All Products
Search
Document Center

Elastic Compute Service:Security FAQ

Last Updated:May 08, 2024

This topic provides answers to some frequently asked questions about the security of Elastic Compute Service (ECS) instances, including questions about security groups, security group rules, host penalty and unblocking, and resource quota management.

What is a security group?

A security group is a virtual firewall that controls inbound and outbound traffic for one or more ECS instances. You can use security groups to divide security domains in the cloud.

Each ECS instance must belong to at least one security group. When you create an ECS instance, you must specify a security group for the instance. Security groups are classified into basic and advanced security groups. For more information, see Overview of security groups.

Why must I select a security group when I create an ECS instance?

Before you create ECS instances, you must use security groups to divide your application environment into security domains and configure security group rules to control access to the security domains.

If you do not select a security group when you create an ECS instance, the instance is automatically assigned to the default security group. We recommend that you move the instance from the default security group to a security group that you created.

I did not create security groups. Can I still create an ECS instance?

Yes, you can create an ECS instance if you did not create security groups. If you have not created security groups when you create an ECS instance, the instance is automatically assigned to the default security group. The default security group allows traffic on common ports such as TCP port 22 and RDP port 3389.

Why do I receive a message indicating that the maximum number of security group rules has been reached when I add an ECS instance to a security group?

You can use the following formula to calculate the maximum number of security group rules that can be associated with an ECS instance (the maximum number of security group rules that can be associated with the primary ENI of the instance): Maximum number of security groups to which the instance can belong × Maximum number of security group rules in each security group.

If you receive the following error message, the maximum number of security group rules that can be associated with the instance is reached: The operation cannot be performed because the maximum number of security group rules that can take effect on the instance is reached. We recommend that you select another security group.

If I adjust the maximum number of security groups to which an ECS instance of the VPC type can belong, does the adjustment take effect only on security groups that are subsequently created?

No, the adjustment takes effect on all security groups to which ECS instances of the VPC type belong, regardless of when the security groups are created.

In what scenarios can the default security group rules be used?

The default security group rules can be used in the following scenarios:

  • If you have not created a security group the first time you create an ECS instance in a region in the ECS console, you can select the system-created default security group. The default security group is a basic security group. The default security group contains default security group rules. The default security group rules are inbound rules that have a priority of 100 and grant access to all CIDR blocks (0.0.0.0/0). The rules allow inbound Internet Control Message Protocol (ICMP) traffic on all ports and inbound TCP traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389. You can also choose to allow inbound traffic on HTTP port 80 and HTTPS port 443. All outbound traffic is allowed.

  • When you create a security group in the ECS console, the system creates default security group rules in the security group. The default security group rules are inbound rules that grant access to all CIDR blocks (0.0.0.0/0). The rules allow inbound ICMP traffic on all ports, and inbound TCP traffic on SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443.

How do ECS instances in different security groups communicate with each other over the internal network?

By default, ECS instances in different security groups in the same account or different accounts are isolated from each other over the internal network. For information about the use cases in which instances in different security groups can communicate with each other over the internal network, see the Security group rules for instances within different security groups to communicate with each other section of the "Security groups for different use cases" topic and Best practices for configuring internal network-based interconnection between instances that belong to different security groups in the classic network.

How do I isolate ECS instances in the same security group over the internal network?

By default, ECS instances in the same basic security group can communicate with each other over all protocols and ports. You can modify the internal access control policies of basic security groups to isolate ECS instances in the security groups. For more information, see Network isolation within a basic security group.

How do I isolate the traffic of two ENIs on the same ECS instance?

If two ENIs are bound to an ECS instance, you cannot use security groups to isolate the traffic of the ENIs. Security groups work on virtual network devices but do not work on ECS instance operating systems. By default, the traffic of two ENIs on the same ECS instance is routed and forwarded in the instance operating system and is not controlled by security groups. As a result, you cannot use security groups to isolate the traffic of the ENIs.

You can use the namespace mechanism of the operating system to add each ENI to a separate namespace. This way, the traffic of the ENIs is forwarded from the instance operating system and passes through security groups, and you can use security groups to isolate the traffic of the ENIs.

Why am I unable to access services after I configure a security group?

When traffic on a port is allowed by a security group rule in the ECS console, access to and from the port is not restricted. However, this does not indicate that the port is enabled. To allow Internet access to a port of an ECS instance, make sure that the following requirements are met:

  • Traffic on the port is allowed by a security group rule.

  • Software that listens on the port is in the running state and has a listening address of 0.0.0.0. You can run the netstat -ano |findstr <Port number> command to check whether the port is in the listening state.

  • The internal firewall of the ECS instance is disabled, or traffic on the port is allowed by the firewall.

How do I add an ENI to security groups?

