group Security group ID
    Instance A 10.0.0.1 sg1 sg-bp1azkttqpldxgtedXXX
    Instance B 10.0.0.2 sg2 sg-bp15ed6xe1yxeycg7XXX
  2. Add a rule to sg1 to allow inbound traffic from 10.0.0.2.
    aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgtedXXX --RegionId cn-qingdao --IpProtocol all  --PortRange=-1/-1. --SourceCidrIp 10.0.0.2 --NicType intranet
  3. Add a rule to sg2 to allow inbound traffic from 10.0.0.1.
    aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg7XXX --RegionId cn-qingdao --IpProtocol all  --PortRange=-1/-1. --SourceCidrIp 10.0.0.1 --NicType intranet
    Note
    • In the preceding commands, the region ID cn-qingdao is for reference only. Replace it with your actual region ID.
    • In the preceding commands, the AuthorizeSecurityGroup operation is called to add inbound rules to security groups. Specify the SecurityGroupId and SourceCidrIp parameters.
  4. After a few minutes, run the ping command to check whether the two ECS instances can communicate with each other over the internal network.

Authorize internal network communication between accounts

  1. Query names and security group IDs of the two accounts.
    You can use the console or call the DescribeInstances operation to obtain security group IDs of the ECS instances. The following table lists the information of two accounts.
    Account Account ID Security group Security group ID
    Account A a@aliyun.com sg1 sg-bp1azkttqpldxgtedXXX
    Account B b@aliyun.com sg2 sg-bp15ed6xe1yxeycg7XXX
  2. Add a rule to sg1 to allow inbound traffic from sg2.
    aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgtedXXX --RegionId cn-qingdao --IpProtocol all  --PortRange=-1/-1. --SourceGroupId sg-bp15ed6xe1yxeycg7XXX --SourceGroupOwnerAccount b@aliyun.com --NicType intranet
  3. Add a rule to sg2 to allow inbound traffic from sg1.
    aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg7XXX --RegionId cn-qingdao --IpProtocol all  --PortRange=-1/-1. --SourceGroupId sg-bp1azkttqpldxgtedXXX --SourceGroupOwnerAccount a@aliyun.com --NicType intranet
    Note
    • In the preceding commands, the region ID cn-qingdao is for reference only. Replace it with your actual region ID.
    • In the preceding commands, the AuthorizeSecurityGroup operation is called to add inbound rules to security groups. Specify the SecurityGroupId, SourceGroupId, and SourceGroupOwnerAccount parameters.
  4. After a few minutes, run the ping command to check whether the ECS instances can communicate with each other over the internal network.