This topic describes how to configure security group rules to manage network traffic for common scenarios, such as providing web services or controlling remote access. These guidelines help ensure the security and reliability of your cloud resources.
Security group guidelines
1. Identify needs and plan security groups
Define your business needs and specific security requirements. For example, determine which services must be publicly accessible and which must be restricted to internal access.
Isolate servers for public and internal services in different security groups
Exposing unnecessary service ports can create security vulnerabilities. Apply the strictest rules to the security groups for your ECS instances. Adopt a default-deny policy, which closes all ports and protocols by default and opens only the specific ports that your services require.
A security group for public-facing servers should have a clear and simple purpose. Avoid running other services, such as MySQL or Redis, on the same server. We recommend that you install these backend services on an ECS instance that does not have a public IP address. Then, grant access by creating a security group rule that authorizes access from another security group.
Use different security groups for different applications
In a production environment, servers with different operating systems or applications typically do not belong to the same group for load balancing. Different services require different ports to be opened or closed. Assign resources with different roles to different security groups.
For example, a Linux instance may require TCP port 22 for SSH access, while a Windows instance may require TCP port 3389 for Remote Desktop connections.
Even if instances use the same image type but provide different services, you should assign them to different security groups if they do not need to communicate over the internal network. This approach decouples your services, simplifies future rule changes, and ensures each security group has a single responsibility.
When you plan and add new applications, you should plan your security groups just as you plan your subnets with vSwitches. Use both CIDR blocks and security groups to define clear boundaries between service providers and consumers.
Use separate security groups for production and test environments
To better isolate systems, you might build multiple test environments and one production environment. To properly isolate your networks, configure different security policies for each environment. This prevents changes in a test environment from accidentally affecting the stability of your production environment.
By creating different security groups, you can restrict application access domains and prevent communication between production and test environments. You can also assign different security groups to multiple test environments to prevent them from interfering with each other, which improves development efficiency.
Do not assign public IP addresses to resources that do not require public access
Connect to an ECS instance by using methods that do not require a public IP address, such as Workbench, Session Manager, or a jump server, to minimize public exposure. To directly access a service deployed in a private network, you can use the port forwarding feature. For more information, see Use port forwarding of Session Manager CLI to access instances that do not have public IP addresses.
In a distributed application, resources are often separated into different tiers and groups. For an ECS instance that does not provide public services, do not assign a public IP address. If you have multiple servers that provide public access, use SLB to distribute public traffic. This improves system availability and prevents single points of failure. For more information, see .
Within a VPC, if an ECS instance without a public IP address needs to access the internet, use a NAT gateway. It acts as a proxy for internet access. You only need to configure SNAT rules for a specific CIDR block or subnet to enable public access. This prevents you from exposing services to the internet by assigning a public IP address (or elastic IP address) when only outbound internet access is required. For more information, see Create and manage SNAT entries.
Use security groups as whitelists
A security group should function as a whitelist. By default, it denies all access. You can add allow rules to permit traffic on specific port ranges from authorized sources. Open as few ports and assign as few public IP addresses as possible. Associating an elastic IP address is a convenient way to access a production machine for troubleshooting, but it exposes the entire machine to the internet.
2. Configure security group rules
A security group acts as a virtual firewall that controls inbound and outbound traffic for an ECS instance. You should open only necessary communication ports and restrict source IP address ranges as much as possible.
In a VPC, a single security group rule can control both public and private network access. This means you can configure one rule to restrict or allow traffic from both the internet and your internal network.
Default policies differ between basic and advanced security groups
By default, both basic security groups and advanced security groups deny all inbound traffic. However, their outbound policies differ: a basic security group allows all outbound traffic, whereas an advanced security group denies it.
Internal connectivity differs across security groups and security group types
Even if they belong to the same account, ECS instances in different security groups are isolated from each other over the internal network. By default, instances within the same basic security group can communicate with each other, while instances within the same advanced security group are isolated from each other.
Add rules based on the principle of least privilege
For example, when you open port 22 on a Linux instance for remote login, allow access only from specific IP addresses.
Warning: Authorizing access from 0.0.0.0/0 allows all IP addresses to access the instance, which exposes all ports. This is highly insecure. The correct practice is to deny access to all ports by default. For example, if you need to expose web services, you should open only common TCP ports such as 80, 8080, and 443, and keep all other ports closed.
Configure security group rules based on your business needs and the principle of least privilege. Avoid opening all ports (use ::/0 or 0.0.0.0/0 with extreme caution) to prevent security risks. For more information about the types of authorization objects, see Security group rules.
Isolate instances within a group based on the principle of least privilege
If instances in a basic security group do not need to communicate with each other, set the internal access policy for the security group to isolate the instances.
Keep the purpose of rules within a single security group consistent
Organize rules into multiple security groups based on their purpose and associate instances with the relevant groups. A single security group with too many rules increases management complexity.
Choose authorization objects carefully
The authorization object for a security group rule can be an IP address, another security group, or a CIDR block.
If you want to enable network communication between resources in different security groups, you should authorize access by security group. For example, for a distributed application, you may use different security groups for different components. If these security groups cannot communicate with each other, you should not authorize access by IP address or CIDR block. Instead, you should directly authorize access from all resources in the other security group. For instance, if you created separate security groups for the web and database components of your application, sg-web and sg-database, you can add a rule to sg-database. This rule authorizes all resources in the sg-web security group to access the MySQL (3306) port.
For internal network access, authorize a source security group instead of a CIDR block.
Typical applications use default ports
Applications use specific server ports to communicate with external services. For more information, see Common ports.
3. Continuously review and optimize rules
As your business evolves, your existing security groups and rules may become outdated. Regularly review your architecture and make adjustments based on the latest security conditions. Before you modify a security group in a production environment, first clone it and test the rules in a test environment to ensure traffic flows correctly. Then, apply the changes to the production security group. This practice helps prevent service interruptions caused by incorrect modifications.
Use cases
Control inbound traffic to ECS instances
Inbound traffic is traffic from external resources to your ECS instances. You can configure inbound security group rules to allow specified users to access services deployed on your ECS instances. By default, all inbound traffic is denied, so you need to configure only Allow rules for the traffic you want to permit. Relevant use cases include:
Case 1: Provide web services from a website deployed on an ECS instance
Case 2: Allow remote access for specific users to an ECS instance
Case 3: Implement security policies for databases deployed on ECS instances
Case 5: Enable internal communication between instances in different security groups
Control outbound traffic from ECS instances
Outbound traffic is traffic from your ECS instances to external resources. You can configure outbound security group rules to deny access from your ECS instances to specified external resources. For a basic security group, all outbound traffic is allowed by default, so you need to add only Deny rules for traffic you want to block. A relevant use case includes:
Case 6: Restrict outbound access
Case 1: Provide web services
If a website deployed on an Alibaba Cloud ECS instance must be accessible to any user on the internet, configure a security group rule that allows inbound traffic from any source only on TCP ports 80 (HTTP) and 443 (HTTPS). This configuration ensures that the website is accessible while restricting direct access to other services on the server.
The following table shows an example of this security group rule configuration.
Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Custom TCP | Service ports: 80/80, 443/443 | 0.0.0.0/0 |
If you cannot access the website after you add the security group rule, check whether the service ports are functioning correctly. For more information, see Troubleshoot services that are inaccessible from ECS instances.
Case 2: Allow remote access
When you deploy a service on an Alibaba Cloud ECS instance and need to connect to it remotely, configure a security group rule. Typically, you need to open TCP port 22 (SSH) or a custom SSH port. To reduce the risk of malicious attacks, restrict access to the IP address of a specific user, such as an administrator, or a specific server.
The following table shows an example of this security group rule configuration.
Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Custom TCP | 22/22 | 192.168.XX.XX |
Note: 192.168.XX.XX stands for the IP address of a specific user or server. Enter a public IP address. You can use a service like WhatIsMyIP.com to find your local network's public IP address.
When you use Alibaba Cloud Workbench to remotely connect to an instance, you need to allow only specific authorization objects. The following table shows an example of an inbound security group rule.
Action | Priority | Protocol type | Port range | Authorization object |
Allow | 1 | Custom TCP | | |
Case 3: Configure database security
Database services typically require stricter security policies. Configure a security group to allow inbound connections on specific ports only from specific IP addresses or security groups, such as the security group containing your application servers. This ensures the privacy and security of database access.
If your current inbound rules include an allow rule from 0.0.0.0/0, review which ports and services must be publicly exposed. If you determine that a port should not be publicly accessible, add a deny rule for that port. For example, do not expose the default MySQL port 3306 to the internet. To prevent this, add a deny rule for that port and set its priority to 100 (the lowest priority).
The following table shows examples of security group rule configurations for common databases that use their default ports.
Database type | Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
MySQL | Inbound | Allow | 1 | Custom TCP | 3306/3306 | 172.16.XX.XX |
Oracle | Inbound | Allow | 1 | Custom TCP | 1521/1521 | 192.168.XX.XX |
MS SQL | Inbound | Allow | 1 | Custom TCP | 1433/1433 | 192.168.XX.XX/16 |
PostgreSQL | Inbound | Allow | 1 | Custom TCP | 5432/5432 | sg-bp1hv6wvmegs036**** |
Redis | Inbound | Allow | 1 | Custom TCP | 6379/6379 | 160998252992****/sg-bp174yoe2ib1sqj5**** |
Replace the example IP addresses, CIDR blocks, Alibaba Cloud account IDs, and security group IDs with your actual values.
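The least-privilege guideline above and Case 3 both come down to the same review question: which inbound Allow rules are open to 0.0.0.0/0 or ::/0, and on which ports. The script below is an added example, not code from the original page or from Alibaba Cloud, that runs that review over a constructed rule list. The dictionary keys are modelled on the permission entries of the ECS DescribeSecurityGroupAttribute API, but the rule values, the security group ID and the severity labels are assumptions made for this example; the web and database ports are the ones the page itself names.

```python
import ipaddress

# Constructed sample inbound rules. The field names follow the permission
# entries returned by the ECS DescribeSecurityGroupAttribute API, but every
# value here is made up for this example (assumption: Policy is "Accept" or "Drop").
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},            # public web, expected
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},          # public web, expected
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},            # SSH open to the world
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "::/0"},             # MySQL open to all of IPv6
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8"},           # broad, but internal only
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "6379/6379", "SourceGroupId": "sg-constructed-app"},  # group-to-group
    {"Direction": "ingress", "Policy": "Drop", "Priority": 100, "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "0.0.0.0/0"},        # the page's deny rule
]

# Ports the page names as acceptable to expose for web services, and the
# default database ports from the Case 3 table.
WEB_PORTS = {80, 443, 8080}
DB_PORTS = {3306: "MySQL", 1521: "Oracle", 1433: "MS SQL", 5432: "PostgreSQL", 6379: "Redis"}


def parse_port_range(port_range):
    """Turn 'lo/hi' into an inclusive (lo, hi) tuple; '-1/-1' means every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def is_world_open(rule):
    """True when the authorization object is 0.0.0.0/0 or ::/0 (any /0 network)."""
    cidr = rule.get("SourceCidrIp")
    if not cidr:
        return False  # authorized by security group, not by address
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def classify(rule):
    """Severity and reason for an inbound Accept rule that is open to the internet."""
    lo, hi = parse_port_range(rule["PortRange"])
    exposed_db = [name for port, name in DB_PORTS.items() if lo <= port <= hi]
    if exposed_db:
        return "critical", "database port exposed to the internet: " + ", ".join(exposed_db)
    if (lo, hi) == (1, 65535):
        return "critical", "all ports exposed to the internet"
    if all(port in WEB_PORTS for port in range(lo, hi + 1)):
        return "info", "web port exposed to the internet (expected for public web services)"
    return "high", "non-web port exposed to the internet; restrict the source to known addresses"


def audit_inbound(rules):
    """Return (severity, reason, rule) for every inbound Accept rule open to the world."""
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue  # outbound rules and Drop rules do not widen exposure
        if is_world_open(rule):
            severity, reason = classify(rule)
            findings.append((severity, reason, rule))
    return findings


if __name__ == "__main__":
    for severity, reason, rule in audit_inbound(SAMPLE_RULES):
        print(f"[{severity}] {rule['IpProtocol']} {rule['PortRange']} "
              f"from {rule['SourceCidrIp']}: {reason}")
```

Run against the constructed list, the two web rules are reported as expected exposure, the SSH rule as a non-web port to restrict, and the IPv6 MySQL rule as a critical finding; the 10.0.0.0/8 rule and the group-authorized Redis rule are not reported because neither is open to the internet. Note that the Drop rule at priority 100 does not cancel an Allow at priority 1 for the same port, which is why the audit looks at the Accept rules alone.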
Case 4: Allow specific protocols
Based on your business requirements, you may need to restrict specific network protocols, such as allowing communication only on specific TCP or UDP ports. The ICMP protocol is primarily used to transmit control messages between IP hosts and routers. You must allow access over the ICMP protocol to perform certain tests. For example, when you run the ping command on a client to test network connectivity, you must allow access over the ICMP protocol. The following table provides examples of security group rule configurations.
Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | ICMP | -1/-1 | Client IP address |
Note: Enter an IPv4 or IPv6 address depending on your network environment.
Case 5: Enable internal communication
If you need to share data between instances in the same VPC, such as allowing an instance in Security Group A to access shared files on an instance in Security Group B via FTP, you can authorize access between the security groups. Authorizing another security group is more convenient than authorizing individual IP addresses or CIDR blocks because it allows you to grant access to an entire group of instances at once without configuring permissions for each instance.
You cannot use security group rules to enable communication between instances that are in different VPCs.
If your services can be deployed in the same VPC, you can establish connectivity by using the VPC's internal network. For more information, see Change the VPC of an ECS instance.
If your services require instances to be in different VPCs, Alibaba Cloud provides several solutions to connect them, such as VPC peering connection, PrivateLink, and Cloud Enterprise Network. To learn about the differences, see VPC connections.
Scenario 1: Security groups in the same account
If Security Group A and Security Group B belong to the same account, set the authorization object to the ID of the source security group. The following table shows an example of this security group rule configuration.
Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Custom TCP | 21/21 | sg-bp1hv6wvmegs036**** |
Note: Replace the example security group ID with your actual value.
Scenario 2: Security groups in different accounts
If Security Group A and Security Group B belong to different accounts, set the authorization object to the ID of the source Alibaba Cloud account and the ID of the source security group. The following table shows an example of this security group rule configuration.
Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Custom TCP | 21/21 | 160998252992****/sg-bp174yoe2ib1sqj5**** |
Note: Replace the example Alibaba Cloud account ID and security group ID with your actual values.
Case 6: Restrict outbound access
To restrict an instance to accessing only specific websites, use its security group as a whitelist. Set the default outbound rule to deny all traffic, and then add rules to allow access only to the IP addresses of the specified websites.
When you configure these security group rules, note the following:
When multiple rules match a request based on protocol, port, and authorization object, the system determines which rule takes effect based on priority and action. A session is established only if the final effective rule has an action of Allow.
A smaller priority value indicates a higher priority. If two rules have the same priority but different actions (Allow vs. Deny), the Deny rule takes precedence. To correctly implement a whitelist for outbound traffic, the Deny rule must have a lower priority (a higher number) than the Allow rules. This ensures that the Allow rules take effect.
The following table shows an example of this security group rule configuration.
Rule direction | Action | Priority | Protocol type | Port range | Authorization object |
Outbound | Deny | 2 | All | -1/-1 | 0.0.0.0/0 |
Outbound | Allow | 1 | Custom TCP | 80/80 | 47.96.XX.XX |
Outbound | Allow | 1 | Custom TCP | 443/443 | 121.199.XX.XX |
These rules allow the instance in the security group to access HTTP services on port 80 at 47.96.XX.XX and HTTPS services on port 443 at 121.199.XX.XX, while all other outbound access is denied.
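The matching rules stated for Case 6 (smallest priority number wins, Deny wins a tie, the group's default applies when nothing matches) also decide whether the group-to-group rules of Case 5 take effect, and why the Deny rule in the whitelist above must sit at priority 2 rather than 1. The evaluator below is an added example, not code from the original page or from Alibaba Cloud, that implements exactly those semantics and runs both cases through them. The Rule and Flow types, the TEST-NET addresses standing in for the page's 47.96.XX.XX and 121.199.XX.XX, and the security group and account IDs are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    action: str       # "Allow" or "Deny"
    priority: int     # 1 is the highest priority, 100 the lowest
    protocol: str     # "TCP", "UDP", "ICMP", or "All"
    port_range: str   # "80/80", or "-1/-1" for every port
    obj: str          # authorization object: CIDR block, "sg-...", or "<account-id>/sg-..."


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    port: int
    peer_ip: str                        # address of the other end of the connection
    peer_sg: Optional[str] = None       # security group of the peer instance, if any
    peer_account: Optional[str] = None  # account that owns the peer security group


def port_matches(port_range: str, port: int) -> bool:
    lo, hi = (int(x) for x in port_range.split("/"))
    return (lo, hi) == (-1, -1) or lo <= port <= hi


def object_matches(obj: str, flow: Flow) -> bool:
    """Match the rule's authorization object against the peer of the flow."""
    if obj.startswith("sg-"):                      # security group in the same account
        return flow.peer_sg == obj
    if "/sg-" in obj:                              # cross-account form "<account>/<sg>"
        account, sg = obj.split("/", 1)
        return flow.peer_sg == sg and flow.peer_account == account
    try:                                           # IP address or CIDR block
        return ipaddress.ip_address(flow.peer_ip) in ipaddress.ip_network(obj, strict=False)
    except ValueError:
        return False


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol.lower() in ("all", flow.protocol.lower())
            and port_matches(rule.port_range, flow.port)
            and object_matches(rule.obj, flow))


def evaluate(rules: List[Rule], flow: Flow, advanced: bool = False) -> str:
    """Lowest priority number wins; Deny wins a tie; otherwise the group default applies."""
    matches = [r for r in rules if rule_matches(r, flow)]
    if not matches:
        if flow.direction == "inbound":
            return "Deny"                          # both group types deny inbound by default
        return "Deny" if advanced else "Allow"     # basic allows outbound, advanced denies it
    best = min(r.priority for r in matches)
    top = [r for r in matches if r.priority == best]
    return "Deny" if any(r.action == "Deny" for r in top) else "Allow"


# Case 6 whitelist. TEST-NET addresses are constructed stand-ins for the page's
# 47.96.XX.XX and 121.199.XX.XX.
WHITELIST_OK = [
    Rule("outbound", "Deny",  2, "All", "-1/-1",   "0.0.0.0/0"),
    Rule("outbound", "Allow", 1, "TCP", "80/80",   "203.0.113.10"),
    Rule("outbound", "Allow", 1, "TCP", "443/443", "198.51.100.20"),
]
# The same intent, but with the Deny rule at the same priority as the Allow rules.
WHITELIST_BROKEN = [Rule("outbound", "Deny", 1, "All", "-1/-1", "0.0.0.0/0")] + WHITELIST_OK[1:]

# Case 5: FTP (21) authorized from another security group, same account and
# cross-account (constructed IDs).
GROUP_RULES = [
    Rule("inbound", "Allow", 1, "TCP", "21/21", "sg-constructed-a"),
    Rule("inbound", "Allow", 1, "TCP", "21/21", "100000000000000/sg-constructed-partner"),
]


if __name__ == "__main__":
    for label, rules in (("correct", WHITELIST_OK), ("broken", WHITELIST_BROKEN)):
        verdict = evaluate(rules, Flow("outbound", "TCP", 80, "203.0.113.10"))
        print(f"{label} whitelist, HTTP to 203.0.113.10: {verdict}")
```

With the Deny rule at priority 2, HTTP to 203.0.113.10 is allowed and everything else is denied; move the Deny rule to priority 1 and the tie goes to Deny, so the whitelist blocks the very traffic it was meant to permit. For the group-authorized FTP rule, a peer in the named group is admitted while a peer in any other group falls through to the inbound default of Deny, and the cross-account form only matches when both the account and the group ID agree.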