When creating an ECS instance of the VPC network, you can either use the default security group or use other existing security groups in the VPC. A security group is a virtual firewall used to control the inbound and outbound traffic of an ECS instance.

This topic lists some common security group configurations for ECS instances of the VPC network.

Case 1: Intranet communication

The following are two types of communication methods between ECS instances of the VPC network:

  • By default, ECS instances in the same security group of the same VPC can communicate with each other.
  • ECS instances in different VPCs cannot communicate with each other. To achieve communication between two ECS instances in different VPCs, use Express Connect, VPN Gateway, or CEN to connect them. When doing so, make sure the security group rules allow access between the target ECS instances, as shown in the following table.
    Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
    Security group configurations for the ECS instance in VPC 1 Inbound Allow

    Windows: RDP

    3389/3389

    Address field access

    Enter the private IP address to access the ECS instance.

    To allow the access of any ECS instance, enter 0.0.0.0/0.

    Inbound Allow

    Linux: SSH

    22/22

    Address field access
    Inbound Allow

    Custom TCP

    Custom

    Address field access
    Security group configurations for the ECS instance in VPC 2 Inbound Allow

    Windows: RDP

    3389/3389

    Address field access

    Enter the private IP address to access the ECS instance.

    To allow the access of any ECS instance, enter 0.0.0.0/0.

    Inbound Allow

    Linux: SSH

    22/22

    Address field access
    Inbound Allow

    Custom TCP

    Custom

    Address field access

Case 2: Deny the access of specific IP addresses or ports

You can configure security groups to deny the access of specific IP addresses or ports to an ECS instance.

Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
Deny the access of a specific IP address range to all ports of the ECS instance Inbound Drop

All

-1

Address field access

Enter the IP address range to block, in the form of CIDR block, such as 10.0.0.1/32.

Deny the access of a specific IP address range to port 22 of the ECS instance Inbound Drop

SSH (22)

22/22

Address field access

Enter the IP address range to block, in the form of CIDR block, such as 10.0.0.1/32.

Case 3: Allow the remote access of a specific IP address

If you have configured a NAT Gateway or EIP for an ECS instance in a VPC, you can add the following security group rules to allow Windows remote logon or Linux SSH logon.

Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
Allow Windows remote logon Inbound Allow

RDP

3389/3389

Address field access

To allow the logon of any public IP address, enter 0.0.0.0/0.

To allow only the remote logon of a specific IP address, enter the IP address.

Allow Linux SSH logon  Inbound Allow

SSH

22/22

Address field access

To allow the logon of any public IP address, enter 0.0.0.0/0.

To allow only the remote logon of a specific IP address, enter the IP address.

Case 4: Allow access from the Internet to the HTTP/HTTPS service deployed on the ECS instance

If you have deployed a website on an ECS instance in a VPC and configured an EIP or NAT Gateway to provide services, configure the following security group rules to allow access from the Internet.

Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
Allow access to port 80  Inbound Allow

HTTP

80/80

Address field access 0.0.0.0/0
Allow access to port 443  Inbound Allow

HTTPS

443/443

Address field access 0.0.0.0/0
Allow access to port 80 Inbound Allow

TCP

80/80

Address field access 0.0.0.0