Add a security group rule - Elastic Compute Service - Alibaba Cloud Documentation Center

You can add rules to a security group to control inbound and outbound traffic for Elastic Compute Service (ECS) instances in the security group.

Background information

Alibaba Cloud provides examples on how to configure security group rules in common scenarios. For more information, see Security groups for different use cases.

This topic is suitable for the following scenarios:

When an application deployed on your instance initiates a request to a network external to the security groups of the instance but the request remains in the waiting state, you must add a security group rule to allow the request.
When running applications suffer attacks from some of the request sources, you can add security group rules to block the malicious requests.

Before you add security group rules, take note of the following items:

Before you add rules to a basic or advanced security group, take note that the security group contains default rules. For more information, see Basic security groups and advanced security groups.
A security group can contain only a limited number of rules. We recommend that you add the minimum number of rules. For more information, see Overview.

Procedure

Go to the Security Groups page.
1. Log on to the ECS console.
2. In the left-side navigation pane, choose Network & Security > Security Groups.
3. In the top navigation bar, select a region.
Find the security group to which you want to add a rule and click Add Rules in the Actions column.
Select a direction of security group rules.
- If the network type of the security group is Virtual Private Cloud (VPC), click the Inbound or Outbound tab.
- If the network type of the security group is classic network, click the Inbound, Outbound, Internet Ingress, or Internet Egress tab.
Add a security group rule.
- Method 1: Quickly add a security group rule
  This method is suitable for configuring common TCP rules. Click Quick Add. In the Quick Add dialog box, set Action and Authorization Object and select one or more ports.
- Method 2: Manually add a security group rule
  To manually add a security group rule, you must set parameters such as Action, Priority, Protocol Type, Port Range, and Authorization Object.
  1. Click Add Rule.
  2. Configure the rule that you want to add to the rule list. For information about how to configure a single security group rule, see Overview.
  3. Click Save in the Actions column.

FAQ

For information about the Protocol Type and Port Range parameters, see Common ports and What is the relationship between protocol types and port ranges in security group rules?
For information about the reasons due to which services on instances cannot be accessed after the instances are added to security groups, see Why am I unable to access services after I configure a security group?
For information about the reasons due to which TCP port 80 and TCP port 25 cannot be accessed, see Why am I unable to access TCP port 80? and Why am I unable to access TCP port 25?
For more information about security group rules, see Security FAQ.

References

For information about how to add an inbound security group rule by calling an API operation, see AuthorizeSecurityGroup.
For information about how to add an outbound security group rule by calling an API operation, see AuthorizeSecurityGroupEgress.