A security group functions like a firewall for an instance. To keep exposure to a minimum, follow the principle of least privilege when you set security group rules for instances. This topic describes four recommended methods for interconnecting instances over the classic network.

Prerequisites

You must have registered an Alibaba Cloud account before you follow the instructions in this tutorial. If you do not have one, create an Alibaba Cloud account first.

Method 1: Authorize access to IP addresses

  • Scenario: This method is applicable to interconnection between a small number of instances over the internal network.
  • Advantages: Authorizing access to IP addresses involves simple and clear security group rules.
  • Disadvantages: When you interconnect a large number of instances over the internal network, you are limited by the quota of 200 security group rules, and the maintenance workload grows with every instance you add or replace, because each one needs its own rule.

Procedure:

  1. Find the target instance and click its ID. In the left-side navigation pane, click Security Groups.
  2. Find the target security group and click Add Rules in the Actions column.
  3. Click the Inbound tab. Click Add Security Group Rule.
  4. Set the security group rule as follows:
    • Action: Allow.
    • Protocol Type: Select the protocol type as needed.
    • Port Range: Set the port range as needed. The format is start port number/end port number.
    • Authorization Type: IPv4 CIDR Block.
    • Authorization Object: Enter the private IP address of each peer instance to be interconnected, in the format a.b.c.d/32. The subnet mask must be /32 so that the rule admits exactly one instance rather than a whole range.

Method 2: Add instances to the same security group

  • Scenario: If your application architecture is relatively simple, you can add all target instances to the same security group. Such instances need no special rules because instances in the same security group can access each other over the internal network by default.
  • Advantages: Security group rules are simple and clear.
  • Disadvantage: This method is only applicable to a simple network architecture. When the network architecture is adjusted, the authorization method must be modified accordingly.

For more information about the procedure, see Add an ECS instance to a security group.

Method 3: Add instances to a security group created solely for interconnection

  • Scenario: You can add the target instances to a dedicated security group for interconnection. This method is recommended for a network architecture with multiple layers of applications.
  • Advantages: This method is easy to implement and allows you to quickly establish interconnection between instances. The method is applicable to complicated network architectures.
  • Disadvantages: The instances are added to multiple security groups and the security group rules may be complex.

Procedure:

  1. Create a new security group with a descriptive name, for example "security group for interconnection". The new security group needs no rules of its own.
  2. Add the target instances to the new security group. The instances are then interconnected over the internal network by default.

Method 4: Authorize security groups

  • Scenario: Instead of moving instances between security groups, you add an inbound rule to the security group of the target instances that authorizes the security group of the peer instances. This method is recommended for a network architecture with multiple layers of applications.
  • Advantages: The rule references a security group rather than individual IP addresses, so instances can join or leave the peer group without any rule change, and the peer group can belong to another Alibaba Cloud account. The method is applicable to complicated network architectures.
  • Disadvantages: Rules that reference other security groups, especially when instances belong to several security groups, can be hard to reason about, and the resulting rule set may be complex.

Procedure:

  1. Find the target instance and click its ID. In the left-side navigation pane, click Security Groups.
  2. Find the target security group and click Add Rules in the Actions column.
  3. Click the Inbound tab. Click Add Security Group Rule.
  4. Set the security group rule as follows:
    • Action: Allow.
    • Protocol Type: Select the protocol type as needed.
    • Port Range: Set the port range as needed.
    • Authorization Type: Security Group.
    • Authorization Object:
      • If you select the Allow Current Account check box in the Authorization Type field, select the security group IDs of the peer instances that need interconnection over the internal network in the Authorization Object field, according to your networking requirements.
      • If you select the Allow Other Accounts check box in the Authorization Type field, enter the security group IDs of the peer instances in the Authorization Object field and enter the peer account ID in the Account ID field. The account ID can be found under Account Management > Security Settings.
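The following is an added example, not code from this page or from Alibaba Cloud: a small model of classic-network security group semantics that lets the four methods above be compared in code. Assumptions the page does not state, labelled here: an instance is reachable on a port when it shares a security group with the source (Methods 2 and 3) or when any of its security groups holds a matching inbound accept rule (Methods 1 and 4); rule fields follow the names of the ECS AuthorizeSecurityGroup API parameters (IpProtocol, PortRange, SourceCidrIp, SourceGroupId, SourceGroupOwnerAccount); the 200-rule quota is enforced per security group. All IDs and addresses are constructed.

```python
"""Model of classic-network security-group rules (added example, not Alibaba Cloud code).
Assumptions: same-group instances reach each other by default; otherwise an inbound
'accept' rule on one of the destination's groups must match; quota applies per group."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

RULE_QUOTA = 200  # per-security-group rule quota mentioned on the page


@dataclass
class Rule:
    ip_protocol: str                           # "tcp", "udp" or "all"
    port_range: str                            # "start/end", e.g. "3306/3306"
    source_cidr: Optional[str] = None          # Method 1: a.b.c.d/32
    source_group: Optional[str] = None         # Method 4: peer security group ID
    source_owner: Optional[str] = None         # Method 4 across accounts: peer account ID
    policy: str = "accept"

    def matches(self, src_ip: str, src_group_ids: set, proto: str, port: int) -> bool:
        if self.policy != "accept":
            return False
        if self.ip_protocol != "all":
            if self.ip_protocol != proto:
                return False
            lo, hi = (int(p) for p in self.port_range.split("/"))
            if not lo <= port <= hi:
                return False
        if self.source_cidr is not None:       # Method 1: match on the peer's private IP
            return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source_cidr)
        if self.source_group is not None:      # Method 4: match on the peer's group membership
            return self.source_group in src_group_ids
        return False


@dataclass
class SecurityGroup:
    id: str
    rules: list = field(default_factory=list)

    def authorize(self, rule: Rule) -> None:
        """Add an inbound rule, enforcing the per-group quota that limits Method 1."""
        if len(self.rules) >= RULE_QUOTA:
            raise ValueError(f"{self.id}: rule quota of {RULE_QUOTA} reached")
        self.rules.append(rule)


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: list                               # SecurityGroup objects this instance belongs to


def method1_rule(peer_private_ip: str, proto: str, port_range: str) -> Rule:
    """Method 1: authorize one peer IP; the page requires a /32 mask, so anything
    that is not a single host address (e.g. '10.0.0.0/24') is rejected."""
    net = ipaddress.ip_network(f"{peer_private_ip}/32")
    return Rule(proto, port_range, source_cidr=str(net))


def method4_rule(peer_group_id: str, proto: str, port_range: str,
                 peer_account: Optional[str] = None) -> Rule:
    """Method 4: authorize a peer security group, optionally in another account."""
    return Rule(proto, port_range, source_group=peer_group_id, source_owner=peer_account)


def can_reach(src: Instance, dst: Instance, proto: str, port: int) -> bool:
    """True if src may reach dst on proto/port over the internal network under this model."""
    src_ids = {g.id for g in src.groups}
    dst_ids = {g.id for g in dst.groups}
    if src_ids & dst_ids:                      # Methods 2 and 3: shared group, allowed by default
        return True
    return any(r.matches(src.private_ip, src_ids, proto, port)
               for g in dst.groups for r in g.rules)


# Constructed sample topology: one instance per tier, one security group per tier.
sg_web = SecurityGroup("sg-web")
sg_app = SecurityGroup("sg-app")
sg_db = SecurityGroup("sg-db")
web = Instance("web-1", "10.0.0.10", [sg_web])
app = Instance("app-1", "10.0.0.20", [sg_app])
db = Instance("db-1", "10.0.0.30", [sg_db])

sg_app.authorize(method1_rule(web.private_ip, "tcp", "8080/8080"))  # Method 1: web-1 -> app on 8080
sg_db.authorize(method4_rule(sg_app.id, "tcp", "3306/3306"))         # Method 4: app tier -> db on 3306

if __name__ == "__main__":
    print(can_reach(web, app, "tcp", 8080))   # Method 1 rule matches
    print(can_reach(app, db, "tcp", 3306))    # Method 4 rule matches
    print(can_reach(web, db, "tcp", 3306))    # no path from the web tier to the database
```

The model shows why the page insists on /32 for Method 1 (a wider mask would admit every host in the range) and why Method 4 scales better: adding a second app-tier instance to sg-app requires no change to sg-db, whereas under Method 1 it would cost another of the 200 rules.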

Suggestions

If you find that a security group grants more access than an instance needs, downgrade the access: delete the original security group rule that allows inbound traffic from 0.0.0.0/0, and replace it with a rule scoped to the specific peer IP addresses (Method 1) or the peer security group (Method 4) that actually need the port.

A misconfigured security group rule can break the interconnection between your instances. Back up the security group rules before you change them so that you can restore them quickly if something goes wrong.

A security group maps to the role of an instance in the overall application architecture, so plan the firewall rules from the architecture rather than from individual instances. For example, in a common three-tier Web application, you can plan three security groups and associate each with the instances that run that tier, so that each tier admits only the tier in front of it:
  • Web layer security group: allows port 80.
  • Application layer security group: allows port 8080, authorized to the Web layer security group (Method 4).
  • Database layer security group: allows port 3306, authorized to the Application layer security group (Method 4).
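The following is an added example, not the page's own code, that covers the two suggestions above: it backs up a security group's rules before any change, finds inbound rules that grant access from 0.0.0.0/0, emits the revoke and the narrower Method 4 replacement for each, and checks a three-tier plan for wildcard grants outside an allow-list. Assumptions: the input dict mirrors the shape of the ECS DescribeSecurityGroupAttribute response (Permissions.Permission[] with Direction, Policy, IpProtocol, PortRange, SourceCidrIp or SourceGroupId, NicType); the revoke and authorize dicts use the parameter names of RevokeSecurityGroup and AuthorizeSecurityGroup; only the Web tier is assumed to be Internet-facing. Security group IDs, addresses and the sample response are constructed.

```python
"""Audit and downgrade of a wildcard inbound rule (added example, not Alibaba Cloud code).
Input shape assumed to match DescribeSecurityGroupAttribute; output dicts assumed to
match RevokeSecurityGroup / AuthorizeSecurityGroup parameters."""
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

OPEN_SOURCES = {"0.0.0.0/0"}                    # the wildcard grant the page says to delete
PUBLIC_ALLOWED = {("sg-web", "80/80")}          # assumption: only the Web tier faces the Internet

# Constructed sample: an application-tier group that was opened to everyone on 8080.
SAMPLE = {
    "SecurityGroupId": "sg-app",
    "Permissions": {"Permission": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "8080/8080", "SourceCidrIp": "0.0.0.0/0", "NicType": "intranet"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "10.0.0.5/32", "NicType": "intranet"},
        {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0", "NicType": "intranet"},
    ]},
}


def backup_rules(attr: dict, directory: str) -> Path:
    """Write the complete rule set to a timestamped JSON file before changing anything."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = Path(directory) / f"{attr['SecurityGroupId']}-{stamp}.json"
    path.write_text(json.dumps(attr, indent=2, sort_keys=True))
    return path


def find_open_ingress(attr: dict) -> list:
    """Inbound accept rules whose source is the wildcard CIDR."""
    return [p for p in attr["Permissions"]["Permission"]
            if p.get("Direction") == "ingress"
            and p.get("Policy", "").lower() == "accept"
            and p.get("SourceCidrIp") in OPEN_SOURCES]


def downgrade(attr: dict, replacement_group_id: str) -> tuple:
    """For each wildcard rule, build the RevokeSecurityGroup call that removes it and the
    AuthorizeSecurityGroup call that re-grants the same port to one peer security group
    (Method 4) instead of to everyone. Nothing is sent; the dicts are returned."""
    revokes, authorizes = [], []
    for p in find_open_ingress(attr):
        base = {"SecurityGroupId": attr["SecurityGroupId"], "IpProtocol": p["IpProtocol"].lower(),
                "PortRange": p["PortRange"], "NicType": p["NicType"], "Policy": "accept"}
        revokes.append({**base, "SourceCidrIp": p["SourceCidrIp"]})
        authorizes.append({**base, "SourceGroupId": replacement_group_id})
    return revokes, authorizes


def run_audit(attr: dict, replacement_group_id: str, directory: str = None) -> dict:
    """Back up first, verify the backup reads back identically, then compute the downgrade."""
    directory = directory or tempfile.mkdtemp()
    path = backup_rules(attr, directory)
    restored = json.loads(path.read_text())
    revokes, authorizes = downgrade(attr, replacement_group_id)
    return {"backup": str(path), "backup_ok": restored == attr,
            "revokes": revokes, "authorizes": authorizes}


def three_tier_plan() -> dict:
    """The page's three-tier plan: each tier admits only the tier in front of it."""
    return {
        "sg-web": [{"IpProtocol": "tcp", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"}],
        "sg-app": [{"IpProtocol": "tcp", "PortRange": "8080/8080", "SourceGroupId": "sg-web"}],
        "sg-db":  [{"IpProtocol": "tcp", "PortRange": "3306/3306", "SourceGroupId": "sg-app"}],
    }


def check_plan(plan: dict, public_allowed: set = PUBLIC_ALLOWED) -> list:
    """(group, port_range) pairs open to 0.0.0.0/0 that are not on the public allow-list."""
    return [(sg, r["PortRange"]) for sg, rules in plan.items() for r in rules
            if r.get("SourceCidrIp") in OPEN_SOURCES and (sg, r["PortRange"]) not in public_allowed]


if __name__ == "__main__":
    result = run_audit(SAMPLE, "sg-web")
    print("backup:", result["backup"], "ok:", result["backup_ok"])
    for call in result["revokes"]:
        print("RevokeSecurityGroup", call)
    for call in result["authorizes"]:
        print("AuthorizeSecurityGroup", call)
    print("plan violations:", check_plan(three_tier_plan()))
```

The revoke and authorize dicts carry the same parameter names the aliyun CLI expects for `aliyun ecs RevokeSecurityGroup` and `aliyun ecs AuthorizeSecurityGroup`, so the output can be turned into the two calls that perform the downgrade; the backup file is what you would feed back to AuthorizeSecurityGroup if the change has to be reverted.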