When you create an Elastic Compute Service (ECS) instance connected to a Virtual Private Cloud (VPC) network, you can add the instance to the default security group, or select a user-created security group in the VPC network. A security group is a virtual firewall used to control the inbound and outbound traffic of ECS instances in the group.
This topic lists some commonly used security group settings for VPC-connected ECS instances.
Use case 1: Establish internal network connections
Communication between VPC-connected ECS instances includes the following:
- By default, ECS instances in the same security group of a VPC network can communicate with each other.
- ECS instances in different VPC networks cannot communicate with each other. To establish a connection between two ECS instances in different VPC networks, you must use Express Connect, VPN Gateway, or CEN to connect the VPC networks. Make sure that the security group rules for the ECS instances allow mutual access.
Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object
---|---|---|---|---|---
Security group configuration for the ECS instance in VPC 1 | Inbound | Allow | Windows: RDP 3389/3389 | CIDR block | The private IP address of the ECS instance in VPC 2. Note: Enter 0.0.0.0/0 to allow all ECS instances in VPC 2 to communicate with the ECS instance in VPC 1.
Same as above | Inbound | Allow | Linux: SSH 22/22 | CIDR block | Same as above
Same as above | Inbound | Allow | Custom TCP, custom port range | CIDR block | Same as above
Security group configuration for the ECS instance in VPC 2 | Inbound | Allow | Windows: RDP 3389/3389 | CIDR block | The private IP address of the ECS instance in VPC 1. Note: Enter 0.0.0.0/0 to allow all ECS instances in VPC 1 to communicate with the ECS instance in VPC 2.
Same as above | Inbound | Allow | Linux: SSH 22/22 | CIDR block | Same as above
Same as above | Inbound | Allow | Custom TCP, custom port range | CIDR block | Same as above
Use case 2: Block requests from specified IP addresses or ports
You can configure security groups for a VPC-connected ECS instance to block requests from specified IP addresses or ports.
Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object
---|---|---|---|---|---
Forbid IP addresses in a specified CIDR block to access all ports of the ECS instance | Inbound | Deny | All -1 | CIDR block | The CIDR block to be blocked, such as 10.0.0.1/32.
Forbid IP addresses in a specified CIDR block to access TCP port 22 of the ECS instance | Inbound | Deny | SSH(22) 22/22 | CIDR block | The CIDR block to be blocked, such as 10.0.0.1/32.
Use case 3: Allow only specified IP addresses to access an ECS instance through remote logon
Assume that you have assigned a public IP address to your VPC-connected ECS instance by using NAT Gateway or Elastic IP Address (EIP). In this case, you can add the following security group rules to allow remote logon through Windows or SSH logon through Linux.
Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object
---|---|---|---|---|---
Allow remote logon through Windows | Inbound | Allow | RDP 3389/3389 | CIDR block | The IP address that is allowed to access the ECS instance. Note: Enter 0.0.0.0/0 to allow all public IP addresses to access the ECS instance.
Allow SSH logon through Linux | Inbound | Allow | SSH 22/22 | CIDR block | The IP address that is allowed to access the ECS instance. Note: Enter 0.0.0.0/0 to allow all public IP addresses to access the ECS instance.
Use case 4: Allow users to access the HTTP/HTTPS service deployed on an ECS instance over the Internet
Assume that your website is hosted on a VPC-connected ECS instance and your website provides service to users on the Internet through an Elastic IP address or NAT Gateway instance. In this case, you must configure security group rules to allow users to access your website over the Internet.
Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object
---|---|---|---|---|---
Allow user traffic from HTTP port 80 | Inbound | Allow | HTTP 80/80 | CIDR block | 0.0.0.0/0
Allow user traffic from HTTPS port 443 | Inbound | Allow | HTTPS 443/443 | CIDR block | 0.0.0.0/0
Allow user traffic from TCP port 80 | Inbound | Allow | TCP 80/80 | CIDR block | 0.0.0.0/0
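The following is an added example, not code from this topic or from Alibaba Cloud. It models the rules from use cases 2, 3, and 4 as a small rule set and evaluates whether a given inbound packet would be allowed, so that the interaction between a Deny rule for a CIDR block and an Allow rule for 0.0.0.0/0 can be checked before the rules are applied in the console. The evaluation semantics are assumptions of this model: traffic that matches no inbound rule is dropped, and a matching Deny rule takes precedence over a matching Allow rule. The addresses 203.0.113.10 (an administrator's public IP) and 198.51.100.7 (an ordinary website visitor) are constructed sample values; the `audit_wide_open` helper is a hypothetical check that flags remote logon ports opened to 0.0.0.0/0, which the note in use case 3 permits but which a practitioner normally wants to see before it goes live.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_PORTS = (-1, -1)            # the page's "All -1" port range
REMOTE_LOGON_PORTS = {22, 3389}  # SSH and RDP, the ports from use case 3


@dataclass(frozen=True)
class Rule:
    """One security group rule, using the column names of the tables above."""
    direction: str             # "inbound" or "outbound"
    policy: str                # "allow" or "deny"
    protocol: str              # "tcp", "udp", or "all"
    port_range: Tuple[int, int]  # (start, end); ALL_PORTS means every port
    cidr: str                  # authorization object (source CIDR block for inbound)
    description: str = ""


def port_matches(rule: Rule, port: int) -> bool:
    lo, hi = rule.port_range
    return rule.port_range == ALL_PORTS or lo <= port <= hi


def rule_matches(rule: Rule, direction: str, protocol: str, port: int, ip: str) -> bool:
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    if not port_matches(rule, port):
        return False
    # 0.0.0.0/0 contains every address, so an Allow rule on it is reachable from anywhere.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)


def evaluate(rules: List[Rule], direction: str, protocol: str, port: int, ip: str) -> str:
    """Return "allow" or "deny" for one packet (modelled semantics, see lead-in)."""
    matched = [r for r in rules if rule_matches(r, direction, protocol, port, ip)]
    if not matched:
        return "deny"            # assumption: no matching rule means the packet is dropped
    if any(r.policy == "deny" for r in matched):
        return "deny"            # assumption: Deny wins over Allow when both match
    return "allow"


def audit_wide_open(rules: List[Rule]) -> List[str]:
    """Hypothetical check: descriptions of Allow rules that open SSH/RDP to 0.0.0.0/0."""
    return [
        r.description for r in rules
        if r.direction == "inbound" and r.policy == "allow"
        and r.cidr == "0.0.0.0/0"
        and (r.port_range == ALL_PORTS or any(port_matches(r, p) for p in REMOTE_LOGON_PORTS))
    ]


# Constructed rule set built from the tables in use cases 2, 3 and 4.
RULES = [
    # Use case 2: block one address on all ports and on TCP 22
    Rule("inbound", "deny", "all", ALL_PORTS, "10.0.0.1/32", "block 10.0.0.1 on all ports"),
    Rule("inbound", "deny", "tcp", (22, 22), "10.0.0.1/32", "block 10.0.0.1 on SSH"),
    # Use case 3: remote logon only from the administrator's address (constructed)
    Rule("inbound", "allow", "tcp", (3389, 3389), "203.0.113.10/32", "RDP from admin"),
    Rule("inbound", "allow", "tcp", (22, 22), "203.0.113.10/32", "SSH from admin"),
    # Use case 4: public web service
    Rule("inbound", "allow", "tcp", (80, 80), "0.0.0.0/0", "HTTP from Internet"),
    Rule("inbound", "allow", "tcp", (443, 443), "0.0.0.0/0", "HTTPS from Internet"),
]


if __name__ == "__main__":
    for proto, port, ip in [("tcp", 443, "198.51.100.7"), ("tcp", 22, "198.51.100.7"),
                            ("tcp", 22, "203.0.113.10"), ("tcp", 80, "10.0.0.1")]:
        print(f"{proto}/{port} from {ip}: {evaluate(RULES, 'inbound', proto, port, ip)}")
    print("wide-open logon rules:", audit_wide_open(RULES))
```

Running the block shows that a visitor reaches ports 80 and 443 but not 22, the administrator reaches 22 and 3389, and 10.0.0.1 is refused on port 80 even though the HTTP rule allows 0.0.0.0/0. Appending an SSH Allow rule for 0.0.0.0/0 makes `audit_wide_open` report it, which is the case worth reviewing before choosing the 0.0.0.0/0 option described in use case 3.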