Security group rules control inbound and outbound traffic for ECS instances. They are essential for scenarios that involve allowing or denying specific network traffic, blocking unnecessary ports, restricting traffic of specific protocols, and configuring application access privileges. This topic describes how to add, modify, query, delete, and import and export security group rules.
Prerequisites
Before adding security group rules, understand the following:
Inbound rules of a security group control the inbound traffic to ECS instances, and outbound rules control the outbound traffic from ECS instances. Multiple security group rules associated with an ECS instance are sorted based on a fixed policy to collectively determine whether to allow the inbound or outbound traffic of the instance.
For an overview of security group capabilities and usage recommendations, see Security group overview.
In addition to custom security group rules, security groups contain invisible default access control rules that affect traffic allowance or denial. See Basic security groups and enterprise-level security groups.
For the composition and sort policy of security group rules, see Security group rules.
Security group rules have a quantity limit. Keep the rules concise. See Security group limits.
Scenarios
Add inbound security group rules to allow external access when your ECS instance provides services.
Add inbound security group rules to deny access when an ECS instance is under malicious attack.
Determine whether to add outbound security group rules based on the security group type and intra-group communication policy when an ECS instance needs to connect to an external network.
Delete corresponding security group rules when certain outbound or inbound traffic control is no longer needed.
Use the import and export security group rules feature to quickly copy rules to other security groups. See import and export security group rules.
For more scenarios, see Security group application cases.
Add security group rules
Security group inbound and outbound rules consist of an authorization policy, priority, protocol type, port range, and authorization object. Traffic matches a rule when its authorization object, port, and protocol type all match; the rule's priority and authorization policy then determine whether the traffic is allowed. Traffic that matches no rule follows the security group's fallback policy.
Authorization object: The source address for inbound rule traffic and the destination address for outbound rule traffic. It supports configuring IP addresses (multiple selections available), security groups, and prefix lists.
If you select security groups or prefix lists as the authorization object, the rule applies to all IP addresses contained in the selected security groups and prefix lists.
For network intercommunication between resources in different security groups, use security group authorization. For internal network access, use source security group authorization instead of CIDR block authorization.
For ECS instances in the classic network type, Alibaba Cloud does not enable any internal network inbound rules by default. For security reasons, it is not recommended to enable any authorization based on CIDR blocks.
Port range: The port that matches the traffic. For information about typical application ports and their corresponding scenarios, see Common ports.
Protocol type: The protocol that matches the traffic.
The TCP protocol is suitable for high-reliability applications such as web browsing, email, remote logon, and file transfer.
The UDP protocol is suitable for applications where speed is more important than accuracy, such as online games and video conferences.
The ICMP protocol is used for transmitting control information between network devices, such as using the ping command, error reporting, and diagnostics.
The GRE protocol is suitable for high-security applications. GRE securely transmits data across different network types, such as IP over IP.
Priority: The priority of matching traffic, with the highest priority being 1.
For rules with different priorities, traffic first matches the rule with the highest priority. If it successfully matches, the action specified by the rule's authorization policy is executed, and it will not match any lower-priority rules.
For rules with the same priority but different authorization policies, the deny policy is matched first, followed by the allow policy.
Authorization policy: The action for matching traffic, which can be either allow or deny.
Confirm that the application corresponding to the port configured in the security group rule is running and that the port listens on 0.0.0.0. For information on checking the current port status, see Check service status and port listening status.
Use the ECS console
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Navigate to the target security group. In the Operation column, click Manage Rules to add inbound and outbound security group rules.
Method 1: Quickly add security group rules
This method is for quickly setting common TCP protocol rules. After clicking Quick Add, you only need to set the Authorization Policy and Authorization Object, and select one or more ports to complete the setup.
If the port range in the quick add dialog box does not include the port you need, you can first select a port to create a rule, and then modify the port range and other settings of this rule. Alternatively, use Method 2: Manually add security group rules to directly set the required ports.
Method 2: Manually add security group rules
Set information such as authorization policy, priority, protocol type, port range, and authorization object. The specific steps are:
Click Manual Add.
In the rule list, configure the newly added security group rule. After configuration, click Save in the Operation column.
For information on setting a single rule, see Security group rules.
Use the API
For more precise control over ECS instance traffic, use security group 5-tuple rules, which include source IP address, source port, destination IP address, destination port, and protocol type. These rules are fully compatible with existing security group rules and can be configured through the API. For more information, see Security group 5-tuple rules.
Call AuthorizeSecurityGroup - Add inbound security group rules to add inbound rules.
Call AuthorizeSecurityGroupEgress - Add outbound security group rules to add outbound rules.
Modify security group rules
After modifying security group rules, the new rules take immediate effect on ECS instances within the security group. Monitor network traffic and connection status to ensure the modified rules meet business needs and maintain network security. For more information, see What is CloudMonitor.
Use the ECS console
On the
page, locate the security group you want to modify and click Manage Rules in the Operation column.
Find the rule you want to change, click Edit in the Operation column, make your changes, and then click Save.
Use the API
To modify inbound rules, use ModifySecurityGroupRule - Modify inbound security group rules.
To modify outbound rules, use ModifySecurityGroupEgressRule - Modify outbound security group rules.
Query security group rules
The health check function detects redundant rules in security groups, simplifying configurations, reducing management workload, enhancing network management efficiency, and mitigating security vulnerabilities.
Use the ECS console
Method 1: View rules of a single security group
On the
page, locate the security group you want to view and click Manage Rules in the Operation column.
Select the direction of the security group rule to view the rules of each category.
Note: Use the search box above the rule list to quickly find security group rules by entering ports or authorization objects.
Method 2: View rules in all security groups joined by an ECS instance
On the
page, find the target instance and click the instance ID to go to the instance details page.
On the Security Groups tab, view all security groups joined by the instance.
Click Manage Rules in the Operation column to query the rules of all security groups one by one.
Use the API
To query security group rules, use DescribeSecurityGroupAttribute - Query security group and intra-group rule information.
Delete security group rules
Before deleting security group rules, ensure you understand the potential impacts. Avoid network security issues caused by accidental deletions. If a deleted rule is still needed, recreate a new rule to replace it.
Use the ECS console
On the
page, find the security group you want to modify and click Manage Rules in the Operation column.
Locate the rule you want to delete and click Delete in the Operation column.
In the confirmation dialog box, read the prompt information, confirm it is correct, and click Confirm.
Use the API
To delete inbound rules, use RevokeSecurityGroup - Delete inbound security group rules.
To delete outbound rules, use RevokeSecurityGroupEgress - Delete outbound security group rules.
Check for redundant rules in security groups
The health check function of a security group identifies redundant rules within a single security group. For instance, if security group rule A's conditions are entirely contained by rule B, and rule A has a priority less than or equal to rule B, then rule A is considered redundant. Deleting redundant rules prevents reaching the upper limit of security group rules and affecting the use of the security group.
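The matching order described under Priority (highest priority first, deny before allow at equal priority, fallback policy when nothing matches) and the redundancy definition above, as an added Python model that is not part of the page or the ECS console. It assumes a rule "covered" by another rule with the same policy and an equal or higher priority (a numerically smaller or equal priority value) is the redundant one; the rule set is constructed here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    policy: str      # "accept" (allow) or "drop" (deny)
    priority: int    # 1 is the highest priority
    protocol: str    # "tcp", "udp", "icmp", "gre" or "all"
    port_from: int
    port_to: int
    cidr: str        # authorization object: source CIDR for an inbound rule

    def matches(self, protocol, port, src_ip):
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(src_ip)
                in ipaddress.ip_network(self.cidr, strict=False))

def evaluate(rules, protocol, port, src_ip, fallback="drop"):
    """First matching rule decides: priority 1 first; at equal priority deny before allow."""
    order = sorted(rules, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    for r in order:
        if r.matches(protocol, port, src_ip):
            return r.policy
    return fallback  # nothing matched: the security group's fallback policy applies

def covers(outer, inner):
    """True when every packet matched by inner is also matched by outer."""
    return (outer.protocol in ("all", inner.protocol)
            and outer.port_from <= inner.port_from <= inner.port_to <= outer.port_to
            and ipaddress.ip_network(inner.cidr, strict=False).subnet_of(
                ipaddress.ip_network(outer.cidr, strict=False)))

def redundant_rules(rules):
    """Rules fully covered by another rule with the same policy that is matched no later
    (equal or numerically smaller priority). At equal priority both are reported; keep one."""
    return [a for a in rules
            if any(b is not a and b.policy == a.policy and b.priority <= a.priority
                   and covers(b, a) for b in rules)]

# Constructed sample rule set (not from the page): SSH open to all but one range denied,
# plus a web rule that a broader rule already covers.
SAMPLE_RULES = [
    Rule("accept", 1, "tcp", 22, 22, "0.0.0.0/0"),
    Rule("drop", 1, "tcp", 22, 22, "203.0.113.0/24"),
    Rule("accept", 5, "tcp", 80, 443, "10.0.0.0/8"),
    Rule("accept", 10, "tcp", 80, 80, "10.0.0.0/8"),  # redundant: covered by the rule above
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "tcp", 22, "203.0.113.9"))     # drop: deny wins at equal priority
    print([r.priority for r in redundant_rules(SAMPLE_RULES)])  # [10]
```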
Each security group and each elastic network interface (ENI) on an ECS instance can contain a limited number of security group rules. For information on the usage limits and quotas of security group rules, see Security group limits.
Use the ECS console
On the
page, locate the security group you want to check and click Manage Rules in the Operation column.
In the Access Rules area, click .
In the Health Check dialog box, verify if there are redundant rules.
As illustrated below, two redundant rules are present in the security group.
Select the redundant rules, and then click Confirm to delete them.
Import and export security group rules
The ECS console supports the export and import of security group rules, facilitating scenarios such as backup, recovery, and migration of rules.
Before importing security groups, adhere to the following restrictions to avoid import failure:
The priority range for security group rules is 1 to 100. Priorities above 100 must be deleted and recreated after import.
The ECS console supports exporting security group rules as JSON or CSV files. Ensure the file format is correct and follows Alibaba Cloud's naming convention for security group rule files.
It is advisable to import no more than 200 rules at a time to prevent issues.
When importing rules across regions, rules with authorization objects as security groups and prefix lists are not supported.
Use the ECS console
On the
page, find the security group whose rules you want to export and click Manage Rules in the Operation column.
In the Access Rules area, select the appropriate operation for management.
Import security group rules
Click , in the Import Security Group Rules dialog box, click Select File, and then choose a local JSON or CSV file. Click Start Import.
If any rules fail to import, hover over the warning icon to view the reason for the failure.
Export security group rules
Click , and select the file format to download and save locally.
JSON Format
An example of the JSON file naming convention is:
ecs_${region_id}_${groupID}.json
Assuming regionID is cn-qingdao and groupID is sg-123, the exported JSON file name is ecs_cn-qingdao_sg-123.json.
CSV Format
An example of the CSV file naming convention is:
ecs_sgRule_${groupID}_${region_id}_${time}.csv
Assuming regionID is cn-qingdao, groupID is sg-123, and time is 2020-01-20, the exported CSV file name is ecs_sgRule_sg-123_cn-qingdao_2020-01-20.csv.
Security group rules FAQ and best practices
For common questions about security group configuration, rule settings, host punishment and unblocking processes, and resource quota management, see Security FAQ.
For questions about Protocol Type and Port Range, see Common ports, Modify the default remote port of the server.
To add cloud resources (ECS instances, elastic network interfaces) to a new security group, see Management of security groups associated with ECS instances, Management of security groups associated with elastic network interfaces.
If you need to modify the intra-group communication policy of a security group, see Modify the intra-group communication policy of a basic security group.
For best practices and application cases for security group rule configuration, see:
If the server has a firewall enabled and rules are set to block external access, this may cause access failure when remotely accessing the server. For best practices on enabling and disabling the system firewall, see:
For other best practices, see: