Create a security group for an ECS instance and add inbound and outbound rules to the security group - Elastic Compute Service

A security group acts as a virtual firewall that controls inbound and outbound traffic for Elastic Compute Service (ECS) instances. Each ECS instance must be added to at least one security group. This topic describes how to create a custom security group in the ECS console.

Considerations

A virtual private cloud (VPC) is created. To create a security group of the VPC type, this requirement must be met. For more information, see Create and manage a VPC.
If you do not create a security group when you create an ECS instance, a default security group is automatically created. If you want to add an ECS instance to a custom security group, perform the following steps to create the security group.
ECS imposes limits on the maximum number of security groups that can be created in a single region. To view the limit, go to the Quota Center console. You can apply to increase the limit based on your business requirements. For more information, see Manage quotas.

For more information about security groups, see Overview.

Procedure

Go to the security group list page.
1. Log on to the ECS console.
2. In the left-side navigation pane, choose Network & Security > Security Groups.
3. In the upper-left corner of the top navigation bar, select a region.
Click Create Security Group.
In the Basic Information section, configure the basic information of the security group.
1. Configure the security group parameters for easy identification of the security group that you want to create. The parameters include the security group name, description, resource group, and tags.
2. Specify a network. You can select the classic network or a VPC. For more information, see Network types.
3. Specify the type of security group. You can select the basic or advanced security group type. For more information, see Basic security groups and advanced security groups.
In the Access Rule section, configure security group rules.
By default, basic security group rules are configured in the security group. To add custom security group rules, perform the following steps. For more information, see Add a security group rule.
1. Click the Inbound or Outbound tab based on the direction of the security group rules that you want to add.
2. Click Add Rule.
3. Configure custom security group rules. For more information about security group rules, see Security group rules.
Click Create Security Group.
After you create the security group, you can view the security group on the security group list page. For more information, see Search for security groups.

References

You can create a security group by calling an API operation. For more information, see CreateSecurityGroup.
You can add security group rules to a security group to control inbound and outbound traffic for ECS instances that belong to the security group. For more information, see Add a security group rule.
Each ECS instance must belong to at least one security group. You can add an ECS instance to one or more security groups. For more information, see Manage ECS instances in security groups and Manage ENIs in security groups.
For information about how to troubleshoot the issue that an ECS instance cannot be accessed after the instance is added to a security group, see the Why am I unable to access services after I configure a security group? section in the "Security FAQ" topic.