
Elastic Compute Service:Modify the internal access control policy of a security group

Last Updated:Oct 20, 2023

You can modify the internal access control policy of a basic security group in the Elastic Compute Service (ECS) console.

Background information

  • If the Internal Access Control Policy parameter of a basic security group is set to Allow, the security group uses the internal interconnectivity policy and all ECS instances in the security group can communicate with each other over the internal network, regardless of whether custom rules are configured in the security group.

  • If the Internal Access Control Policy parameter of a basic security group is set to Deny and the security group contains no custom rules, the security group uses the internal isolation policy and all ECS instances in the security group cannot communicate with each other over the internal network.

  • By default, advanced security groups support the internal isolation policy, and ECS instances in each advanced security group are isolated from each other. The settings cannot be modified.

  • The internal isolation policy isolates elastic network interfaces (ENIs), instead of ECS instances. If multiple ENIs are bound to an ECS instance, you must configure the internal isolation policy for the security groups to which each ENI belongs.

  • Instances in the same security group can still communicate with each other in the following cases, regardless of the internal isolation policy:

    • The instances share multiple security groups, and the internal isolation policy is not configured for at least one of these security groups.

    • An access control list (ACL) is configured to allow mutual access between instances within the security group.

For more information, see Basic security groups and advanced security groups.

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Security Groups page, find the security group whose internal access control policy you want to modify and click the security group ID.

  5. In the Basic Information section, set Internal Access Control Policy to Allow or Deny.

  6. In the Modify Internal Access Control Policy message, click OK.

Case study

In this example, Group1 and Group2 are basic security groups. ECS1, ECS2, and ECS3 are ECS instances. The following figure shows the relationships between the instances and the security groups.

[Figure: relationships between ECS1, ECS2, and ECS3 and the security groups Group1 and Group2]
  • Group1 contains ECS1 and ECS2, and has the internal isolation policy configured.

  • Group2 contains ECS2 and ECS3, and has the default internal interconnectivity policy configured.

The following table describes whether the instances can communicate with each other.

Instance        Isolated   Description
ECS1 and ECS2   Yes        ECS1 and ECS2 belong to Group1. Group1 has the internal isolation policy configured, so ECS1 and ECS2 are isolated from each other.
ECS2 and ECS3   No         ECS2 and ECS3 belong to Group2. Group2 uses the default internal interconnectivity policy, so ECS2 and ECS3 can communicate with each other.
ECS1 and ECS3   Yes        ECS1 and ECS3 belong to different security groups. By default, instances in different security groups are isolated from each other, so ECS1 and ECS3 cannot communicate with each other.
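The rules listed under Background information and the case study above can be turned into a small reachability check that an operator can run against an inventory of groups and ENIs before relying on the isolation policy. The following Python is an added example written for this page, not Alibaba Cloud's own code or SDK; the class and function names, the ENI identifiers, and the `acl_allowed` stand-in for ACL entries are assumptions made for illustration. It reproduces the case study, extends it to instances with several ENIs, and flags pairs that an operator expects to be isolated but that can still talk.

```python
# Added example: a model of the security-group internal access rules
# described on this page. Hypothetical code, not Alibaba Cloud's own.
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class SecurityGroup:
    group_id: str
    kind: str = "basic"                  # "basic" or "advanced"
    inner_access_policy: str = "Allow"   # "Allow" or "Deny"; basic groups only
    has_custom_rules: bool = False
    enis: set = field(default_factory=set)  # ENI IDs bound into this group

    def isolates_members(self) -> bool:
        """True when members of this group are isolated from each other."""
        if self.kind == "advanced":
            return True  # advanced groups always isolate; not configurable
        # Basic group: Deny with no custom rules is the internal isolation policy
        return self.inner_access_policy == "Deny" and not self.has_custom_rules


def enis_can_communicate(eni_a, eni_b, groups):
    """Apply the page's rules to one pair of ENIs (isolation is per ENI)."""
    shared = [g for g in groups if eni_a in g.enis and eni_b in g.enis]
    if not shared:
        return False  # different groups: isolated by default
    # One shared group without the isolation policy is enough to connect them
    return any(not g.isolates_members() for g in shared)


def instances_can_communicate(inst_a, inst_b, instance_enis, groups,
                              acl_allowed=frozenset()):
    """Instances can talk if any pair of their ENIs can, or an ACL allows it.

    instance_enis maps instance ID -> set of ENI IDs (one instance may have
    several ENIs). acl_allowed is a constructed stand-in for ACL entries that
    permit mutual access between a pair of instances.
    """
    if frozenset((inst_a, inst_b)) in acl_allowed:
        return True
    return any(enis_can_communicate(a, b, groups)
               for a in instance_enis[inst_a] for b in instance_enis[inst_b])


def reachability_matrix(instance_enis, groups, acl_allowed=frozenset()):
    """Map every unordered instance pair to whether it can communicate."""
    return {frozenset(pair): instances_can_communicate(*pair, instance_enis,
                                                       groups, acl_allowed)
            for pair in combinations(sorted(instance_enis), 2)}


def audit_intended_isolation(intended_isolated, instance_enis, groups,
                             acl_allowed=frozenset()):
    """Return pairs the operator expects to be isolated but that can still talk."""
    matrix = reachability_matrix(instance_enis, groups, acl_allowed)
    return sorted(tuple(sorted(p)) for p in intended_isolated
                  if matrix[frozenset(p)])


# Constructed data reproducing the page's case study, one ENI per instance.
CASE_STUDY_ENIS = {"ECS1": {"eni-1"}, "ECS2": {"eni-2"}, "ECS3": {"eni-3"}}
CASE_STUDY_GROUPS = [
    SecurityGroup("Group1", inner_access_policy="Deny", enis={"eni-1", "eni-2"}),
    SecurityGroup("Group2", enis={"eni-2", "eni-3"}),  # default Allow policy
]


def case_study():
    """Reachability for the case study, keyed as 'ECS1-ECS2' etc."""
    matrix = reachability_matrix(CASE_STUDY_ENIS, CASE_STUDY_GROUPS)
    return {"-".join(sorted(k)): v for k, v in matrix.items()}


if __name__ == "__main__":
    for pair, reachable in case_study().items():
        print(pair, "can communicate" if reachable else "isolated")
```

Running the block prints the same three outcomes as the table above. The audit function is the part worth keeping: feed it the pairs your design assumes are isolated, and it reports any pair that a second shared group with the Allow policy, a second ENI, or an ACL entry quietly reconnects.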

References

For information about how to modify the internal access control policy of a basic security group by calling an API operation, see ModifySecurityGroupPolicy.