
Elastic Compute Service:Security group quintuple rules

Last Updated:Mar 29, 2024

Security groups control network access to and from one or more Elastic Compute Service (ECS) instances and are an important component of security isolation in the cloud. Security group quintuple rules let you manage network traffic in a fine-grained manner by controlling all five elements of a flow: source IP address, source port, destination IP address, destination port, and transport layer protocol. This topic describes the definition, scenarios, configuration methods, and parameters of security group quintuple rules.

Background information

Previously, security group rules supported only the following configurations:

  • Inbound security group rules allow you to configure only the source IP address, destination port, and transport layer protocol parameters.

  • Outbound security group rules allow you to configure only the destination IP address, destination port, and transport layer protocol parameters.

These rules are simple to configure but have the following limits:

  • You cannot specify a range of source ports in an inbound rule. Inbound traffic from any source port is allowed.

  • You cannot specify destination IP addresses in an inbound rule. Inbound traffic is allowed to every instance in the security group, not only to specific instances.

  • You cannot specify a range of source ports in an outbound rule. Outbound traffic from any source port is allowed.

  • You cannot specify source IP addresses in an outbound rule. Outbound traffic from every instance in the security group is allowed, not only from specific instances.

Definition

A quintuple rule includes the following parameters: source IP address, source port, destination IP address, destination port, and transport layer protocol.

Quintuple rules are fully compatible with existing security group rules: an existing rule is simply a quintuple rule in which the source port and one of the two IP address ranges are left unspecified. Quintuple rules add control over the two elements that existing rules cannot express.

Sample quintuple outbound rule:

Source IP address: 172.16.1.0/32
Source port: 22
Destination IP address: 10.0.0.1/32
Destination port: not specified
Transport layer protocol: TCP
Action: Drop

The sample outbound rule drops TCP traffic that leaves 172.16.1.0/32 from source port 22 and is destined for 10.0.0.1/32 on any destination port. Note that the port constraint is on the source port, so this rule matches traffic sent by a service listening on port 22 of 172.16.1.0, not connection attempts to port 22 on 10.0.0.1 (which use an ephemeral source port). To block SSH access to 10.0.0.1, specify 22 as the destination port instead.
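The following Python model shows how the five elements are matched and what "not specified" means for a port range or address range. It is an added example, not code from this topic or from the ECS API: the QuintupleRule class, the flow tuple layout, and the first-match evaluate() function are simplifications (ECS orders rules by priority, which this model ignores). The flows are constructed; the first rule is the sample outbound rule above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A flow is the five elements a quintuple rule controls, in the order
# (source IP, source port, destination IP, destination port, protocol).
Flow = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class QuintupleRule:
    """Constructed model of one quintuple rule (not an ECS API object).

    None for a CIDR or a port range means "not specified"; the rule then
    places no constraint on that element. In a real inbound rule an
    unspecified DestCidrIp means every instance in the security group;
    this matcher only sees single flows, so "no constraint" is the equivalent.
    """
    protocol: str                                  # "TCP", "UDP", "ICMP" or "ALL"
    action: str                                    # "Accept" or "Drop"
    source_cidr: Optional[str] = None
    source_port_range: Optional[Tuple[int, int]] = None
    dest_cidr: Optional[str] = None
    dest_port_range: Optional[Tuple[int, int]] = None

    def matches(self, flow: Flow) -> bool:
        src_ip, src_port, dst_ip, dst_port, proto = flow
        if self.protocol != "ALL" and self.protocol != proto.upper():
            return False
        return (_in_cidr(src_ip, self.source_cidr)
                and _in_range(src_port, self.source_port_range)
                and _in_cidr(dst_ip, self.dest_cidr)
                and _in_range(dst_port, self.dest_port_range))


def _in_cidr(ip: str, cidr: Optional[str]) -> bool:
    if cidr is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _in_range(port: int, port_range: Optional[Tuple[int, int]]) -> bool:
    if port_range is None:
        return True
    low, high = port_range
    return low <= port <= high


def evaluate(rules: List[QuintupleRule], flow: Flow, default: str = "Accept") -> str:
    """Return the action of the first rule that matches the flow.

    Assumption: the list is already ordered by priority. This is a reading
    aid, not a reimplementation of how ECS orders and evaluates rules.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# The sample outbound rule from this topic.
SAMPLE_OUTBOUND_DROP = QuintupleRule(
    protocol="TCP",
    action="Drop",
    source_cidr="172.16.1.0/32",
    source_port_range=(22, 22),
    dest_cidr="10.0.0.1/32",
    dest_port_range=None,          # "not specified": any destination port
)

# The rule an administrator wants if the goal is "no SSH to 10.0.0.1".
SSH_TO_HOST_DROP = QuintupleRule(
    protocol="TCP",
    action="Drop",
    source_cidr="172.16.1.0/32",
    dest_cidr="10.0.0.1/32",
    dest_port_range=(22, 22),      # constraint on the destination port
)


if __name__ == "__main__":
    # Constructed flows. An SSH client picks an ephemeral source port, so the
    # second flow is a real SSH connection attempt; the first is traffic
    # leaving port 22, i.e. an SSH server on 172.16.1.0 replying.
    from_port_22 = ("172.16.1.0", 22, "10.0.0.1", 51000, "TCP")
    ssh_attempt = ("172.16.1.0", 51000, "10.0.0.1", 22, "TCP")
    for name, flow in (("from_port_22", from_port_22), ("ssh_attempt", ssh_attempt)):
        print(name,
              "sample rule:", evaluate([SAMPLE_OUTBOUND_DROP], flow),
              "dest-port rule:", evaluate([SSH_TO_HOST_DROP], flow))
```

Running the block shows the sample rule dropping only the flow that originates from port 22 and accepting the actual SSH attempt, while the destination-port rule does the opposite. The difference is entirely in which of the five elements carries the constraint.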

Scenarios

  • Some platform products rely on third-party vendors to provide network services to users. To prevent these products from accessing the users' ECS instances beyond what they are authorized for, inbound and outbound traffic must be controlled in a more fine-grained manner than existing rules allow, which requires quintuple rules.

  • If the ECS instances in a security group are isolated from each other and you want to allow only specific instances in the group to communicate with each other, you must configure quintuple rules that name both the source and the destination instance.

Configure quintuple rules

Quintuple rules are configured by calling the security group rule API operations. The parameters that these operations accept are described in the Parameters section below.

Note

To configure quintuple rules in the ECS console, submit a ticket.

Parameters

The following table describes the parameters of security group rules. For each parameter, the first description applies to inbound rules and the second to outbound rules.

Parameter: SecurityGroupId

  • Inbound rules: The ID of the security group to which the inbound rule belongs. This is the destination security group.

  • Outbound rules: The ID of the security group to which the outbound rule belongs. This is the source security group.

Parameter: DestCidrIp

  • Inbound rules: Optional. The range of destination IP addresses. If DestCidrIp is specified, the inbound rule controls traffic to the specified range of destination IP addresses. If DestCidrIp is not specified, the inbound rule controls traffic to all IP addresses within the security group specified by SecurityGroupId.

  • Outbound rules: The range of destination IP addresses. You must specify either DestGroupId or DestCidrIp. If you specify both parameters, DestCidrIp takes priority.

Parameter: PortRange

  • Inbound rules: Required. The range of destination ports.

  • Outbound rules: Required. The range of destination ports.

Parameter: DestGroupId

  • Inbound rules: This parameter cannot be manually specified. The value of DestGroupId must be the same as that of SecurityGroupId.

  • Outbound rules: The ID of the destination security group. You must specify either DestGroupId or DestCidrIp. If you specify both parameters, DestCidrIp takes priority.

Parameter: SourceGroupId

  • Inbound rules: The ID of the source security group. You must specify either SourceGroupId or SourceCidrIp. If you specify both parameters, SourceCidrIp takes priority.

  • Outbound rules: This parameter cannot be manually specified. The value of SourceGroupId must be the same as that of SecurityGroupId.

Parameter: SourceCidrIp

  • Inbound rules: The range of source IP addresses. You must specify either SourceGroupId or SourceCidrIp. If you specify both parameters, SourceCidrIp takes priority.

  • Outbound rules: Optional. The range of source IP addresses. If SourceCidrIp is specified, the outbound rule controls traffic from the specified range of source IP addresses. If SourceCidrIp is not specified, the outbound rule controls traffic from all IP addresses within the security group specified by SecurityGroupId.

Parameter: SourcePortRange

  • Inbound rules: Optional. The range of source ports. If this parameter is left empty, no source ports are restricted.

  • Outbound rules: Optional. The range of source ports. If this parameter is left empty, no source ports are restricted.
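The following Python helper assembles the parameter set for one quintuple rule and enforces the constraints in the table above (required PortRange, the "either group ID or CIDR" requirement, CIDR taking priority over a group ID, and the group ID that cannot be chosen in each direction). It also produces the rule for the isolation scenario described earlier, allowing one instance to reach SSH on another instance in the same otherwise-isolated group. This is an added example, not code from this topic or from an Alibaba Cloud SDK. Names not taken from this topic and treated as assumptions: the operation names AuthorizeSecurityGroup (inbound) and AuthorizeSecurityGroupEgress (outbound), the IpProtocol and Policy parameter names, and the "start/end" port range format. The security group IDs and addresses are constructed.

```python
import re
from typing import Dict, Optional


class RuleSpecError(ValueError):
    """Raised when a rule violates the parameter constraints in the table above."""


# Assumption: port ranges are written "start/end", e.g. "22/22" or "1/65535",
# with "-1/-1" meaning all ports.
_PORT_RANGE = re.compile(r"^(-1|\d{1,5})/(-1|\d{1,5})$")


def _check_port_range(name: str, value: str) -> None:
    m = _PORT_RANGE.match(value)
    if not m:
        raise RuleSpecError(f"{name} must look like start/end, got {value!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if (start == -1) != (end == -1):
        raise RuleSpecError(f"{name}: -1 must be used on both sides")
    if start != -1 and not (1 <= start <= end <= 65535):
        raise RuleSpecError(f"{name}: start must be <= end and within 1..65535")


def build_rule_params(
    direction: str,
    security_group_id: str,
    port_range: str,
    ip_protocol: str,
    policy: str = "accept",
    source_cidr_ip: Optional[str] = None,
    source_group_id: Optional[str] = None,
    dest_cidr_ip: Optional[str] = None,
    dest_group_id: Optional[str] = None,
    source_port_range: Optional[str] = None,
) -> Dict[str, str]:
    """Assemble the request parameters for one quintuple rule and reject
    combinations that the parameter table forbids.

    Assumed (not from this topic): the operation names AuthorizeSecurityGroup
    and AuthorizeSecurityGroupEgress and the IpProtocol / Policy names.
    """
    if direction not in ("inbound", "outbound"):
        raise RuleSpecError("direction must be 'inbound' or 'outbound'")
    if not port_range:
        raise RuleSpecError("PortRange is required")
    _check_port_range("PortRange", port_range)
    if source_port_range is not None:
        _check_port_range("SourcePortRange", source_port_range)

    params: Dict[str, str] = {
        "Action": "AuthorizeSecurityGroup" if direction == "inbound"
                  else "AuthorizeSecurityGroupEgress",
        "SecurityGroupId": security_group_id,
        "PortRange": port_range,
        "IpProtocol": ip_protocol,
        "Policy": policy,
    }
    if source_port_range is not None:      # optional in both directions
        params["SourcePortRange"] = source_port_range

    if direction == "inbound":
        # A source is required; a CIDR takes priority over a group ID, so only
        # the CIDR is emitted when both were supplied.
        if source_cidr_ip:
            params["SourceCidrIp"] = source_cidr_ip
        elif source_group_id:
            params["SourceGroupId"] = source_group_id
        else:
            raise RuleSpecError("inbound rule needs SourceCidrIp or SourceGroupId")
        # DestGroupId cannot be chosen; it is always the rule's own group.
        if dest_group_id not in (None, security_group_id):
            raise RuleSpecError("inbound rule: DestGroupId must equal SecurityGroupId")
        if dest_cidr_ip:                   # optional: narrow to specific instances
            params["DestCidrIp"] = dest_cidr_ip
    else:
        if dest_cidr_ip:
            params["DestCidrIp"] = dest_cidr_ip
        elif dest_group_id:
            params["DestGroupId"] = dest_group_id
        else:
            raise RuleSpecError("outbound rule needs DestCidrIp or DestGroupId")
        if source_group_id not in (None, security_group_id):
            raise RuleSpecError("outbound rule: SourceGroupId must equal SecurityGroupId")
        if source_cidr_ip:                 # optional: narrow to specific instances
            params["SourceCidrIp"] = source_cidr_ip
    return params


if __name__ == "__main__":
    # Constructed example for the isolation scenario: let 10.0.0.2 reach SSH on
    # 10.0.0.3 inside a group whose instances are otherwise isolated.
    print(build_rule_params("inbound", "sg-example", "22/22", "tcp",
                            source_cidr_ip="10.0.0.2/32", dest_cidr_ip="10.0.0.3/32"))
```

The resulting parameter dictionary is what you would sign and send as the request; the helper only fails fast on combinations that the API would reject or silently reinterpret, such as an inbound rule that names a foreign DestGroupId or supplies both SourceGroupId and SourceCidrIp without realizing the CIDR wins.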