Security groups are used to control network access to or from one or more Elastic Compute Service (ECS) instances. Security groups are an important component of security isolation in the cloud. Security group quintuple rules allow you to manage network traffic in a fine-grained manner by controlling the following five elements: source IP address, source port, destination IP address, destination port, and transport layer protocol. This topic describes the definition, scenarios, configuration methods, and parameters of security group quintuple rules.
Background information
Previously, security group rules were designed to support the following configurations:
Inbound security group rules allow you to configure only the source IP address, destination port, and transport layer protocol parameters.
Outbound security group rules allow you to configure only the destination IP address, destination port, and transport layer protocol parameters.
In most scenarios, security group rules provide simple configurations, but have the following limits:
You cannot specify a range of source ports in an inbound rule. By default, inbound traffic from all source ports is allowed.
You cannot specify destination IP addresses in an inbound rule. By default, inbound traffic to all IP addresses in a security group is allowed.
You cannot specify a range of source ports in an outbound rule. By default, outbound traffic from all source ports is allowed.
You cannot specify source IP addresses in an outbound rule. By default, outbound traffic from all IP addresses within a security group is allowed.
Definition
A quintuple rule includes the following parameters: source IP address, source port, destination IP address, destination port, and transport layer protocol.
Quintuple rules are fully compatible with existing security group rules. Quintuple rules provide more fine-grained control over the preceding five elements.
Sample quintuple outbound rule:
Source IP address: 172.16.1.0/32
Source port: 22
Destination IP address: 10.0.0.1/32
Destination port: not specified
Transport layer protocol: TCP
Action: Drop
The sample outbound rule indicates that TCP traffic from 172.16.1.0/32 with source port 22 to any port on 10.0.0.1/32 is denied.
Scenarios
Some platform products use solutions from third-party vendors to provide network services for users. To prevent unauthorized access from these products to ECS instances of the users, quintuple rules are required to control inbound and outbound traffic in a more fine-grained manner.
If ECS instances in a security group are configured to be isolated from each other and you want to allow specific ECS instances to communicate with each other, you must configure quintuple rules.
Configure quintuple rules
You can call the following API operations to configure quintuple rules:
To configure quintuple rules in the ECS console, submit a ticket.
Parameters
The following table describes the parameters of security group rules.
| Parameter | Description in inbound rules | Description in outbound rules |
|---|---|---|
| SecurityGroupId | The ID of the security group to which the current inbound rule belongs. This is the ID of the destination security group. | The ID of the security group to which the current outbound rule belongs. This is the ID of the source security group. |
| DestCidrIp | Optional. The range of destination IP addresses. | The range of destination IP addresses. You must specify either DestGroupId or DestCidrIp. If you specify both parameters, DestCidrIp takes priority. |
| PortRange | Required. The range of destination ports. | Required. The range of destination ports. |
| DestGroupId | This parameter cannot be manually specified. The value of DestGroupId must be the same as that of SecurityGroupId. | The ID of the destination security group. You must specify either DestGroupId or DestCidrIp. If you specify both parameters, DestCidrIp takes priority. |
| SourceGroupId | The ID of the source security group. You must specify either SourceGroupId or SourceCidrIp. If you specify both parameters, SourceCidrIp takes priority. | This parameter cannot be manually specified. The value of SourceGroupId must be the same as that of SecurityGroupId. |
| SourceCidrIp | The range of source IP addresses. You must specify either SourceGroupId or SourceCidrIp. If you specify both parameters, SourceCidrIp takes priority. | Optional. The range of source IP addresses. |
| SourcePortRange | Optional. The range of source ports. If this parameter is left empty, no source ports are restricted. | Optional. The range of source ports. If this parameter is left empty, no source ports are restricted. |
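The parameter constraints in the table and the matching semantics of the sample outbound rule above, as an added Python example that is not Alibaba Cloud's SDK or documentation code: build_rule_params assembles a rule with the table's parameter names and rejects the combinations the table forbids, and rule_matches evaluates a 5-tuple against it. The key names IpProtocol and Policy for the protocol and action, the "low/high" port-range format, and using 1/65535 to stand for an unspecified destination port are assumptions.

```python
import ipaddress

def _port_ok(spec, port):
    """True when port is inside a "low/high" range; an empty spec means no restriction."""
    if not spec:
        return True
    low, high = (int(p) for p in spec.split("/"))
    return low <= port <= high

def _cidr_ok(cidr, ip):
    """True when ip lies in cidr; an unset CIDR places no restriction."""
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def build_rule_params(direction, security_group_id, protocol, port_range, policy,
                      peer_cidr_ip=None, peer_group_id=None, own_cidr_ip=None,
                      source_port_range=None):
    """Assemble one quintuple rule with the table's parameter names: PortRange is required,
    the peer side needs a CIDR block or a group ID, and CIDR wins when both are given."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    if not port_range:
        raise ValueError("PortRange is required")
    if peer_cidr_ip is None and peer_group_id is None:
        raise ValueError("the peer needs either a CIDR block or a security group ID")
    peer, own = ("Source", "Dest") if direction == "inbound" else ("Dest", "Source")
    params = {"SecurityGroupId": security_group_id, "PortRange": port_range,
              "IpProtocol": protocol, "Policy": policy,   # assumed key names (not in the table)
              own + "GroupId": security_group_id}         # not user-settable; mirrors SecurityGroupId
    if peer_cidr_ip is not None:          # CidrIp takes priority, so the GroupId is not sent
        params[peer + "CidrIp"] = peer_cidr_ip
    else:
        params[peer + "GroupId"] = peer_group_id
    if own_cidr_ip:                       # optional DestCidrIp (inbound) / SourceCidrIp (outbound)
        params[own + "CidrIp"] = own_cidr_ip
    if source_port_range:                 # optional; empty means all source ports
        params["SourcePortRange"] = source_port_range
    return params

def rule_matches(direction, params, src_ip, src_port, dst_ip, dst_port, protocol):
    """Evaluate a 5-tuple against a rule; a peer given only as a group ID would need a
    membership lookup that is not modelled here, so such a rule is reported as no match."""
    peer = "Source" if direction == "inbound" else "Dest"
    if peer + "CidrIp" not in params:
        return False
    return (protocol == params["IpProtocol"]
            and _port_ok(params.get("SourcePortRange"), src_port) and _port_ok(params["PortRange"], dst_port)
            and _cidr_ok(params.get("SourceCidrIp"), src_ip) and _cidr_ok(params.get("DestCidrIp"), dst_ip))
```

The security group ID "sg-example" used when calling these functions is a constructed placeholder, not a real resource.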