Cloud Monitor's Managed Service for Prometheus uses managed agents to collect metrics from your container clusters and Virtual Private Cloud (VPC). Configure the security group rules for your data sources to allow access from the managed agents.
Guidelines
Managed Service for Prometheus of Application Real-Time Monitoring Service (ARMS) is now part of Cloud Monitor 2.0. It requires managed agents for container clusters, such as Container Compute Service (ACS), Container Service for Kubernetes Serverless (ASK), and ACK One clusters, or clusters with Container Monitoring Pro enabled. By default, the managed agents use the security groups of container clusters and add the following inbound and outbound rules:
CIDR block: 100.64.0.0/10, Port: all. This rule allows the Managed Service for Prometheus control plane to communicate with the agents. Rule description: Prometheus for VPC (ISP Permission).
The primary and secondary CIDR blocks of the associated VPC, Port: all. This rule allows managed agents to collect metrics from all configured IP addresses and ports within the VPC. Rule description: Prometheus for VPC (VPC Permission). This rule is consistent with the creation rules for the default security group of Container Service for Kubernetes (ACK).
For managed agents that collect metrics from Elastic Compute Service (ECS) hosts and middleware, Managed Service for Prometheus creates a new security group by default. The naming convention for the security group is alicloud-arms-auto-created-security-group-{VpcID}.
CloudLens for Container of Cloud Monitor 2.0 installs managed agents on both existing and new container clusters. The initial security group configuration was the same as that of ARMS Managed Service for Prometheus. Starting in November 2025, the service creates a separate security group instead of reusing the default security group of the container clusters. The naming convention is alicloud-arms-auto-created-security-group-{VpcID}. The rule is also updated to narrow down the open port range to 80-65533 and restrict the protocol to TCP.
Note the following about these security groups:
Do not reuse the security groups named alicloud-arms-auto-created-security-group-{VpcID} for your services. These security groups are created by Cloud Monitor, and their rules are fully managed by Managed Service for Prometheus.
If you reuse a container cluster's security groups, modify any product-injected rules that do not meet your corporate requirements. Create separate security group rules to manage network access between your services. Do not reuse the rules created by the service. This practice prevents your services from being exposed to network threats if the product-injected rules are revoked.
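As an added illustration that is not part of the Cloud Monitor documentation, the following Python audit classifies the rules Managed Service for Prometheus injects into a security group: it separates the narrowed form (TCP, 80-65533) from the older all-ports form and flags any injected rule whose source is neither 100.64.0.0/10 nor a VPC CIDR. The rule field names and the sample rules are assumptions modelled on an ECS DescribeSecurityGroupAttribute response; check them against your SDK version.

```python
import ipaddress

# Constructed sample in the shape of ECS DescribeSecurityGroupAttribute "Permission"
# entries (field names are an assumption; verify against your SDK version).
SAMPLE_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "80/65533",
     "SourceCidrIp": "100.64.0.0/10", "Description": "Prometheus for VPC (ISP Permission)"},
    {"Direction": "ingress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "SourceCidrIp": "172.16.0.0/12", "Description": "Prometheus for VPC (VPC Permission)"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "10.0.0.0/8", "Description": "ssh from bastion"},
]
SAMPLE_VPC_CIDRS = ["172.16.0.0/12", "192.168.0.0/16"]  # constructed primary/secondary VPC CIDRs

AGENT_CIDR = ipaddress.ip_network("100.64.0.0/10")  # control plane -> managed agents
NARROW_PORTS = "80/65533"                            # port range applied since November 2025


def classify_rule(rule, vpc_cidrs):
    """Classify one Prometheus-injected rule; return None for rules the service did not add."""
    if not rule.get("Description", "").startswith("Prometheus for VPC"):
        return None
    src = ipaddress.ip_network(rule["SourceCidrIp"])
    allowed = [AGENT_CIDR] + [ipaddress.ip_network(c) for c in vpc_cidrs]
    if src not in allowed:
        return "unexpected-source"  # neither the agent CIDR nor a VPC CIDR: investigate
    if rule["IpProtocol"].upper() == "TCP" and rule["PortRange"] == NARROW_PORTS:
        return "narrow"             # the tightened form the documentation describes
    return "broad"                  # older all-ports/all-protocols form; tighten if policy requires


def audit_prometheus_rules(rules, vpc_cidrs):
    """Return {rule description: status} for every injected rule found in the security group."""
    report = {}
    for rule in rules:
        status = classify_rule(rule, vpc_cidrs)
        if status is not None:
            report[rule["Description"]] = status
    return report


if __name__ == "__main__":
    for desc, status in audit_prometheus_rules(SAMPLE_RULES, SAMPLE_VPC_CIDRS).items():
        print(f"{status:18} {desc}")
```

Feed the function the Permission list of the cluster's reused security group to see which injected rules still need tightening under your corporate requirements.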