edit-icon download-icon

Container Service security group rules

Last Updated: Dec 07, 2017

View security group rules

Procedure

  1. Log on to the Container Service console.

  2. Click Clusters in the left-side navigation pane.

  3. On the Cluster List page, click Manage at the right of a cluster.

    1

  4. Click the security group ID to jump to the details page of this security group on the Elastic Compute Service (ECS) console.

    2

  5. Click Security Group Rules in the left-side navigation pane. You can view the security group rules.

    3

Security group rules

For the Container Service clusters created after February 28, 2017, the security groups created by default have been reinforced. Alibaba Cloud Container Service only sets the inbound security group rules. The opening rules are as follows:

Virtual Private Cloud (VPC) security group:

4

Classic network security group (the Internet inbound and intranet inbound):

5

6

Note:

  • Ports 443 and 80 are opened by default for the convenience of your business Web services. You can open or close the ports per your needs.
  • We recommend that you retain the ICMP rules for communication between nodes and the convenience of troubleshooting. Some tools also depend on ICMP.
  • Container Service depends on port 22 to initialize the ECS instance. And by using this port, you can use SSH to log on to the ECS instance and configure the clusters.
  • The VPC security group sets the basic address of the container network segment as the Authorization Object. In this example, it is 172.18.0.0/16. This is related to the initial ClasslessInter-Domain Routing (CIDR) block of Container Service that you set when creating the VPC cluster (for details, see Create a cluster). The Authorization Object ensures the communication between containers.

For the clusters created before February 28, 2017, the security group rules are loose. Take the classic network security group rules as an example.

7

8

To tighten the rules, refer to the configurations of the security groups created after February 28, 2017 and make the following changes by using Add Security Group Rules and Delete in the preceding figure:

  • Add a rule in the intranet inbound and Internet inbound, with Allow selected as the Authorization Policy and All ICMP selected as the Protocol Type.

  • To directly access ports 80, 443, or other ports of the virtual machine (VM), add the intranet and Internet rules to open these ports.

    Note: Make sure you open all the ports you need. Otherwise, some services will become inaccessible. Do not open ports accessed by using Server Load Balancer instances.

  • Delete the Internet inbound rules and intranet inbound rules with -1/-1 as the port range and 0.0.0.0 as the address range.

Security configuration principles

  • Each cluster has one security group.

    Every Container Service cluster manages one security group. You can configure rules for this security group.

  • Minimal permission principle.

    To ensure the security of your cluster, we recommend that the security group opens the minimal permissions to the external.

  • For classic network security groups, the Internet and intranet rules are configured separately.

    According to the minimal permission principle, add rules only for the NIC type. By default, ECS instances within a security group can communicate with one another. As a result, to add intranet inbound rules, clarify the reason for the addition and whether or not the access from ECS instances outside the security group is required.

  • Security groups created by Container Service add some default rules.

    For easier operations on ECS instances, security groups created by Container Service add some default rules, for example, ports 80 and 443 are opened. Delete the rules if you don’t need them.

    Note: Do not block port 22. Container Service initializes the ECS instances by using this port.

  • Try to communicate by using the container intranet and do not expose communications to the host machine.

  • When authorizing ECS instances outside the security group to access the security group, authorize a security group, instead of an individual IP address.

    To authorize ECS instances outside the security group to access the current security group, create a new security group, add these ECS instances to the new security group, and then authorize the new security group to access the current security group.

  • Use VPC network in priority. Do not bind an Elastic IP (EIP) address to a node unless necessary. The VPC network has a better isolation performance.

  • Open the container network segment at the VPC intranet outbound/inbound.

    Otherwise, the network between containers is disconnected.

Thank you! We've received your feedback.