You can remove an ENI from security groups and then add the ENI to other security groups by changing the security groups of the ENI. You can change the security groups of a primary ENI by changing the security groups of the ECS instance to which the ENI is bound. You can change the security groups to which a secondary ENI belongs by modifying the attributes of the ENI. For more information, see Modify the attributes of an ENI.

Can I convert a basic security group into an advanced security group or convert an advanced security group into a basic security group?

No, you cannot convert a basic security group into an advanced security group or convert an advanced security group into a basic security group. If you want to convert a security group from the current type to the other type, you can create a security group of the other type and clone the security group rules from the existing security group to the new security group. For more information, see Create a security group, Export and import security group rules, Manage ECS instances in security groups, and Manage ENIs in security groups.

In what scenarios must I add security group rules?

You must add security group rules in the following scenarios to ensure that your ECS instance can be accessed:

  • The security group to which your ECS instance belongs does not contain custom or default security group rules. Your ECS instance needs to access the Internet or another ECS instance in a different security group in the same region.

  • The application deployed on your ECS instance uses a specific port or port range instead of the default port. In this case, you must allow access on the specified port or port range before you check whether the application is connected. For example, you deployed NGINX and want to specify TCP port 8000 as the listening port, but your security group allows only port 80. You must add a security group rule to ensure that NGINX can be accessed.

  • For information about other scenarios, see Security groups for different use cases.

What is the relationship between the protocol types and port ranges in security group rules?

You must specify a communication port or port range when you add security group rules to a security group. The security group can determine whether to allow traffic destined for ECS instances based on the Allow or Deny rules.

The following table describes the relationship between the protocol types and port ranges in security group rules. For more information about common ports, see Common ports.

Protocol

Port range

Scenario

All

-1/-1 is displayed, which indicates all ports. You cannot configure a port range for this protocol type.

You can use this protocol type in all trusted scenarios.

All ICMP (IPv4)

-1/-1 is displayed, which indicates all ports. You cannot configure a port range for this protocol type.

You can use this protocol type when you run the ping command to check the status of network connections between ECS instances.

All GRE

-1/-1 is displayed, which indicates all ports. You cannot configure a port range for this protocol type.

You can use this protocol type for VPN.

Custom TCP

A custom port range. Valid values of port numbers: 1 to 65535.

Specify a port range or a single port in the <Start port>/<End port> format. For example, 80/80 indicates port 80 and 1/22 indicates ports 1 to 22.

You can use this protocol type to allow or deny traffic on a single port or a range of ports.

Custom UDP

A custom port range. Valid values of port numbers: 1 to 65535.

Specify a port range or a single port in the <Start port>/<End port> format. For example, 80/80 indicates port 80 and 1/22 indicates ports 1 to 22.

You can use this protocol type to allow or deny traffic on a single port or a range of ports.

The following table describes the common scenarios in which TCP ports are used.

Scenario

Protocol

Port range

Description

Connection to a server

SSH

22/22

This TCP port can be used to connect to a Linux ECS instance over SSH. After you connect to the instance, you can change the port number. For more information, see Change the default port used by an instance to accept connections.

TELNET

23/23

This TCP port can be used to connect to an ECS instance over Telnet.

RDP

3389/3389

This TCP port can be used to connect to a Windows ECS instance over RDP. After you connect to the instance, you can change the port number. For more information, see Change the default port used by an instance to accept connections.

Website service

HTTP

80/80

This TCP port can be used when an ECS instance serves as a website server or web application server.

HTTPS

443/443

This TCP port can be used when an ECS instance serves as a website server or web application server that supports HTTPS.

Database

MS SQL

1433/1433

This TCP port can be used when an ECS instance serves as an MS SQL server.

Oracle

1521/1521

This TCP port can be used when an ECS instance serves as an Oracle SQL server.

MySQL

3306/3306

This TCP port can be used when an ECS instance serves as a MySQL server.

PostgreSQL

5432/5432

This TCP port can be used when an ECS instance serves as a PostgreSQL server.

Redis

6379/6379

This TCP port can be used when an ECS instance serves as a Redis server.

What is the relationship between the IP addresses and CIDR blocks that are specified as authorization objects in security group rules?

IP addresses are individual IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:. CIDR blocks are IP address ranges. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128.

CIDR is an addressing scheme for the Internet that allows for IP addresses to be assigned in a more efficient manner than the traditional scheme based on classes A, B, and C. CIDR notation is used to denote IP addresses and IP ranges. It consists of an IP address and a forward slash followed by a decimal number that denotes how many bits are in the network prefix.

