
Elastic Compute Service:Security group rule check

Last Updated:Jan 21, 2026

Incorrectly configured security group rules for an ECS instance can cause remote connection failures and make services inaccessible. Overly permissive rules can also introduce security risks. You can use the security group rule check feature to quickly diagnose whether your port access policies work as expected.

Procedure

  1. Go to the ECS Console - Self-service Troubleshooting page. At the top of the page, select the resource group and region where your target resource is located.

  2. On the Self-service Troubleshooting page, on the Security Group Rule Diagnosis tab, click Start Diagnosis.

  3. From the Instance to Check and NIC to Check drop-down lists, select the target resource to diagnose.

  4. Select a Check Method and run the check.

    • One-click Check: Checks whether the security group rules allow traffic on common ECS ports.

      Click Start Check. The system automatically checks the inbound rules for the following common ports and protocols:

      • 22: For remote connections to Linux instances using the Secure Shell (SSH) service.

      • 3389: For remote connections to Windows instances using the Remote Desktop Protocol (RDP) service.

      • 80, 443, 8080: For providing external web services.

      • ICMP: To support the ping command, which uses the Internet Control Message Protocol (ICMP) to test network reachability.

    • Custom Check: Checks whether the security group rules allow one-way access from a specific IP address to the ECS network interface controller (NIC).

      Configure the parameters based on your requirements. The following example shows how to check an inbound rule from the Internet:

      • Rule Direction: Select Inbound from Internet.

      • Source Address: Enter the source public IP address.

      • Destination Port: Enter the port number to check.

      • Protocol Type: Select the protocol.

      Click Start Check.

  5. View the check results and take action as needed.

    After the check is complete, the system displays the result of each check item.

    • If the result is Allowed: The security group rule allows the specified traffic. If the service is still unavailable, check other factors, such as the instance's internal firewall and service listener status.

    • If the result is Blocked: The security group rule blocks the specified traffic. Click Open Port to quickly add an allow rule.

      Important

      For rules automatically added using the Open Port feature, the source address might be set to 0.0.0.0/0 by default. This setting allows access from any IP address. To secure your server, follow the Principle of Least Privilege (PoLP). For remote management ports, such as 22 and 3389, manually modify security group rules. Set the source to a specific IP address or address range to avoid exposing the port to the Internet. This helps prevent brute-force attacks and unauthorized access.

    • If the result is Cannot be allowed: The security group rule does not allow the specified traffic. Click Details to view more information and manually adjust the rules.
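The One-click Check and Custom Check in step 4, and the Allowed/Blocked results in step 5, can be reasoned about offline with a small rule evaluator. The following Python script is an added example, not code from Alibaba Cloud or the ECS console. It assumes a simplified model of inbound security group rules (a lower priority number wins, a drop rule beats an accept rule at the same priority, and traffic that matches no rule is blocked), and it uses constructed sample rules with documentation IP addresses. It also includes an audit helper for the situation the Important note warns about: an accept rule that opens a remote management port to 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Rule:
    """One inbound security group rule (constructed, simplified model)."""
    protocol: str                 # "tcp", "udp", "icmp" or "all"
    port_range: Tuple[int, int]   # inclusive start/end; ignored for icmp
    source_cidr: str              # e.g. "0.0.0.0/0" or "198.51.100.0/24"
    policy: str                   # "accept" or "drop"
    priority: int = 1             # assumption: 1 is highest, 100 is lowest


def rule_matches(rule: Rule, protocol: str, port: Optional[int], source_ip: str) -> bool:
    """Return True if the rule applies to this protocol/port/source combination."""
    if rule.protocol not in ("all", protocol):
        return False
    network = ipaddress.ip_network(rule.source_cidr, strict=False)
    if ipaddress.ip_address(source_ip) not in network:
        return False
    if protocol != "icmp":
        low, high = rule.port_range
        if port is None or not low <= port <= high:
            return False
    return True


def check_access(rules: Sequence[Rule], protocol: str, port: Optional[int], source_ip: str) -> str:
    """Evaluate one Custom Check: 'Allowed' or 'Blocked' for the given traffic."""
    matching = [r for r in rules if rule_matches(r, protocol, port, source_ip)]
    if not matching:
        return "Blocked"  # assumption: no matching rule means default deny
    # Lowest priority number first; at equal priority, drop sorts before accept.
    matching.sort(key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    return "Allowed" if matching[0].policy == "accept" else "Blocked"


# The common ports and protocols listed for the One-click Check.
COMMON_CHECKS: List[Tuple[str, Optional[int]]] = [
    ("tcp", 22), ("tcp", 3389), ("tcp", 80), ("tcp", 443), ("tcp", 8080), ("icmp", None),
]


def one_click_check(rules: Sequence[Rule], source_ip: str = "203.0.113.10") -> Dict[str, str]:
    """Run every common check from one source address and collect the results."""
    results = {}
    for protocol, port in COMMON_CHECKS:
        label = protocol if port is None else f"{protocol}/{port}"
        results[label] = check_access(rules, protocol, port, source_ip)
    return results


def audit_management_ports(rules: Sequence[Rule], management_ports: Sequence[int] = (22, 3389)) -> List[Rule]:
    """Find accept rules that expose a remote management port to any source (0.0.0.0/0)."""
    findings = []
    for rule in rules:
        if rule.policy != "accept" or rule.protocol not in ("tcp", "all"):
            continue
        if ipaddress.ip_network(rule.source_cidr, strict=False).prefixlen != 0:
            continue
        low, high = rule.port_range
        if any(low <= p <= high for p in management_ports):
            findings.append(rule)
    return findings


# Constructed sample rule set: SSH open to the world, RDP restricted to one
# office range with an explicit lower-priority drop, web on 80 only, ICMP open.
SAMPLE_RULES = [
    Rule("tcp", (22, 22), "0.0.0.0/0", "accept", 1),
    Rule("tcp", (80, 80), "0.0.0.0/0", "accept", 1),
    Rule("tcp", (3389, 3389), "198.51.100.0/24", "accept", 1),
    Rule("tcp", (3389, 3389), "0.0.0.0/0", "drop", 50),
    Rule("icmp", (0, 0), "0.0.0.0/0", "accept", 1),
]

if __name__ == "__main__":
    for label, result in one_click_check(SAMPLE_RULES).items():
        print(f"{label:10} {result}")
    for rule in audit_management_ports(SAMPLE_RULES):
        print(f"least-privilege finding: port {rule.port_range} accepted from {rule.source_cidr}")
```

Running the script reports 22, 80 and ICMP as Allowed and 3389, 443 and 8080 as Blocked for the sample Internet source, while the same 3389 check from 198.51.100.5 is Allowed; the audit flags only the SSH rule, which is the one the Important note says to narrow to a specific source range.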