When you associate a security group with an Elastic Compute Service (ECS) instance, you associate the security group with the primary elastic network interface (ENI) of the instance. After you associate a security group with the ECS instance, the inbound and outbound traffic of the instance is managed by the rules in the security group. You can change the association between the ECS instance and security groups based on your business requirements. This topic describes how to add an instance to a security group, remove an instance from a security group, and replace the security groups of an instance.
Limits
An ECS instance must be associated with at least one security group. The number of security groups that can be associated with an ECS instance is limited. For more information, see the Security groups section of the "Limits" topic.
An ECS instance and the security groups to which you want to add the instance must use the same network type. If the ECS instance and the security groups all use the Virtual Private Cloud (VPC) network type, they must belong to the same VPC.
Security groups are classified into basic and advanced security groups. Each ECS instance can be added to multiple security groups only of the same type. For more information, see Basic security groups and advanced security groups.
Add an ECS instance to or remove an ECS instance from security groups or replace the security groups of an ECS instance
If the security groups of an ECS instance do not meet your business requirements, you can add the instance to or remove the instance from specific security groups or replace the security groups of the instance.
Manage the security groups of an existing ECS instance
Go to the Instance page in the ECS console.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the Instance page, add ECS instances to security groups, remove instances from security groups, or replace security groups for ECS instances based on your business requirements.
If an ECS instance is associated with only one security group, the removal operation cannot be performed because an ECS instance must be associated with at least one security group.
To change the security groups of an ECS instance, find the instance whose security groups you want to manage and click its instance ID. On the instance details page, click All Actions in the upper-right corner, search for Change Security Groups, and click it. In the Change Security Groups dialog box, change the security groups of the ECS instance.
To add the ECS instance to a security group, select a security group that is not associated with the instance from the Security Group drop-down list and click Confirm.
To remove the ECS instance from a security group, delete the security group from the Security Group field and click Confirm.
Add an ECS instance to security groups when you create the instance
When you create an ECS instance in the ECS console, you can add the instance to one or more security groups. If no security groups are available, the system creates a default security group. In this case, you can select the IPv4 ports and protocols that you want to open in the default security group based on your business requirements. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
The following section describes the attributes of each default security group.
Security group type: basic security group.
Network type: same as the network type of the created ECS instance.
Default security group rules:
The security group rules have a priority of 100.
Note: The default security group rules that were created before May 27, 2020 have a priority of 110.
Rule description:
Outbound: By default, all outbound access is allowed. All outbound traffic from ECS instances in the default security group is allowed.
Inbound: By default, only inbound ICMP access and inbound access on port 22 and port 3389 are allowed. You can specify whether to allow inbound access on HTTP port 80 and HTTPS port 443. If you use ECS instances to build websites, you must allow inbound access on HTTP port 80 and HTTPS port 443.
If a security group is displayed on the Security Groups page in the ECS console and has a description similar to System created security group, the security group is a default security group.
You can add security group rules to, or modify the rules of, a default security group to control inbound and outbound traffic in a more fine-grained manner, and you can manage which instances and elastic network interfaces (ENIs) are associated with the default security group.
If the default security group rules do not meet your business requirements, you can create a custom security group, configure new security group rules, and then associate the rules with ECS instances or ENIs. For more information, see Create a security group.
Add ECS instances to or remove ECS instances from a security group
You can add instances to or remove instances from a specific security group based on your business requirements.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Find the security group that you want to manage and choose > Manage Instances in the Operation column.
On the ECS Instances tab of the Instances tab, add ECS instances to or remove ECS instances from the security group based on your business requirements.
Add instances to the security group. Click Add Instance to Security Group. In the Add Instance to Security Group dialog box, enter one or more instance IDs or names in the Instance field, select the instances, and click Confirm.
Remove instances from the security group. Select one or more instances and click Remove from Security Group in the lower part of the Instances tab. In the Remove from Security Group message, click OK.
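As an added example that is not part of this topic or of Alibaba Cloud's own tooling, the following Python script turns the console procedures above (Change Security Groups on an instance, and adding or removing instances on the security group side) into an ordered list of ECS API calls that respects the limits this topic states: at least one security group at all times, the same VPC, no mixing of basic and advanced groups, and the per-instance quota. The operation names JoinSecurityGroup, LeaveSecurityGroup and ModifyInstanceAttribute are those of the ECS API; the parameter layout and the quota value are assumptions, and the script only plans the calls, it does not make them.

```python
"""Plan a security-group membership change for an ECS instance.

Added example, not from the Alibaba Cloud documentation. Emits ECS API
operations in an order that never leaves the instance without a security
group. Operation names are the ECS API's; parameter layout is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    sg_id: str
    vpc_id: str   # VPC the group belongs to
    sg_type: str  # "basic" or "advanced", as this topic classifies them


# Placeholder: look up the real per-instance quota in the "Limits" topic.
MAX_GROUPS_PER_INSTANCE = 5


def plan_change(instance_id, instance_vpc, current, target,
                max_groups=MAX_GROUPS_PER_INSTANCE):
    """Return [(api_operation, params), ...] that moves `instance_id` from
    the `current` groups to the `target` groups, or raise ValueError when
    the request violates one of the limits stated in the topic."""
    if not target:
        raise ValueError("an instance must keep at least one security group")
    if len(target) > max_groups:
        raise ValueError(f"more than {max_groups} security groups requested")
    for sg in target:
        if sg.vpc_id != instance_vpc:
            raise ValueError(f"{sg.sg_id} is not in the instance VPC {instance_vpc}")
    if len({sg.sg_type for sg in target}) > 1:
        raise ValueError("basic and advanced security groups cannot be mixed")

    current_ids = {sg.sg_id for sg in current}
    target_ids = [sg.sg_id for sg in target]
    to_join = [s for s in target_ids if s not in current_ids]
    to_leave = [s for s in current_ids if s not in target_ids]

    # Join before leave keeps membership >= 1, but only if the transient
    # union fits the quota; otherwise replace the whole set in one call.
    if len(current_ids | set(target_ids)) > max_groups:
        params = {"InstanceId": instance_id}
        params.update({f"SecurityGroupIds.{i}": s for i, s in enumerate(target_ids, 1)})
        return [("ModifyInstanceAttribute", params)]

    ops = [("JoinSecurityGroup", {"InstanceId": instance_id, "SecurityGroupId": s}) for s in to_join]
    ops += [("LeaveSecurityGroup", {"InstanceId": instance_id, "SecurityGroupId": s}) for s in to_leave]
    return ops
```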
Query instances associated with a security group
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the Security Groups page, find the security group that you want to query and choose > Manage Instances in the Operation column.
On the ECS Instances and Elastic Container Instances tabs of the Instances tab, view all instances that are associated with the security group.