When you create an Elastic Compute Service (ECS) instance connected to a Virtual Private Cloud (VPC) network, you can add the instance to the default security group, or select a user-created security group in the VPC network. A security group is a virtual firewall used to control the inbound and outbound traffic of ECS instances in the group.

This topic lists some commonly used security group settings for VPC-connected ECS instances.

Use case 1: Establish internal network connections

Communication between VPC-connected ECS instances includes the following:

  • By default, ECS instances in the same security group of a VPC network can communicate with each other.
  • ECS instances in different VPC networks cannot communicate with each other. To establish a connection between two ECS instances in different VPC networks, you must use Express Connect, VPN Gateway, or CEN to connect the VPC networks. Make sure that security group rules for the ECS instances allow mutual access.

| Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Security group configuration for the ECS instance in VPC 1 | Inbound | Allow | Windows: RDP, 3389/3389 | CIDR block | The private IP address of the ECS instance in VPC 2. Note: enter 0.0.0.0/0 to allow all ECS instances in VPC 2 to communicate with the ECS instance in VPC 1. |
| Security group configuration for the ECS instance in VPC 1 | Inbound | Allow | Linux: SSH, 22/22 | CIDR block | The private IP address of the ECS instance in VPC 2 (or 0.0.0.0/0, as above). |
| Security group configuration for the ECS instance in VPC 1 | Inbound | Allow | Custom TCP, custom port range | CIDR block | The private IP address of the ECS instance in VPC 2 (or 0.0.0.0/0, as above). |
| Security group configuration for the ECS instance in VPC 2 | Inbound | Allow | Windows: RDP, 3389/3389 | CIDR block | The private IP address of the ECS instance in VPC 1. Note: enter 0.0.0.0/0 to allow all ECS instances in VPC 1 to communicate with the ECS instance in VPC 2. |
| Security group configuration for the ECS instance in VPC 2 | Inbound | Allow | Linux: SSH, 22/22 | CIDR block | The private IP address of the ECS instance in VPC 1 (or 0.0.0.0/0, as above). |
| Security group configuration for the ECS instance in VPC 2 | Inbound | Allow | Custom TCP, custom port range | CIDR block | The private IP address of the ECS instance in VPC 1 (or 0.0.0.0/0, as above). |

Use case 2: Block requests from specified IP addresses or ports

You can configure security groups for a VPC-connected ECS instance to block requests from specified IP addresses or ports.

| Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Forbid IP addresses in a specified CIDR block to access all ports of the ECS instance | Inbound | Deny | All, -1 | CIDR block | The CIDR block to be blocked, such as 10.0.0.1/32. |
| Forbid IP addresses in a specified CIDR block to access TCP port 22 of the ECS instance | Inbound | Deny | SSH (22), 22/22 | CIDR block | The CIDR block to be blocked, such as 10.0.0.1/32. |

Use case 3: Allow only specified IP addresses to access an ECS instance through remote logon

Assume that you have assigned a public IP address to your VPC-connected ECS instance by using NAT Gateway or Elastic IP Address (EIP). In this case, you can add the following security group rules to allow remote logon to a Windows instance through RDP or to a Linux instance through SSH, from the specified IP addresses only.

| Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Allow remote logon to Windows | Inbound | Allow | RDP, 3389/3389 | CIDR block | The IP address that is allowed to access the ECS instance. Note: enter 0.0.0.0/0 to allow all public IP addresses to access the ECS instance. |
| Allow SSH logon to Linux | Inbound | Allow | SSH, 22/22 | CIDR block | The IP address that is allowed to access the ECS instance. Note: enter 0.0.0.0/0 to allow all public IP addresses to access the ECS instance. |

Use case 4: Allow users to access the HTTP/HTTPS service deployed on an ECS instance over the Internet

Assume that your website is hosted on a VPC-connected ECS instance and provides services to users on the Internet through an Elastic IP Address (EIP) or a NAT Gateway instance. In this case, you must configure security group rules to allow users to access your website over the Internet.

| Security group rules | Rule direction | Authorization policy | Protocol type and port range | Authorization type | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Allow user traffic to HTTP port 80 | Inbound | Allow | HTTP, 80/80 | CIDR block | 0.0.0.0/0 |
| Allow user traffic to HTTPS port 443 | Inbound | Allow | HTTPS, 443/443 | CIDR block | 0.0.0.0/0 |
| Allow user traffic to TCP port 80 | Inbound | Allow | TCP, 80/80 | CIDR block | 0.0.0.0/0 |
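As an added example (not part of this topic and not an Alibaba Cloud tool), the following Python audits a list of rules laid out with the columns of the tables above: it flags inbound Allow rules whose authorization object is 0.0.0.0/0 on the remote-logon ports or on all ports (the "all public IP addresses" setting noted in use cases 3 and 4), and checks whether an inbound Deny rule covers a given source address and port (use case 2). The rule names, dictionary field names and sample addresses are constructed.

```python
import ipaddress

# 0.0.0.0/0 is the "all public IP addresses" object the notes above warn about.
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def parse_port_range(port_range):
    """'22/22' -> (22, 22); '-1/-1' or '-1' (all ports) -> (1, 65535)."""
    parts = port_range.split("/")
    low, high = int(parts[0]), int(parts[-1])
    return (1, 65535) if -1 in (low, high) else (low, high)

def audit_rules(rules):
    """Findings for inbound Allow rules opening remote-logon or all ports to any source."""
    findings = []
    for r in rules:
        if r["direction"] != "Inbound" or r["policy"] != "Allow":
            continue
        if ipaddress.ip_network(r["object"], strict=False) != ANY_SOURCE:
            continue
        low, high = parse_port_range(r["port_range"])
        if (low, high) == (1, 65535):
            findings.append(f"{r['name']}: all ports open to any source")
            continue
        for port, label in REMOTE_ADMIN_PORTS.items():
            if low <= port <= high:
                findings.append(f"{r['name']}: {label} port {port} open to any source")
    return findings

def is_blocked(rules, source_ip, port):
    """True if an inbound Deny rule covers source_ip and port (rule priority is ignored)."""
    ip = ipaddress.ip_address(source_ip)
    for r in rules:
        if r["direction"] != "Inbound" or r["policy"] != "Deny":
            continue
        low, high = parse_port_range(r["port_range"])
        if ip in ipaddress.ip_network(r["object"], strict=False) and low <= port <= high:
            return True
    return False

def rule(name, policy, protocol, port_range, obj, direction="Inbound"):
    return {"name": name, "direction": direction, "policy": policy,
            "protocol": protocol, "port_range": port_range, "object": obj}

# Constructed sample rules modelled on the tables above; not a real configuration.
SAMPLE_RULES = [
    rule("HTTPS", "Allow", "HTTPS", "443/443", "0.0.0.0/0"),
    rule("SSH from anywhere", "Allow", "SSH", "22/22", "0.0.0.0/0"),
    rule("RDP from admin host", "Allow", "RDP", "3389/3389", "203.0.113.10/32"),
    rule("Block CIDR", "Deny", "All", "-1", "10.0.0.1/32"),
]
```

Running `audit_rules(SAMPLE_RULES)` reports only the SSH rule, since the HTTPS rule opens a service port rather than a logon port and the RDP rule is limited to one /32.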