You can add custom security group rules to a security group to control inbound and outbound traffic for Elastic Compute Service (ECS) instances in the security group.

Before you use security group rules, take note of the following items:
  • The rules that are added to security groups of the Virtual Private Cloud (VPC) network type can be classified into inbound and outbound rules that take effect on both public and internal traffic. The rules that are added to security groups of the classic network type can be classified into Internet ingress (or public inbound), Internet egress (or public outbound), internal inbound, and internal outbound rules. Internet ingress and egress rules control public traffic, whereas internal inbound and outbound rules control internal traffic.
  • Security groups are stateful. A session for a security group can persist for up to 910 seconds. If instances in the same security group can be accessed and sessions are established to the instances, the security group allows traffic in both directions during the sessions. For example, during a session, if request traffic is allowed to flow in, the corresponding response traffic is also allowed to flow out.
  • TCP port 25 is the default email service port. For security concerns, TCP port 25 of ECS instances is blocked by default. To send emails, we recommend that you use port 465. For more information, see Basic security groups and advanced security groups.
  • Before you add rules to a security group, take note that the security group contains default access control rules that are invisible to you. The default access control rules and the custom rules that you add take effect together to control traffic for ECS instances in the security group. Basic and advanced security groups have different sets of default access control rules. For basic security groups, the default inbound access control rules allow only internal traffic from ECS instances in a basic security group, and the default outbound access control rules allow all traffic. For advanced security groups, the default access control rules do not allow any traffic. For more information, see Basic security groups and advanced security groups.
  • The internal access control policy of a basic security group affects the default access control rules of the security group. By default, a basic security group supports the internal interconnectivity policy. This policy allows all internal traffic from and to ECS instances in the basic security group. If you do not require instances in a basic security group to access each other, we recommend that you follow the principle of least privilege to configure the internal isolation policy for the security group. For more information, see Modify the internal access control policy of a security group.
  • For an ECS instance that is associated with multiple security groups, all the security group rules of the security groups are automatically sorted and work together with the default access control rules of the security groups to control traffic. The rules are processed in a specific order. Processing continues until a rule is matched. For more information, see Sorting policy of security group rules.
  • By default, you can add a maximum of 200 rules to a single security group. You can change the maximum number of rules that can be added to a single security group and the maximum number of security groups with which a single ECS instance can be associated. For more information, see the "Security group limits" section of the Limits topic. We recommend that you keep the security group rules of each security group concise to facilitate management. You can perform health checks on security groups to identify redundant security group rules. For more information, see Identify redundant security group rules.

Composition of each security group rule

A single custom security group rule consists of the following information:
  • Protocol type: the protocol type. TCP, User Datagram Protocol (UDP), Internet Control Messages Protocol version 4 (ICMPv4), ICMP version 6 (ICMPv6), and Generic Routing Encapsulation (GRE) are supported.
  • Port range: the destination port range. For TCP and UDP protocols, use a slash (/) to separate the start port number and the end port number in order to specify a port range. Examples: 8000/9000 and 22/22. For other protocols, set the value to -1/-1. For more information, see Common ports.
  • Authorization object: the source of traffic for inbound rules or the destination of traffic for outbound rules. You can specify the following elements as authorization objects:
    • IPv4 addresses. Example: 192.168.0.100.
    • IPv4 CIDR blocks. Example: 192.168.0.0/24.
    • IPv6 addresses. Example: 2408:4321:180:1701:94c7:bc38:3bfa:9. The IPv6 addresses that you specify are standardized. For example, 2408:180:0000::1 is converted to 2408:180::1.
    • IPv6 CIDR blocks. Example: 2408:4321:180:1701::/64. The IPv6 CIDR blocks that you specify are standardized. For example, 2408:4321:180:0000::/64 is converted to 2408:4321:180::/64.
    • Security group IDs. Security groups in the current account or other accounts can be specified. If you specify a security group ID as the authorization object in a security group rule, the rule controls internal traffic to or from the internal IP addresses of ECS instances in the security group. For example, if you specify security group A that contains ECS instance B as the authorization object, you are implementing access control on the internal IP address of instance B.
    • Prefix list IDs. A prefix list is a set of one or more network prefixes (CIDR blocks). If you specify a prefix list as the authorization object in a security group rule, the maximum number of entries in the prefix list counts against the rule quota of the security group. For more information, see Overview.
  • Action: the action to allow or deny access. If a request meets the protocol, port range, and authorization object requirements of a security group rule, the action that you specify in the rule is performed to allow or deny the request.
  • Priority: the priority of the rule. The priority ranges from 1 to 100. A smaller value indicates a higher priority. Security group rules are sorted first by priority, and then by action. For more information, see the "Sorting policy of security group rules" section of this topic.
  • Rule direction: Inbound and outbound rules are supported to control inbound and outbound traffic.
  • NIC type: The network interface controller (NIC) type is supported only for security group rules in security groups of the classic network type. You can specify the NIC type to configure public or internal security group rules. Public security group rules take effect on public NICs of ECS instances that reside in the classic network to control public traffic. Internal security group rules take effect on internal NICs of ECS instances that reside in the classic network to control internal traffic. Security group rules that are added to security groups of the VPC type control both public and internal access.
  • Rule ID: When you add a security group rule, the system generates a unique ID for the rule. To modify or delete an existing security group rule, you can use the rule ID to find the rule.

If a request meets the protocol, port range, and authorization object requirements of a security group rule, the action that you specify in the rule is performed to allow or deny the request. When a general inbound rule is processed, the source IP address of the traffic is matched against the authorization object and the destination port number of the traffic is matched against the port range. When a general outbound rule is processed, the destination IP address of the traffic is matched against the authorization object and the destination port number of the traffic is matched against the port range. To implement more fine-grained access control, we recommend that you use security group quintuple rules. For more information, see Security group quintuple rules.

Sorting policy of security group rules

A single ECS instance can be associated with one or more security groups. The security group rules that apply to an ECS instance control traffic for the ECS instance. The following items describe how the system processes the security group rules to control inbound traffic for the instance:
  1. Collect and sort all inbound security group rules.
    1. First, sort the security group rules by priority in descending order. A rule with a smaller priority value has a higher priority.
    2. Second, rank security group rules whose Action is set to Deny before rules whose Action is set to Allow.
  2. The system matches requests with the security group rules that apply to the instance in the order in which the rules are sorted, based on the protocol type, port range, and authorization object. If a request matches a rule, the action specified in the rule is performed to allow or deny the request.

In addition to custom security group rules, security groups contain default security access control rules that take effect but are invisible to you. For more information, see Default access control rules.

Use cases for security groups

Alibaba Cloud provides examples on how to configure security group rules in common scenarios, such as providing web services for websites and connecting to instances. For more information, see Security groups for different use cases.