
Elastic Compute Service: Modify the internal access control policy of a basic security group

Last Updated: Mar 15, 2024

You can modify the internal access control policy of a basic security group in the Elastic Compute Service (ECS) console to allow or block communication over the internal network between the ECS instances that belong to the security group. Blocking intra-group communication limits lateral movement between instances that only share a security group and improves network security.

Background information

  • If the Internal Access Control Policy parameter of a basic security group is set to intra-group interworking, the security group uses the internal interconnectivity policy and all ECS instances in the security group can communicate with each other over the internal network, regardless of whether custom rules exist in the security group.

  • If the Internal Access Control Policy parameter of a basic security group is set to group isolation and the security group contains no custom rules, the security group uses the internal isolation policy and all ECS instances in the security group cannot communicate with each other over the internal network.

  • By default, advanced security groups use the internal isolation policy, and ECS instances in each advanced security group cannot communicate with each other. The internal access control policy of advanced security groups cannot be modified.

  • The internal isolation policy isolates elastic network interfaces (ENIs), not ECS instances. If multiple ENIs are bound to an ECS instance, the instance is isolated only when the security groups to which each of its ENIs belongs all use the internal isolation policy; you must configure the policy for each of those security groups. For more information, see Manage ENIs in security groups.

  • In the following scenarios, instances in the same security group can communicate with each other regardless of the internal isolation policy:

    • The instances share more than one security group, and at least one of the shared security groups does not use the internal isolation policy.

    • An access control list (ACL) is configured to allow mutual access between instances in the security group.

For more information, see Basic and advanced security groups.

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the security group list page, find the security group whose internal access control policy you want to modify and click the security group ID.

  5. In the Basic Information section, click Modify Internal Access Control Policy and set Internal Access Control Policy to intra-group interworking or group isolation.

  6. In the Modify Internal Access Control Policy message, click OK.

Example

In this example, Group1 and Group2 are basic security groups. ECS1, ECS2, and ECS3 are ECS instances. The following figure shows the relationships between the instances and the security groups.

[Figure: the relationships between ECS1, ECS2, ECS3 and the security groups Group1 and Group2, as described in the following list]

  • Group1 contains ECS1 and ECS2 and uses the internal isolation policy.

  • Group2 contains ECS2 and ECS3 and uses the default internal interconnectivity policy.

The following table describes whether the instances can communicate with each other.

Instances        Isolated   Description
ECS1 and ECS2    Yes        Both belong to Group1, which uses the internal isolation policy, so ECS1 and ECS2 are isolated from each other.
ECS2 and ECS3    No         Both belong to Group2, which uses the default internal interconnectivity policy, so ECS2 and ECS3 can communicate with each other.
ECS1 and ECS3    Yes        ECS1 and ECS3 do not share a security group. By default, instances in different security groups are isolated from each other, so ECS1 and ECS3 cannot communicate.
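The rules listed under Background information and the three-instance example above, as an added worked example that is not part of this page or of Alibaba Cloud's own code. It applies the page's rules per ENI (one shared interworking group connects a pair; a pair that shares only isolation groups without custom rules is isolated; a shared isolation group with custom rules is left to those rules; no shared group means isolated by default) and goes beyond the page's table by showing an instance with a second ENI reaching a group that its first ENI is isolated from. It also assembles the parameters for the ModifySecurityGroupPolicy operation; the parameter names RegionId, SecurityGroupId and InnerAccessPolicy and the values Accept and Drop come from the ECS API reference, not from this page, and every group, ENI, instance and region identifier below is made up.

```python
"""Added example, not code from the ECS documentation or Alibaba Cloud.

Applies the internal access control rules stated on this page to decide
whether two ENIs (and the instances behind them) can communicate over the
internal network, and builds the parameter set for the
ModifySecurityGroupPolicy API operation.

Assumptions not taken from this page: the API parameter InnerAccessPolicy
takes "Accept" (intra-group interworking) or "Drop" (group isolation); all
security group, ENI, instance and region identifiers below are made up.
"""
from dataclasses import dataclass

ACCEPT = "Accept"  # console setting: intra-group interworking
DROP = "Drop"      # console setting: group isolation
CONSOLE_SETTING = {"intra-group interworking": ACCEPT, "group isolation": DROP}


@dataclass(frozen=True)
class SecurityGroup:
    sg_id: str
    inner_access_policy: str        # ACCEPT or DROP
    kind: str = "basic"             # "basic" or "advanced"
    has_custom_rules: bool = False  # DROP isolates only when no custom rules exist

    def __post_init__(self):
        if self.inner_access_policy not in (ACCEPT, DROP):
            raise ValueError(f"{self.sg_id}: unknown policy {self.inner_access_policy!r}")
        if self.kind == "advanced" and self.inner_access_policy != DROP:
            # Advanced security groups always use the isolation policy.
            raise ValueError(f"{self.sg_id}: advanced groups cannot be set to {ACCEPT}")


@dataclass(frozen=True)
class ENI:
    eni_id: str
    instance: str
    groups: frozenset  # IDs of the security groups this ENI belongs to


def eni_reachability(a: ENI, b: ENI, groups: dict) -> str:
    """Return "connected", "isolated" or "custom-rules" for one ENI pair.

    One shared interworking group is enough to connect the pair, whatever
    custom rules exist; ENIs that share only isolation groups with no custom
    rules are isolated; a shared isolation group that has custom rules is
    governed by those rules (not evaluated here); ENIs with no group in
    common are isolated by default.  Network ACLs, which can also open a
    path between instances, are outside this model.
    """
    shared = a.groups & b.groups
    if any(groups[g].inner_access_policy == ACCEPT for g in shared):
        return "connected"
    if any(groups[g].has_custom_rules for g in shared):
        return "custom-rules"
    return "isolated"


def instance_reachability(inst_a: str, inst_b: str, enis, groups: dict) -> str:
    """Isolation is enforced per ENI, so two instances can talk if any ENI pair can."""
    results = {eni_reachability(x, y, groups)
               for x in enis if x.instance == inst_a
               for y in enis if y.instance == inst_b}
    for verdict in ("connected", "custom-rules", "isolated"):
        if verdict in results:
            return verdict
    raise ValueError("no ENI found for one of the instances")


def modify_policy_params(region_id: str, security_group_id: str, console_setting: str) -> dict:
    """Query parameters for ModifySecurityGroupPolicy; request signing and
    transport are left to the Alibaba Cloud SDK or CLI."""
    if console_setting not in CONSOLE_SETTING:
        raise ValueError(f"unknown setting {console_setting!r}")
    return {
        "Action": "ModifySecurityGroupPolicy",
        "RegionId": region_id,
        "SecurityGroupId": security_group_id,
        "InnerAccessPolicy": CONSOLE_SETTING[console_setting],
    }


# The page's example: Group1 isolates, Group2 interconnects (identifiers made up).
GROUPS = {
    "Group1": SecurityGroup("Group1", DROP),
    "Group2": SecurityGroup("Group2", ACCEPT),
}
ENIS = [
    ENI("eni-1", "ECS1", frozenset({"Group1"})),
    ENI("eni-2", "ECS2", frozenset({"Group1", "Group2"})),
    ENI("eni-3", "ECS3", frozenset({"Group2"})),
]
# Beyond the page's table: ECS1 gets a second ENI that is a member of Group2,
# so ECS1 and ECS2 become reachable although Group1 still isolates eni-1.
ENIS_WITH_SECOND_ENI = ENIS + [ENI("eni-4", "ECS1", frozenset({"Group2"}))]

if __name__ == "__main__":
    for enis in (ENIS, ENIS_WITH_SECOND_ENI):
        for pair in (("ECS1", "ECS2"), ("ECS2", "ECS3"), ("ECS1", "ECS3")):
            print(pair, instance_reachability(*pair, enis, GROUPS))
    print(modify_policy_params("cn-hangzhou", "sg-bp1example", "group isolation"))
```

The model deliberately returns "custom-rules" instead of guessing when a shared isolation group carries custom rules: the page only states that isolation applies when no custom rules exist, so the rules themselves must be read to know the outcome. Network ACLs are likewise not modelled; check them separately before relying on isolation.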

References

You can call the following API operation to modify the internal access control policy of a basic security group: ModifySecurityGroupPolicy.