When creating an ECS instance of the VPC network, you can use the default security group or other security groups of the VPC.  A security group is a virtual firewall to control the inbound and outbound traffic through the ECS instances. 

This document lists some common security group scenarios for the ECS instances of the VPC network.

Case 1: Intranet communication

Communication between ECS instances of the VPC network includes the following two kinds:

  • Within the same VPC, ECS instances in the same security group can communicate with each other by default.
  • Two ECS instances in different VPCs cannot communicate with each other.   To achieve communication between the two ECS instances in different VPCs, use Express Connect or VPN Gateway to connect them and make sure that security group rules for the ECS instances allow mutual access, as shown in the following table.
    Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
    Security group configurations for the ECS instance in VPC 1 Inbound Allow

    Windows: RDP

    3389/3389

    Address field access

    Enter the private IP address to access the ECS instance.

    To allow the access of any ECS instance, enter 0.0.0.0/0.

    Inbound Allow

    Linux: SSH

    22/22

    Address field access
    Inbound Allow

    Custom TCP

    Custom

    Address field access
    Security group configurations for the ECS instance in VPC 2 Inbound Allow

    Windows: RDP

    3389/3389

    Address field access

    Enter the private IP address to access the ECS instance.

    To allow the access of any ECS instance, enter 0.0.0.0/0.

    Inbound Allow

    Linux: SSH

    22/22

    Address field access
    Inbound Allow

    Custom TCP

    Custom

    Address field access

Case 2: Deny access of specific IPs or ports

You can configure security groups to deny the access of specific IPs or ports to the ECS instance in a VPC.

Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
Deny access of a specific IP address range to all ports of the ECS instance Inbound Drop

All

-1

Address field access

Enter the IP address range to block, in the form of CIDR block, such as 10.0.0.1/32.

Deny access of a specific IP address range to port 22 of the ECS instance Inbound Drop

SSH (22)

22/22

Address field access

Enter the IP address range to block, in the form of CIDR block, such as 10.0.0.1/32.

Case 3: Allow access of a specific IP

If you have configured a public IP for the ECS instance in a VPC, you can add the following security group rules to allow Windows remote logon or Linux SSH logon.

Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
Allow Windows remote logon Inbound Allow

RDP

3389/3389

Address field access

To allow the logon of any public IP address, enter 0.0.0.0/0.

To allow only the remote logon of a specific IP address, enter the IP address.

Allow Linux SSH logon  Inbound Allow

SSH

22/22

Address field access

To allow the logon of any public IP address, enter 0.0.0.0/0.

To allow only the remote logon of a specific IP address, enter the IP address.

Case 4: Allow access from the Internet to the HTTP/HTTPS service deployed on the ECS instance

If you have deployed a website on the ECS instance in a VPC and configured an EIP or NAT gateway to provide services, configure the following security group rules to allow access from the Internet.

Security group rules Rule direction Authorization policy Protocol type and port range Authorization type Authorization object
Allow access to port 80  Inbound Allow

HTTP

80/80

Address field access 0.0.0.0/0
Allow access to port 443  Inbound Allow

HTTPS

443/443

Address field access 0.0.0.0/0
Allow access to port 80 Inbound Allow

TCP

80/80

Address field access 0.0.0.0