Elastic Compute Service: Security group rule check

Last Updated: Jan 27, 2026

Incorrectly configured security group rules for an Elastic Compute Service (ECS) instance can cause remote connection failures and make services inaccessible. Overly permissive rules can also introduce security risks. You can use the security group rule check feature to quickly diagnose whether your port access policies work as expected.

Procedure

  1. Go to the ECS Console - Self-service Troubleshooting page. At the top of the page, select the resource group and region where your target resource is located.

  2. On the Self-service Troubleshooting page, on the Security Group Rule Diagnosis tab, click Initiate Diagnosis.

  3. From the Instance to be checked and Network Interface to be checked drop-down lists, select the target resource to diagnose.

  4. Select a Detection Method and run the check.

    • One-Click Detection: Checks whether the security group rules allow traffic on common ECS ports.

      Click Start Detection. The system automatically checks the inbound rules for the following common ports and protocols:

      • 22: For remote connections to Linux instances using the Secure Shell (SSH) service.

      • 3389: For remote connections to Windows instances using the Remote Desktop Protocol (RDP) service.

      • 80, 443, 8080: For providing external web services.

      • ICMP: To support the ping command, which uses the Internet Control Message Protocol (ICMP) to test network reachability.

    • Custom Detection: Checks whether the security group rules allow one-way access from a specific IP address to the ECS network interface controller (NIC).

      Configure the parameters based on your requirements. The following example shows how to check an inbound rule from the Internet:

      • Rule Direction: Select Inbound Internet Direction.

      • Source Address: Enter the source public IP address.

      • Destination Port: Enter the port number to check.

      • Protocol Type: Select the protocol.

      Click Start Detection.

  5. View the check results and take action as needed.

    After the check is complete, the system displays the result of each check item.

    • If the result is Opened: The security group rule allows the specified traffic. If the service is still unavailable, check other factors, such as the instance's internal firewall and service listener status.

    • If the result is Not Opened: The security group rule blocks the specified traffic. Click Open Port to quickly add an allow rule.

      Important

      For rules automatically added using the Open Port feature, the source address might be set to 0.0.0.0/0 by default. This setting allows access from any IP address. To secure your server, follow the Principle of Least Privilege (PoLP). For remote management ports, such as 22 and 3389, manually modify security group rules. Set the source to a specific IP address or address range to avoid exposing the port to the Internet. This helps prevent brute-force attacks and unauthorized access.

    • If the result is Cannot Open: The security group rule does not allow the specified traffic. Click Check Details to view more information and manually adjust the rules.
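The following Python model is an added example, not code from this page or from Alibaba Cloud. It evaluates a set of constructed security group rules the way the check above reports them (Opened / Not Opened), runs the One-Click port list against a constructed Internet source address, and flags the 0.0.0.0/0 exposure of ports 22 and 3389 that the Important note warns about. The rule fields, the ordering (lower priority number wins, drop beats accept at equal priority, unmatched inbound traffic is blocked), and the sample rules and addresses are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Ports and protocol that One-Click Detection on this page checks.
ONE_CLICK_CHECKS = [("tcp", 22), ("tcp", 3389), ("tcp", 80),
                    ("tcp", 443), ("tcp", 8080), ("icmp", None)]
REMOTE_MGMT_PORTS = {22, 3389}  # the Important note says to restrict these

@dataclass
class Rule:
    policy: str       # "accept" or "drop"
    priority: int     # 1 (highest) .. 100 (lowest); assumed semantics
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_range: str   # "22/22", "80/8080", or "-1/-1" (all ports / no port)
    source_cidr: str  # e.g. "203.0.113.0/24" or "0.0.0.0/0"

    def covers(self, proto, port):
        """True if this rule's protocol and port range apply to proto/port."""
        if self.protocol not in ("all", proto):
            return False
        lo, hi = (int(x) for x in self.port_range.split("/"))
        return lo == -1 or (port is not None and lo <= port <= hi)

def check_inbound(rules, proto, port, src_ip):
    """One Custom Detection query: lower priority number wins, a drop rule beats
    an accept rule at equal priority, and unmatched inbound traffic is blocked."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: (r.priority, r.policy != "drop")):
        if rule.covers(proto, port) and src in ipaddress.ip_network(rule.source_cidr):
            return "Opened" if rule.policy == "accept" else "Not Opened"
    return "Not Opened"

def one_click(rules, src_ip="198.51.100.7"):  # emulate One-Click Detection
    return {f"{p}/{port or 'any'}": check_inbound(rules, p, port, src_ip)
            for p, port in ONE_CLICK_CHECKS}

def least_privilege_findings(rules):
    """(port_range, exposed_ports) for accept rules that open 22 or 3389 to
    0.0.0.0/0, the default that the Open Port button may produce."""
    open_to_all = [r for r in rules if r.policy == "accept" and r.source_cidr == "0.0.0.0/0"]
    return [(r.port_range, exposed) for r in open_to_all
            if (exposed := sorted(p for p in REMOTE_MGMT_PORTS if r.covers("tcp", p)))]

# Constructed example group: SSH from one office range, web/ICMP open, RDP at 0.0.0.0/0.
EXAMPLE_RULES = [Rule("accept", 1, "tcp", "22/22", "203.0.113.0/24"),
                 Rule("accept", 1, "tcp", "80/80", "0.0.0.0/0"),
                 Rule("accept", 1, "tcp", "443/443", "0.0.0.0/0"),
                 Rule("accept", 1, "icmp", "-1/-1", "0.0.0.0/0"),
                 Rule("accept", 1, "tcp", "3389/3389", "0.0.0.0/0")]
```

Running `one_click(EXAMPLE_RULES)` reports port 22 as Not Opened from the Internet but Opened from the office range, and `least_privilege_findings` returns the RDP rule as the one to tighten.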