
Elastic Compute Service: Add a security group rule

Last Updated: May 14, 2024

You can add rules to a security group to control inbound and outbound traffic for Elastic Compute Service (ECS) instances in the security group. You can use security group rules in various scenarios, such as to allow or deny specific network traffic, close ports, restrict traffic of specific protocols, and configure access permissions on applications. This topic describes how to add a security group rule in the ECS console.

Background information

Alibaba Cloud provides examples on how to configure security group rules in common scenarios. For more information, see Security groups for different use cases.

This topic is suitable for the following scenarios:

  • When an application deployed on your ECS instance initiates a request to a network external to the security groups of the instance and the request remains in the waiting state, you must add a security group rule to allow the request.

  • When applications that are running on ECS instances are attacked from specific request sources, you can add security group rules to deny access from those request sources.

Before you add security group rules, take note of the following items:

  • Basic and advanced security groups contain default rules. For more information, see Basic security groups and advanced security groups.

  • A security group can contain only a limited number of rules. We recommend that you add the minimum number of rules. For more information, see Security group rules.


  1. Go to the security group list page.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Network & Security > Security Groups.

    3. In the upper-left corner of the top navigation bar, select a region.

  2. Find the security group to which you want to add a rule and click Manage Rules in the Operation column.

  3. Select a direction of security group rules.

    • If the security group resides in a virtual private cloud (VPC), click the Inbound or Outbound tab.

    • If the security group resides in the classic network, click the Inbound, Outbound, Internet Ingress, or Internet Egress tab.

  4. Add a security group rule.

    • Method 1: Quickly add a security group rule

      This method is suitable for configuring common TCP rules. Click Quick Add. In the Quick Add dialog box, configure Action and Authorization Object and select one or more ports.

    • Method 2: Manually add a security group rule

      Configure parameters such as Action, Priority, Protocol Type, Port Range, and Authorization Object to add a security group rule. Perform the following steps:

      1. Click Add Rule.

      2. Configure the rule that you want to add to the rule list. For information about how to configure a security group rule, see Security group rules.

      3. Click Save in the Actions column.
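
As an added example (not Alibaba Cloud's code), the following Python function checks the Method 2 fields (Action, Priority, Protocol Type, Port Range, Authorization Object) before a rule is saved, and flags inbound allow rules that open management ports to every address. The function name `check_rule`, the field value spellings, the choice of ports 22 and 3389, and the value ranges noted in the comments are assumptions that this page does not state.

```python
import ipaddress

# Assumptions (Alibaba Cloud rule format, not stated on this page): priority is
# 1-100, TCP/UDP port ranges are "start/end" within 1-65535, and protocols
# without ports use "-1/-1". Only CIDR authorization objects are handled.
MGMT_PORTS = {22, 3389}  # constructed choice: SSH and RDP
PORTLESS = {"icmp", "gre", "all"}

def check_rule(direction, action, priority, protocol, port_range, auth_object):
    """Return findings for one rule; an empty list means nothing was flagged."""
    findings, ports = [], range(0)
    if direction not in ("inbound", "outbound"):
        findings.append("direction must be inbound or outbound")
    if action not in ("allow", "deny"):
        findings.append("action must be allow or deny")
    if not isinstance(priority, int) or not 1 <= priority <= 100:
        findings.append("priority must be an integer from 1 to 100")
    proto = protocol.lower()
    if proto in PORTLESS:
        if port_range != "-1/-1":
            findings.append(f"{proto} rules use port range -1/-1")
    elif proto in ("tcp", "udp"):
        try:
            start, end = (int(p) for p in port_range.split("/"))
            if not 1 <= start <= end <= 65535:
                raise ValueError(port_range)
            ports = range(start, end + 1)
        except ValueError:
            findings.append("port range must be start/end within 1-65535")
    else:
        findings.append(f"unknown protocol type: {protocol}")
    try:
        net = ipaddress.ip_network(auth_object, strict=False)
    except ValueError:
        return findings + ["authorization object is not a CIDR block"]
    # Least-privilege check: an inbound allow rule whose source is every address.
    if direction == "inbound" and action == "allow" and net.prefixlen == 0:
        exposed = sorted(p for p in MGMT_PORTS if p in ports)
        if exposed or proto == "all":
            findings.append(f"management ports open to every address: {exposed or 'all'}")
        else:
            findings.append("authorization object covers every address")
    return findings

if __name__ == "__main__":
    # Constructed sample rules using documentation address ranges.
    for rule in [("inbound", "allow", 1, "tcp", "22/22", "203.0.113.0/24"),
                 ("inbound", "allow", 1, "tcp", "22/22", "0.0.0.0/0"),
                 ("inbound", "deny", 1, "all", "-1/-1", "198.51.100.7")]:
        print(rule, "->", check_rule(*rule) or "ok")
```

Authorization objects that are security group IDs or prefix lists are reported as non-CIDR by this check and need a separate review.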



You can call the following API operations to add security group rules: