Security groups are used to set network access control for one or more ECS instances. As an important means of security isolation, security groups allow you to divide security domains on the cloud. Security group quintuple rules let you precisely control the following five parameters: the source IP address, source port, destination IP address, destination port, and transport layer protocol.

Background information

Previously, security group rules had the following characteristics:
  • Ingress rules supported only the source IP address, the destination port, and the transport layer protocol.
  • Egress rules supported only the destination IP address, the destination port, and the transport layer protocol.
In most scenarios these rules keep setup simple, but they have the following limitations:
  • The source port range of an ingress rule cannot be restricted: all source ports are permitted by default.
  • The destination IP address of an ingress rule cannot be restricted: the rule applies to all IP addresses in the security group.
  • The source port range of an egress rule cannot be restricted: all source ports are permitted by default.
  • The source IP address of an egress rule cannot be restricted: the rule applies to all IP addresses in the security group.

Definition of a quintuple rule

A quintuple rule includes the following parameters: a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol.

Quintuple rules provide finer-grained control over these five parameters while remaining fully compatible with existing security group rules: an existing rule is simply a quintuple rule whose unspecified fields are left unrestricted.

The following is an example egress quintuple rule:
Source IP address: 172.16.1.0/32
Source port: 22
Destination IP address: 10.0.0.1/32
Destination port: no restriction
Transport layer protocol: TCP
Action: Drop

This egress rule drops TCP traffic sent from port 22 of 172.16.1.0/32 to any port of 10.0.0.1/32. Because the destination port is unrestricted, the rule is keyed on the source port: traffic from the same host that uses any other source port is not affected by it.
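To make the field semantics above concrete, the following Python matcher is an added example; it is not code from this page or from the cloud provider. It models a quintuple rule with None meaning "no restriction", evaluates the page's example drop rule against constructed packets, and shows that a legacy egress rule (destination IP address, destination port and protocol only) is the same structure with both source fields left unrestricted. First-match ordering and an explicit default action are simplifications of this model (assumptions), not the provider's evaluation semantics, and the sample addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass(frozen=True)
class QuintupleRule:
    """One security group rule. None in a field means 'no restriction'."""
    protocol: str                         # transport protocol, e.g. "tcp"
    action: str                           # "accept" or "drop"
    src_cidr: Optional[str] = None        # source IP range
    src_port: Optional[PortRange] = None  # source port range
    dst_cidr: Optional[str] = None        # destination IP range
    dst_port: Optional[PortRange] = None  # destination port range


@dataclass(frozen=True)
class Packet:
    """The five parameters a quintuple rule inspects, for one packet."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


def _cidr_covers(ip: str, cidr: Optional[str]) -> bool:
    return cidr is None or ip_address(ip) in ip_network(cidr, strict=False)


def _range_covers(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: QuintupleRule, pkt: Packet) -> bool:
    """True when every restricted field of the rule covers the packet."""
    return (
        rule.protocol == pkt.protocol
        and _cidr_covers(pkt.src_ip, rule.src_cidr)
        and _range_covers(pkt.src_port, rule.src_port)
        and _cidr_covers(pkt.dst_ip, rule.dst_cidr)
        and _range_covers(pkt.dst_port, rule.dst_port)
    )


def evaluate(rules: Iterable[QuintupleRule], pkt: Packet, default: str) -> str:
    """Action of the first matching rule, else the caller-supplied default.

    First-match ordering and an explicit default are assumptions of this
    model; the real service orders rules by priority.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# The page's example egress rule: drop TCP from 172.16.1.0/32, source port 22,
# to 10.0.0.1/32 on any destination port.
EXAMPLE_DROP = QuintupleRule(
    protocol="tcp", action="drop",
    src_cidr="172.16.1.0/32", src_port=(22, 22),
    dst_cidr="10.0.0.1/32", dst_port=None,
)

# A legacy-style egress rule (destination IP, destination port, protocol only):
# the same structure with both source fields left unrestricted.
LEGACY_ALLOW_HTTPS = QuintupleRule(
    protocol="tcp", action="accept", dst_cidr="10.0.0.1/32", dst_port=(443, 443),
)


def decide(pkt: Packet) -> str:
    """Evaluate a packet against the two rules above; drop when nothing matches."""
    return evaluate([EXAMPLE_DROP, LEGACY_ALLOW_HTTPS], pkt, default="drop")


if __name__ == "__main__":
    # Constructed sample packets; the addresses are not from a real network.
    samples = [
        Packet("172.16.1.0", 22, "10.0.0.1", 443, "tcp"),    # hits the drop rule
        Packet("172.16.1.0", 2222, "10.0.0.1", 443, "tcp"),  # other source port: legacy rule accepts
        Packet("192.168.5.7", 22, "10.0.0.1", 443, "tcp"),   # other source host: legacy rule accepts
        Packet("172.16.1.0", 22, "10.0.0.1", 443, "udp"),    # other protocol: no rule, default drop
    ]
    for s in samples:
        print(s, "->", decide(s))
```

The second and third samples show why the extra fields matter: the legacy rule alone admits the traffic from port 22 of 172.16.1.0 as readily as from any other source, and only the source IP and source port restrictions of the quintuple rule single it out.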

Scenarios

  • Some platform products are connected to third-party vendor solutions in order to provide them with network services. To prevent those products from accessing users' ECS instances without authorization, set quintuple rules in the security group so that inbound and outbound traffic is controlled more precisely.

  • If the instances in a security group are isolated from each other by the group's configuration and you want to control access between specific ECS instances in that group precisely, quintuple rules let you express exactly which source and destination may talk, on which ports.

How to configure quintuple rules

You can use OpenAPI to set quintuple rules.

Parameters

The following describes each parameter, first as it applies to an ingress rule and then as it applies to an egress rule.

SecurityGroupId
  • Ingress rule: the ID of the security group to which the rule belongs, that is, the destination security group.
  • Egress rule: the ID of the security group to which the rule belongs, that is, the source security group.

DestCidrIp
  • Ingress rule: destination IP address range; optional. If DestCidrIp is specified, the rule applies only to that destination range. If it is not specified, the destination range is all IP addresses in the security group identified by SecurityGroupId.
  • Egress rule: destination IP address range. Either DestGroupId or DestCidrIp must be specified. If both are specified, DestCidrIp takes priority.

PortRange
  • Ingress rule: destination port range; required.
  • Egress rule: destination port range; required.

DestGroupId
  • Ingress rule: not allowed. The destination security group of an ingress rule is always the group identified by SecurityGroupId.
  • Egress rule: the destination security group ID. Either DestGroupId or DestCidrIp must be specified. If both are specified, DestCidrIp takes priority.

SourceGroupId
  • Ingress rule: the source security group ID. Either SourceGroupId or SourceCidrIp must be specified. If both are specified, SourceCidrIp takes priority.
  • Egress rule: not allowed. The source security group of an egress rule is always the group identified by SecurityGroupId.

SourceCidrIp
  • Ingress rule: source IP address range. Either SourceGroupId or SourceCidrIp must be specified. If both are specified, SourceCidrIp takes priority.
  • Egress rule: source IP address range; optional. If SourceCidrIp is specified, the rule applies only to that source range. If it is not specified, the source range is all IP addresses in the security group identified by SecurityGroupId.

SourcePortRange
  • Ingress rule: source port range; optional. If it is not specified, source ports are not restricted.
  • Egress rule: source port range; optional. If it is not specified, source ports are not restricted.

Because a CIDR takes priority over a group ID whenever both are supplied, pass only the one you intend to take effect; a request that carries both has its group ID ignored rather than rejected.
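The following Python helper is an added example, not code from this page or the provider's SDK. It assembles the request parameters for one quintuple rule using the parameter names in the table above and enforces the table's required, optional and not-allowed constraints locally before anything is sent, so a mis-specified rule fails in your tooling rather than being accepted with a field silently ignored. The surrounding API call (AuthorizeSecurityGroup for ingress, AuthorizeSecurityGroupEgress for egress, with the IpProtocol and Policy parameters), the "low/high" port range syntax and the placeholder group IDs are assumptions drawn from the ECS API rather than from this page; the SDK call itself is omitted so the example runs offline.

```python
from typing import Dict, Optional


class RuleParameterError(ValueError):
    """Raised when a parameter combination the table forbids is requested."""


def build_rule_params(
    direction: str,
    security_group_id: str,
    ip_protocol: str,
    port_range: str,
    policy: str = "accept",
    source_cidr_ip: Optional[str] = None,
    source_group_id: Optional[str] = None,
    source_port_range: Optional[str] = None,
    dest_cidr_ip: Optional[str] = None,
    dest_group_id: Optional[str] = None,
) -> Dict[str, str]:
    """Return the request parameters for one quintuple rule.

    Parameter names follow the table on this page. IpProtocol and Policy,
    and the "low/high" port range syntax, are assumed from the ECS API.
    """
    if direction not in ("ingress", "egress"):
        raise RuleParameterError("direction must be 'ingress' or 'egress'")
    if not port_range:
        raise RuleParameterError("PortRange (destination port range) is required")
    params = {
        "SecurityGroupId": security_group_id,
        "IpProtocol": ip_protocol,
        "PortRange": port_range,
        "Policy": policy,
    }
    if direction == "ingress":
        # The destination group of an ingress rule is always SecurityGroupId.
        if dest_group_id is not None:
            raise RuleParameterError("DestGroupId is not allowed in an ingress rule")
        if source_cidr_ip is None and source_group_id is None:
            raise RuleParameterError("an ingress rule needs SourceCidrIp or SourceGroupId")
        if source_cidr_ip is not None:
            params["SourceCidrIp"] = source_cidr_ip  # takes priority over SourceGroupId
        else:
            params["SourceGroupId"] = source_group_id
        if dest_cidr_ip is not None:
            params["DestCidrIp"] = dest_cidr_ip  # optional: narrow the destination inside the group
    else:
        # The source group of an egress rule is always SecurityGroupId.
        if source_group_id is not None:
            raise RuleParameterError("SourceGroupId is not allowed in an egress rule")
        if dest_cidr_ip is None and dest_group_id is None:
            raise RuleParameterError("an egress rule needs DestCidrIp or DestGroupId")
        if dest_cidr_ip is not None:
            params["DestCidrIp"] = dest_cidr_ip  # takes priority over DestGroupId
        else:
            params["DestGroupId"] = dest_group_id
        if source_cidr_ip is not None:
            params["SourceCidrIp"] = source_cidr_ip  # optional: narrow the source inside the group
    if source_port_range is not None:
        params["SourcePortRange"] = source_port_range  # optional in both directions
    return params


def rule_error(**kwargs) -> Optional[str]:
    """Return the constraint violation for a parameter set, or None if it is valid."""
    try:
        build_rule_params(**kwargs)
    except RuleParameterError as exc:
        return str(exc)
    return None


def example_drop_rule_params(security_group_id: str = "sg-example") -> Dict[str, str]:
    """The page's example egress rule as request parameters.

    "1/65535" as the unrestricted TCP destination port range and the group ID
    are placeholders (assumptions), not values stated on this page.
    """
    return build_rule_params(
        "egress", security_group_id, ip_protocol="tcp", port_range="1/65535",
        policy="drop", source_cidr_ip="172.16.1.0/32", source_port_range="22/22",
        dest_cidr_ip="10.0.0.1/32",
    )


if __name__ == "__main__":
    print(example_drop_rule_params())
```

When both a CIDR and a group ID are supplied for the same side, the builder keeps only the CIDR, mirroring the priority the table states, so the request that leaves your code never carries a field the service would discard.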