Security groups are used to configure network access control for one or more ECS instances. As an important means of security isolation, security groups logically isolate security domains on the cloud. Security group quintuple rules allow you to precisely control the following five parameters: source IP address, source port, destination IP address, destination port, and transport layer protocol.

Background information

Previously, security group rules had the following characteristics:
  • The inbound rules support only the settings of the source IP address, destination port, and transport layer protocol.
  • The outbound rules support only the settings of the destination IP address, destination port, and transport layer protocol.
These rules are simple to configure and sufficient in most scenarios, but they have the following drawbacks:
  • You cannot specify a range of source ports in an inbound rule. Inbound traffic from all source ports is allowed by default.
  • You cannot specify the destination IP address in an inbound rule. Inbound traffic to all IP addresses within the security group is allowed by default.
  • You cannot specify a range of source ports in an outbound rule. Outbound traffic from all source ports is allowed by default.
  • You cannot specify the source IP address in an outbound rule. Outbound traffic from all IP addresses within the security group is allowed by default.

Definition

A quintuple rule includes the following parameters: source IP address, source port, destination IP address, destination port, and transport layer protocol.

Quintuple rules are designed to provide more fine-grained control over the preceding five parameters while remaining fully compatible with existing security group rules.

Example quintuple outbound rule:
Source IP address: 172.16.1.0/32
Source port: 22
Destination IP address: 10.0.0.1/32
Destination port: no restriction
Transport layer protocol: TCP
Action: Forbid

The example outbound rule denies TCP traffic sent from 172.16.1.0/32 with source port 22 to 10.0.0.1/32 on any destination port.

Scenarios

  • Some platform products use solutions from third-party vendors to provide network services to users. To prevent unauthorized access from these products to the users' ECS instances, quintuple rules are required to control inbound and outbound traffic more precisely.
  • If ECS instances in a security group are configured to be isolated from each other and you want to allow specified ECS instances to communicate with each other, you must configure quintuple rules.

Configure quintuple rules

You can call API operations to configure quintuple rules.

Parameters

The following table describes the parameters of security group rules.
Parameter: SecurityGroupId
  Inbound rules: The ID of the security group to which the inbound rule belongs. This is the ID of the destination security group.
  Outbound rules: The ID of the security group to which the outbound rule belongs. This is the ID of the source security group.

Parameter: DestCidrIp
  Inbound rules: Optional. The range of destination IP addresses.
    • If DestCidrIp is specified, the destination IP addresses of the inbound rule are restricted to that range.
    • If DestCidrIp is not specified, the inbound rule applies to all IP addresses in the security group specified by SecurityGroupId.
  Outbound rules: The range of destination IP addresses. You must specify either DestGroupId or DestCidrIp. If you specify both, DestCidrIp takes priority.

Parameter: PortRange
  Inbound rules: Required. The range of destination ports.
  Outbound rules: Required. The range of destination ports.

Parameter: DestGroupId
  Inbound rules: Manual input is not allowed. The value of DestGroupId must be the same as that of SecurityGroupId.
  Outbound rules: The ID of the destination security group. You must specify either DestGroupId or DestCidrIp. If you specify both, DestCidrIp takes priority.

Parameter: SourceGroupId
  Inbound rules: The ID of the source security group. You must specify either SourceGroupId or SourceCidrIp. If you specify both, SourceCidrIp takes priority.
  Outbound rules: Manual input is not allowed. The value of SourceGroupId must be the same as that of SecurityGroupId.

Parameter: SourceCidrIp
  Inbound rules: The range of source IP addresses. You must specify either SourceGroupId or SourceCidrIp. If you specify both, SourceCidrIp takes priority.
  Outbound rules: Optional. The range of source IP addresses.
    • If SourceCidrIp is specified, the source IP addresses of the outbound rule are restricted to that range.
    • If SourceCidrIp is not specified, the outbound rule applies to all IP addresses in the security group specified by SecurityGroupId.

Parameter: SourcePortRange
  Inbound rules: Optional. The range of source ports. If this parameter is not specified, source ports are not restricted.
  Outbound rules: Optional. The range of source ports. If this parameter is not specified, source ports are not restricted.
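The following Python helper is an added example, not code from this page or from the ECS API documentation. It assembles the outbound quintuple rule from the Definition section using the parameter names in the table above, enforcing the table's constraints (DestCidrIp or DestGroupId required, DestCidrIp taking priority, SourceGroupId fixed to the rule's own group), and then evaluates which flows that rule would match. It assumes the operation name AuthorizeSecurityGroupEgress, the Policy values accept/drop, and "1/65535" as the way to express "no port restriction"; sg-EXAMPLE is a placeholder.

```python
import ipaddress

# Assumed, not stated on the page: the outbound operation is named
# AuthorizeSecurityGroupEgress, Policy is "accept" or "drop", "1/65535" = any port.
EGRESS_OP = "AuthorizeSecurityGroupEgress"

def parse_port_range(spec):
    """Turn 'lo/hi' (for example '22/22') into the tuple (lo, hi)."""
    lo, hi = (int(p) for p in spec.split("/"))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi

def build_egress_rule(sg_id, proto, port_range, dest_cidr=None, dest_group=None,
                      source_cidr=None, source_port_range=None, policy="drop"):
    """Assemble one outbound quintuple rule under the table's constraints:
    DestCidrIp or DestGroupId is required (DestCidrIp wins when both are given),
    SourceGroupId always equals the rule's own group, the source fields are optional."""
    if dest_cidr is None and dest_group is None:
        raise ValueError("an outbound rule needs DestCidrIp or DestGroupId")
    src_ports = source_port_range or "1/65535"       # unset = no source port restriction
    for spec in (port_range, src_ports):
        parse_port_range(spec)                       # reject typos before the API call
    params = {"Action": EGRESS_OP, "SecurityGroupId": sg_id, "SourceGroupId": sg_id,
              "IpProtocol": proto, "PortRange": port_range,
              "SourcePortRange": src_ports, "Policy": policy}
    if dest_cidr is not None:
        ipaddress.ip_network(dest_cidr)              # raises on a malformed CIDR
        params["DestCidrIp"] = dest_cidr             # takes priority over DestGroupId
    else:
        params["DestGroupId"] = dest_group
    if source_cidr is not None:
        ipaddress.ip_network(source_cidr)
        params["SourceCidrIp"] = source_cidr         # unset = any address in the group
    return params

def egress_rule_matches(params, src_ip, src_port, dst_ip, dst_port, proto):
    """Evaluate a rule against one flow. A DestGroupId target cannot be resolved
    offline, so such rules never match here; no SourceCidrIp matches any source."""
    if params["IpProtocol"] != proto or "DestCidrIp" not in params:
        return False
    dlo, dhi = parse_port_range(params["PortRange"])
    slo, shi = parse_port_range(params["SourcePortRange"])
    if not (dlo <= dst_port <= dhi and slo <= src_port <= shi):
        return False
    src_ok = ("SourceCidrIp" not in params or
              ipaddress.ip_address(src_ip) in ipaddress.ip_network(params["SourceCidrIp"]))
    return src_ok and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(params["DestCidrIp"])
```

Building the page's example rule with `build_egress_rule("sg-EXAMPLE", "tcp", "1/65535", dest_cidr="10.0.0.1/32", source_cidr="172.16.1.0/32", source_port_range="22/22")` and then calling `egress_rule_matches` shows that only TCP flows from 172.16.1.0 with source port 22 to 10.0.0.1 are caught by the drop rule; a different source port, source address, destination address or protocol falls through.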