You can use Alibaba Cloud CLI to call Elastic Compute Service (ECS) API operations that configure security group rules, so that ECS instances can communicate with each other over the internal network. This meets business requirements in scenarios such as building internal websites or applications and deploying database clusters or application systems. This topic describes how to use Alibaba Cloud CLI to call these operations to establish internal network communication between ECS instances.
Usage notes
Security groups are virtual firewalls for ECS instances. Security groups themselves do not provide communication or networking capabilities. If you want instances in different security groups to communicate with each other over the internal network, first make sure that the instances can reach each other over the internal network:
If all instances are of the classic network type, the instances must be in the same region.
If all instances are of the VPC type, instances in different VPCs cannot communicate over the internal network. We recommend that you allow ECS instances to communicate over a public network or by using Express Connect, VPN Gateway, or Cloud Enterprise Network (CEN). For more information, see What is Express Connect?, What is VPN Gateway?, and What is CEN?
If instances are of different network types, establish a ClassicLink connection to allow communication between the instances. For more information, see Connect an instance in a classic network to a VPC.
If instances reside in different regions, we recommend that you allow ECS instances to communicate over a public network or by using Express Connect, VPN Gateway, or CEN. For more information, see What is Express Connect?, What is VPN Gateway?, and What is CEN?
Make sure that the ECS instances meet the following requirements:
After Alibaba Cloud CLI is installed on the ECS instances, make sure that the required credentials, regions, and language settings to access Alibaba Cloud resources are configured. For more information, see Overview.
Establish internal network communication within an Alibaba Cloud account
Query the internal IP addresses and security group IDs of the two ECS instances.
You can obtain the security group IDs of the instances in the console or by calling the DescribeInstances operation. The following table provides information about the two ECS instances. The information is only for reference.

Instance     IP address (internal network)   Security group   Security group ID
Instance A   10.0.0.1                        sg1              sg-bp1azkttqpldxgte****
Instance B   10.0.0.2                        sg2              sg-bp15ed6xe1yxeycg****
Connect to an ECS instance.
For more information, see Connection method overview.
Run the following command to add an inbound rule to the sg1 security group to allow traffic from 10.0.0.2:
aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgte**** --RegionId cn-qingdao --IpProtocol all --PortRange=-1/-1 --SourceCidrIp 10.0.0.2 --NicType intranet
Run the following command to add an inbound rule to the sg2 security group to allow traffic from 10.0.0.1:
aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg**** --RegionId cn-qingdao --IpProtocol all --PortRange=-1/-1 --SourceCidrIp 10.0.0.1 --NicType intranet
Note: In the preceding commands, the cn-qingdao region ID is for reference only. Replace it with your actual region ID.
In the preceding commands, the AuthorizeSecurityGroup operation is called to add inbound Allow rules to security groups. Configure the SecurityGroupId and SourceCidrIp parameters.
After a few minutes, run the ping command to check whether the two ECS instances can communicate with each other over the internal network.
Establish internal network communication across Alibaba Cloud accounts
Communication over the internal network across Alibaba Cloud accounts requires an authorization between security groups. ECS instances in two security groups can be authorized to communicate over the internal network. If you modify the configurations of a security group, all instances in the security group and the services running on the instances are affected. Proceed with caution.
Query the names of the two Alibaba Cloud accounts and the IDs of the two security groups within those accounts.
You can obtain the IDs of the security groups of the instances in the console or by calling the DescribeInstances operation. The following table provides information about the two Alibaba Cloud accounts. The information is only for reference.

Alibaba Cloud account      Alibaba Cloud Account ID   Security group   Security group ID
Alibaba Cloud Account A    testA****@aliyun.com       sg1              sg-bp1azkttqpldxgte****
Alibaba Cloud Account B    testB****@aliyun.com       sg2              sg-bp15ed6xe1yxeycg****
Connect to an ECS instance.
For more information, see Connection method overview.
Run the following command to add an inbound rule to the sg1 security group to allow traffic from the sg2 security group, which is owned by Account B:
aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgte**** --RegionId cn-qingdao --IpProtocol all --PortRange=-1/-1 --SourceGroupId sg-bp15ed6xe1yxeycg**** --SourceGroupOwnerAccount testB****@aliyun.com --NicType intranet
Run the following command to add an inbound rule to the sg2 security group to allow traffic from the sg1 security group, which is owned by Account A:
aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg**** --RegionId cn-qingdao --IpProtocol all --PortRange=-1/-1 --SourceGroupId sg-bp1azkttqpldxgte**** --SourceGroupOwnerAccount testA****@aliyun.com --NicType intranet
Note: In the preceding commands, the cn-qingdao region ID is for reference only. Replace it with your actual region ID.
In the preceding commands, the AuthorizeSecurityGroup operation is called to add inbound Allow rules to security groups. Configure the SecurityGroupId, SourceGroupId, and SourceGroupOwnerAccount parameters.
After a few minutes, run the ping command to check whether the ECS instances can communicate with each other over the internal network.
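The following script is an added example, not part of this topic or of Alibaba Cloud CLI itself. It builds the AuthorizeSecurityGroup calls used in both procedures above (same-account rules keyed on SourceCidrIp and cross-account rules keyed on SourceGroupId plus SourceGroupOwnerAccount), generalizes the two-instance case to a full mesh of N security groups, and refuses an all-hosts source such as 0.0.0.0/0 before anything is sent to the API. The region, security group IDs and account names are the placeholder values from the tables above; the helper names are this example's own.

```python
import ipaddress
import re
import subprocess

SG_ID_RE = re.compile(r"^sg-[0-9a-z*]+$")  # masked IDs like sg-...**** also match


def authorize_cmd(region: str, sg_id: str, source: str, owner: str = "",
                  protocol: str = "all", port_range: str = "-1/-1") -> list[str]:
    """argv for one inbound intranet Allow rule on sg_id.

    source is a host IP/CIDR (same account) or a security group ID (cross
    account, with owner = the account that owns it). protocol/port_range
    default to the page's all/-1/-1; e.g. tcp + 3306/3306 admits only MySQL.
    """
    if not SG_ID_RE.match(sg_id):
        raise ValueError(f"malformed security group ID: {sg_id}")
    cmd = ["aliyun", "ecs", "AuthorizeSecurityGroup", "--SecurityGroupId", sg_id,
           "--RegionId", region, "--IpProtocol", protocol,
           f"--PortRange={port_range}", "--NicType", "intranet"]
    if SG_ID_RE.match(source):
        cmd += ["--SourceGroupId", source]
        if owner:
            cmd += ["--SourceGroupOwnerAccount", owner]
    else:
        net = ipaddress.ip_network(source, strict=False)  # raises on garbage
        if net.prefixlen == 0:  # 0.0.0.0/0 would admit every intranet peer
            raise ValueError("refusing an all-hosts source on an intranet rule")
        cmd += ["--SourceCidrIp", source]
    return cmd


def mesh_rules(region: str, members: list[tuple[str, str, str]],
               **rule) -> list[list[str]]:
    """Symmetric rules for every pair of (sg_id, source, owner) members:
    two members give the page's two commands, N members give N*(N-1)."""
    return [authorize_cmd(region, sg_id, src, owner, **rule)
            for sg_id, _, _ in members
            for other_sg, src, owner in members if other_sg != sg_id]


def apply(cmds: list[list[str]], dry_run: bool = True) -> list[str]:
    """Print each command, or run it when dry_run is False (needs aliyun)."""
    rendered = [" ".join(c) for c in cmds]
    for text, argv in zip(rendered, cmds):
        print(text)
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered
```

Call apply(mesh_rules("cn-qingdao", [("sg-bp1azkttqpldxgte****", "10.0.0.1", ""), ("sg-bp15ed6xe1yxeycg****", "10.0.0.2", "")])) to reproduce the two same-account commands as a dry run; for the cross-account case pass each group's own ID as its source and its owner account as the third field.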