Security groups are used to control network access to or from one or more Elastic Compute Service (ECS) instances. Security groups are an important component of security isolation and are used to logically isolate security domains in the cloud. Security group quintuple rules allow you to precisely control the following five elements: source IP address, source port, destination IP address, destination port, and transport layer protocol.

Background information

Previously, security group rules supported only the following settings:
  • Inbound security group rules: source IP address, destination port, and transport layer protocol.
  • Outbound security group rules: destination IP address, destination port, and transport layer protocol.
In most scenarios these rules are simple to configure, but they have the following limits:
  • You cannot specify a range of source ports in an inbound rule. The rule applies to inbound traffic from all source ports by default.
  • You cannot specify destination IP addresses in an inbound rule. The rule applies to inbound traffic destined for all IP addresses within the security group by default.
  • You cannot specify a range of source ports in an outbound rule. The rule applies to outbound traffic from all source ports by default.
  • You cannot specify source IP addresses in an outbound rule. The rule applies to outbound traffic from all IP addresses within the security group by default.

Definition

A quintuple rule includes the following parameters: source IP address, source port, destination IP address, destination port, and transport layer protocol.

Quintuple rules are fully compatible with existing security group rules: an existing rule is simply a quintuple rule in which the extra elements are left unspecified. Quintuple rules provide more fine-grained control over the preceding five elements.

Example quintuple outbound rule:
Source IP address: 172.16.1.0/32
Source port: 22
Destination IP address: 10.0.0.1/32
Destination port: not specified
Transport layer protocol: TCP
Action: Forbid

The example outbound rule denies TCP traffic sent from source port 22 of 172.16.1.0/32 to any port on 10.0.0.1/32. Note that the rule constrains the source port, not the destination port: a connection from 172.16.1.0/32 to port 22 on 10.0.0.1/32 is not matched unless its source port is also 22.
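To make the matching semantics concrete, the following is an added example (not code from the original page or from the cloud provider) that models the five elements as described above, treats an unspecified element as "matches anything", and evaluates the page's example outbound rule against two constructed flows. The rule representation, the "accept"/"drop" action names, and the first-match evaluation order with a caller-supplied default are assumptions of this example.

```python
"""Match a flow against quintuple rules (constructed example, not provider code).

Models only the five elements the page describes. An unspecified element
(None) matches anything, which is what "not specified" means in a rule.
"""
from dataclasses import dataclass
import ipaddress
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class QuintupleRule:
    protocol: str                                   # "tcp", "udp", "icmp" or "all"
    action: str                                     # "accept" or "drop" (assumed names)
    source_cidr: Optional[str] = None               # None: any source address
    source_ports: Optional[Tuple[int, int]] = None  # None: any source port
    dest_cidr: Optional[str] = None                 # None: any destination address
    dest_ports: Optional[Tuple[int, int]] = None    # None: any destination port


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _ip_in(ip: str, cidr: Optional[str]) -> bool:
    """Address check; an unspecified CIDR matches every address."""
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_in(port: int, port_range: Optional[Tuple[int, int]]) -> bool:
    """Port check; an unspecified range matches every port."""
    return port_range is None or port_range[0] <= port <= port_range[1]


def rule_matches(rule: QuintupleRule, flow: Flow) -> bool:
    """True when every specified element of the rule matches the flow."""
    return (
        rule.protocol in ("all", flow.protocol)
        and _ip_in(flow.src_ip, rule.source_cidr)
        and _port_in(flow.src_port, rule.source_ports)
        and _ip_in(flow.dst_ip, rule.dest_cidr)
        and _port_in(flow.dst_port, rule.dest_ports)
    )


def evaluate(rules: Iterable[QuintupleRule], flow: Flow, default: str = "accept") -> str:
    """First matching rule decides; rules are assumed to be pre-sorted by priority.
    The action for flows that match no rule is a caller-supplied assumption."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default


# The page's example outbound rule: TCP, source 172.16.1.0/32 port 22,
# destination 10.0.0.1/32, destination port unspecified, action Forbid.
PAGE_EXAMPLE_RULE = QuintupleRule(
    protocol="tcp", action="drop",
    source_cidr="172.16.1.0/32", source_ports=(22, 22),
    dest_cidr="10.0.0.1/32", dest_ports=None,
)

# Constructed flows: the rule constrains the *source* port, so only the first is denied.
FLOW_FROM_PORT_22 = Flow("tcp", "172.16.1.0", 22, "10.0.0.1", 51000)
FLOW_TO_PORT_22 = Flow("tcp", "172.16.1.0", 51000, "10.0.0.1", 22)

if __name__ == "__main__":
    for flow in (FLOW_FROM_PORT_22, FLOW_TO_PORT_22):
        print(flow, "->", evaluate([PAGE_EXAMPLE_RULE], flow))
```

Running the block shows the first flow dropped and the second accepted under the default, which is the distinction a reviewer should check whenever a rule carries a source port: a quintuple rule written to block SSH must constrain the destination port, not the source port.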

Scenarios

  • Some platform products rely on third-party vendor solutions to deliver network services to users. To prevent these products from gaining unauthorized access to the users' ECS instances, quintuple rules are required to control inbound and outbound traffic more precisely.
  • If the ECS instances in a security group are isolated from each other and you want to allow only specified ECS instances to communicate with each other, you must configure quintuple rules.

Configure quintuple rules

You can call API operations to configure quintuple rules.

To configure quintuple rules in the ECS console, submit a ticket.

Parameters

The following table describes the parameters of security group rules.
SecurityGroupId
  In inbound rules: The ID of the security group to which the current inbound rule belongs. This is the ID of the destination security group.
  In outbound rules: The ID of the security group to which the current outbound rule belongs. This is the ID of the source security group.

DestCidrIp
  In inbound rules: Optional. The range of destination IP addresses.
    • If DestCidrIp is specified, the inbound rule controls traffic to the specified range of destination IP addresses.
    • If DestCidrIp is not specified, the inbound rule controls traffic to all IP addresses within the security group specified by SecurityGroupId.
  In outbound rules: The range of destination IP addresses. You must specify either DestGroupId or DestCidrIp. If you specify both parameters, DestCidrIp takes priority.

PortRange
  In inbound rules: Required. The range of destination ports.
  In outbound rules: Required. The range of destination ports.

DestGroupId
  In inbound rules: This parameter cannot be manually specified. The value of DestGroupId must be the same as that of SecurityGroupId.
  In outbound rules: The ID of the destination security group. You must specify either DestGroupId or DestCidrIp. If you specify both parameters, DestCidrIp takes priority.

SourceGroupId
  In inbound rules: The ID of the source security group. You must specify either SourceGroupId or SourceCidrIp. If you specify both parameters, SourceCidrIp takes priority.
  In outbound rules: This parameter cannot be manually specified. The value of SourceGroupId must be the same as that of SecurityGroupId.

SourceCidrIp
  In inbound rules: The range of source IP addresses. You must specify either SourceGroupId or SourceCidrIp. If you specify both parameters, SourceCidrIp takes priority.
  In outbound rules: Optional. The range of source IP addresses.
    • If SourceCidrIp is specified, the outbound rule controls traffic from the specified range of source IP addresses.
    • If SourceCidrIp is not specified, the outbound rule controls traffic from all IP addresses within the security group specified by SecurityGroupId.

SourcePortRange
  In inbound rules: Optional. The range of source ports. If this parameter is not specified, no source ports are restricted.
  In outbound rules: Optional. The range of source ports. If this parameter is not specified, no source ports are restricted.
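The parameter table above has several cross-field constraints (one of the two source or destination selectors is required, the CIDR selector wins when both are given, and the group selector on the rule's own side may not be set by hand). The following added example, which is not the cloud provider's SDK, encodes those constraints as a validating builder and uses it to produce the parameter set for the page's example outbound rule. Assumptions not stated on the page: the resulting dictionary is meant for the AuthorizeSecurityGroup (inbound) or AuthorizeSecurityGroupEgress (outbound) API operation, the policy values are "accept" and "drop" (the page's "Forbid" is mapped to "drop"), port ranges are written as "start/end", and "-1/-1" expresses "all ports"; the security group ID is a placeholder.

```python
"""Validating builder for quintuple security group rule parameters.

Constructed example encoding the parameter table above; not provider code.
Assumed (not on the page): Policy values "accept"/"drop", port ranges as
"start/end", "-1/-1" meaning all ports, and the AuthorizeSecurityGroup /
AuthorizeSecurityGroupEgress operations as the consumers of the output.
"""
import re
from typing import Dict, Optional

_PORT_RANGE = re.compile(r"^(-1|\d{1,5})/(-1|\d{1,5})$")


def _check_port_range(name: str, value: str) -> None:
    """Reject malformed ranges early; "-1/-1" is the assumed wildcard."""
    m = _PORT_RANGE.match(value)
    if not m:
        raise ValueError(f"{name} must look like 'start/end' or '-1/-1', got {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if (lo, hi) != (-1, -1) and not (1 <= lo <= hi <= 65535):
        raise ValueError(f"{name} has an invalid range {value!r}")


def build_rule_params(
    direction: str,
    security_group_id: str,
    ip_protocol: str,
    port_range: str,                       # destination ports, required both ways
    policy: str,
    source_cidr_ip: Optional[str] = None,
    source_group_id: Optional[str] = None,
    source_port_range: Optional[str] = None,
    dest_cidr_ip: Optional[str] = None,
    dest_group_id: Optional[str] = None,
) -> Dict[str, str]:
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    _check_port_range("PortRange", port_range)
    if source_port_range is not None:
        _check_port_range("SourcePortRange", source_port_range)

    params = {
        "SecurityGroupId": security_group_id,
        "IpProtocol": ip_protocol,
        "PortRange": port_range,
        "Policy": policy,
    }
    if source_port_range is not None:       # optional in both directions
        params["SourcePortRange"] = source_port_range

    if direction == "inbound":
        # Source selector required; CIDR takes priority over group when both given.
        if source_cidr_ip is None and source_group_id is None:
            raise ValueError("inbound rule needs SourceCidrIp or SourceGroupId")
        # DestGroupId is implied by SecurityGroupId and cannot differ from it.
        if dest_group_id not in (None, security_group_id):
            raise ValueError("DestGroupId of an inbound rule must equal SecurityGroupId")
        if source_cidr_ip is not None:
            params["SourceCidrIp"] = source_cidr_ip
        else:
            params["SourceGroupId"] = source_group_id
        if dest_cidr_ip is not None:         # optional narrowing of the destination side
            params["DestCidrIp"] = dest_cidr_ip
    else:
        # Mirror image: destination selector required, source group implied.
        if dest_cidr_ip is None and dest_group_id is None:
            raise ValueError("outbound rule needs DestCidrIp or DestGroupId")
        if source_group_id not in (None, security_group_id):
            raise ValueError("SourceGroupId of an outbound rule must equal SecurityGroupId")
        if dest_cidr_ip is not None:
            params["DestCidrIp"] = dest_cidr_ip
        else:
            params["DestGroupId"] = dest_group_id
        if source_cidr_ip is not None:       # optional narrowing of the source side
            params["SourceCidrIp"] = source_cidr_ip
    return params


# The page's example outbound rule, with a placeholder security group ID.
PAGE_EXAMPLE_PARAMS = build_rule_params(
    direction="outbound",
    security_group_id="sg-EXAMPLE-PLACEHOLDER",
    ip_protocol="tcp",
    port_range="-1/-1",                      # "Destination port: not specified"
    policy="drop",                           # the page's "Forbid"
    source_cidr_ip="172.16.1.0/32",
    source_port_range="22/22",
    dest_cidr_ip="10.0.0.1/32",
)

if __name__ == "__main__":
    for key, value in PAGE_EXAMPLE_PARAMS.items():
        print(f"{key}={value}")
```

The builder deliberately drops the group selector when a CIDR is also supplied, mirroring the table's "takes priority" wording, so that a reviewer reading the emitted parameters sees exactly the selector that will take effect rather than two that look like they both apply.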