  • Example 1: Convert a CIDR block into an IP address range

    For example, you can convert the 10.0.0.0/8 CIDR block into a 32-bit binary IP address of 00001010.00000000.00000000.00000000. In this CIDR block, /8 represents an 8-bit network ID. The first 8 bits of the 32-bit binary IP address are fixed, and the corresponding IP addresses are from 00001010.00000000.00000000.00000000 to 00001010.11111111.11111111.11111111. After you convert the preceding IP addresses into IP addresses in the decimal format, the 10.0.0.0/8 CIDR block indicates the IP addresses from 10.0.0.0 to 10.255.255.255 with a subnet mask of 255.0.0.0.

  • Example 2: Convert an IP address range into a CIDR block

    For example, you have a range of IP addresses from 192.168.0.0 to 192.168.31.255. You can convert the last two parts of the first and last IP addresses to binary numbers from 00000000.00000000 to 00011111.11111111. The first 19 (8 × 2 + 3) bits are fixed. After you convert the IP addresses to IP addresses in the CIDR format, the corresponding CIDR block is 192.168.0.0/19.

Why am I unable to access TCP port 25?

TCP port 25 is the default email service port. For security reasons, TCP port 25 is disabled for ECS instances. We recommend that you use port 465 to send emails. For more information, see Security groups for different use cases.

Why am I unable to access TCP port 80?

For information about how to troubleshoot issues related to port 80, see What do I do if I cannot access a service deployed on an instance?.

Why are several internal security group rules automatically added to my security group?

Security group rules may be automatically added to your security group in one of the following scenarios:

  • You accessed Data Management (DMS).

  • You migrated data by using Alibaba Cloud Data Transmission Service (DTS). The security group rules that are associated with the IP addresses of DTS servers are automatically added to your security group.

What happens if a security group rule is incorrectly configured?

If a security group rule is incorrectly configured, the ECS instances associated with the rule cannot communicate with other devices over the internal network or the Internet. Examples:

  • Linux ECS instances cannot be connected to by using SSH. Windows ECS instances cannot be connected to by using RDP.

  • The public IP addresses of ECS instances cannot be remotely pinged.

  • The web services provided by the ECS instances cannot be accessed over HTTP or HTTPS.

  • ECS instances associated with the security group rule cannot communicate with other ECS instances over the internal network.

Are the inbound and outbound rules in a security group separately counted?

No, the inbound and outbound rules in a security group are counted together. The total number of inbound and outbound rules in each security group cannot exceed 200. For more information, see Limits.

Can I adjust the maximum number of security group rules that can be created in a security group?

No, you cannot adjust the maximum number of security group rules that can be created in a security group. Up to 200 security group rules can be created in each security group. Each ENI of an ECS instance can be added to up to five security groups. This allows each ENI of an ECS instance to be associated with up to 1,000 security group rules. This limit is suitable for most usage scenarios.

If you reach the maximum number of security group rules that can be created in a security group and want additional rules, perform the following steps:

  1. Check whether redundant rules exist. You can submit a ticket to ask Alibaba Cloud technical support personnel to perform the check.

  2. If redundant security group rules exist, delete them and then create additional rules. If no redundant security group rules exist, create security groups and then create additional rules.

If you activated Cloud Firewall, configure access control policies on VPC firewalls to control traffic between VPCs. This way, fewer ECS security group rules are required. For information about how to configure access control policies on VPC firewalls, see Create an access control policy for a VPC firewall.

How are the security group rules that I created prioritized?

The priority of security group rules ranges from 1 to 100. A smaller value indicates a higher priority.

For security group rules of the same type, the rule that has the highest priority is applied. If an ECS instance belongs to multiple security groups, the security group rules of the security groups are applied to the instance in descending order of priority. Security group rules are applied based on the following principles:

  • If two security group rules differ only in the action, the Deny rule is applied.

  • If two security group rules differ only in the priority, the rule that has the higher priority is applied.

How do I forbid RAM users to configure security group rules?

To forbid a RAM user to configure security group rules, attach the following policy to the RAM user. The policy restricts the use of the API operations that can be called to configure security group rules.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:ModifySecurityGroupRule",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ConfigureSecurityGroupPermissions"
      ],
      "Resource": "*"
    }
  ]
}

What do I do if I receive a notification that my website is blocked due to illegal activities and must be rectified?

You can check the records of harmful Internet information to view the domain names or URLs that contain harmful information, penalty actions, reasons for the penalty, and duration of the penalty. When you confirm that the harmful information is cleared from or does not exist in your domain name or URL, you can apply to unblock the domain name or URL. For more information, see View harmful Internet information.

What do I do if I receive a notification that my website is penalized for malicious behaviors?

You can check the penalty records to view the details of the penalty actions, reasons for the penalty, and duration of the penalty. If you do not agree with the penalty, file an appeal. After Alibaba Cloud receives your appeal on the penalty, Alibaba Cloud checks whether the penalty is correct and valid and then upholds or rescinds the penalty based on the check result. For more information, see View the penalty list.

How can I view the resource quota?

For more information about how to view the limits and quotas of resources, see Limits.