All Products
Search
Document Center

Cloud Storage Gateway:Restrict client IP access to a share

Last Updated:Jun 20, 2026

NFS share

Use the Read/write Clients and Read-only Clients lists to control client access to an NFS share. If these lists are empty, any client on the network can mount the share. For configuration steps, see Share Settings.

SMB share

Use a security group to control client access to an SMB share. A security group acts as a virtual firewall that controls inbound and outbound traffic for an ECS instance.

The gateway automatically configures port 445 for SMB traffic. The default rule allows access from the following private CIDR blocks:

Action

Protocol type

Port range

Authorization object

Allow

Custom TCP

445

10.0.0.0/8

172.0.0.0/8

192.0.0.0/8

To restrict access from specific IP addresses or CIDR blocks, you can add a custom inbound rule to the security group. Lower priority values have higher precedence (1 is the highest). When multiple rules match an IP address, the rule with the highest priority is applied.

For more information about security groups, see Security group overview.

Add an inbound rule to restrict SMB access

Important
  • Do not modify the default security group rule for the SMB (445) port.

  • The security group rules for the SMB (445) port apply to all SMB shares on the gateway.

  1. Go to the Security Groups page on the ECS console.

  2. In the upper-left corner of the page, select the resource group and region that contain your target resource.

  3. In the search box, enter the gateway ID to find the corresponding security group.

    The name of the security group starts with sg-Cloud_Storage_Gateway_, and its type is basic security group.

  4. Click the security group ID to go to the Security Group Details page. On the Inbound.

  5. Configure a custom security group rule. The following example denies access from 192.168.0.0/24:

    Direction

    Action

    Priority

    Protocol type

    Port range

    Authorization object

    Inbound

    Deny

    1

    Custom TCP

    445/445

    192.168.0.0/24

    Note
    • To deny access from specific IP addresses or CIDR blocks, set Action to Deny.

    • To allow access from specific IP addresses or CIDR blocks, set Action to Allow.

    For more information, see Security group rules.