Define inbound and outbound access control rules for ECS instances in a security group.
Before you use security group rules, note the following:
- In a VPC, security group rules are categorized as inbound and outbound, controlling both public and internal network traffic.
- Security groups are stateful. A session can last up to 910 seconds. After a connection is established, the security group permits all traffic within that session. For example, if an inbound packet is allowed, the corresponding outbound packet is also allowed.
- To avoid disrupting established sessions when changing a basic security group association, first add the ECS instance or elastic network interface to the new security group, wait about 10 seconds, and then remove it from the old one.
- TCP port 25 is restricted by default for security reasons. Use port 465 to send emails instead.
- A security group without custom rules applies implicit default rules. Basic security groups allow inbound internal traffic from instances in the same group and allow all outbound traffic by default. Enterprise security groups deny both inbound and outbound traffic by default. See Basic and enterprise security groups.
- The internal communication policy of a basic security group controls whether instances in the group can access each other over the internal network. By default, internal communication is allowed. If instances do not need internal access to each other, follow the principle of least privilege and set the policy to isolate them. See Modify the internal communication policy of a basic security group.
- When an instance belongs to multiple security groups, rules from all groups are aggregated, sorted, and applied together with default rules to allow or deny traffic. See Security group custom rule matching policy.
- Security group rules have the following limits:
  - An elastic network interface can be associated with up to 10 security groups.
  - The total number of inbound and outbound rules across all security groups for a single elastic network interface cannot exceed 1,000.
  See Limits on security groups.
  Keep rules concise to stay within limits and reduce complexity. Use the health check feature to detect and remove redundant rules. See Check for redundant rules in a security group.
Rule components
A custom security group rule consists of these components:
- Protocol type: The network protocol to match. Supports two value types:
  - Protocol name: TCP, UDP, ICMPv4, ICMPv6, and GRE.
  - IP protocol number: An integer from 0 to 255 per IANA standards. For example, 6 for TCP, 17 for UDP, 1 for ICMPv4, 58 for ICMPv6, and 47 for GRE.
- Port range: The destination port. Specify a single port range or a port list.
  - Single port range: For TCP and UDP, specify a range separated by a forward slash (/), such as 8000/9000 or 22/22. For other protocols, set this to -1/-1. See Common ports.
  - Port list: A collection of ports. The rule consumes quota entries equal to the maximum capacity of the port list, not the actual port count. Protocol type must be TCP or UDP. See Overview of port lists.
- Authorization object: The traffic source (inbound) or destination (outbound). Specify a CIDR block, IP address, security group, or prefix list.
  - IPv4 address: For example, 192.168.0.100.
  - IPv4 CIDR block: For example, 192.168.0.0/24.
  - IPv6 address: For example, 2408:4321:180:1701:94c7:bc38:3bfa:9. The system normalizes IPv6 addresses, such as 2408:180:0000::1 to 2408:180::1.
  - IPv6 CIDR block: For example, 2408:4321:180:1701::/64. The system normalizes IPv6 CIDR blocks, such as 2408:4321:180:0000::/64 to 2408:4321:180::/64.
  - Security group ID: Grant access to a security group in your account or another account. The system matches traffic by the private IP addresses of ECS instances in the target group. For example, granting access to security group A allows traffic from the private IP addresses of instances in group A.
  - Prefix list ID: A collection of CIDR blocks. The rule consumes quota entries equal to the maximum capacity of the prefix list, not the actual CIDR block count. See Overview of prefix lists.
- Authorization policy: The action to apply to matched traffic: Allow or Deny.
- Priority: A value from 1 to 100. A smaller value indicates a higher priority. Rules are sorted by priority first, then by authorization policy. See Match policy for custom security group rules.
- Rule direction: Inbound (incoming traffic) or outbound (outgoing traffic).
- NIC type: In a VPC, rules control both public and internal network access.
- Rule ID: A system-generated unique ID for each rule. Use this ID to modify or delete the rule.
A rule matches traffic by protocol type, port range, and authorization object, then allows or denies it. For inbound rules, the authorization object matches the source address; for outbound rules, it matches the destination address. The port range matches the destination port. For more precise control, use quintuple rules.
Rule matching policy
An ECS instance can belong to one or more security groups. To determine whether to allow traffic (for example, inbound traffic), the system applies this matching policy:
- The system combines inbound rules from all associated security groups and sorts them:
  - By priority (smaller value = higher priority).
  - By authorization policy (Deny takes precedence over Allow at the same priority).
- The system evaluates traffic against each rule in order. When a match is found, the system allows or denies the traffic per the rule's authorization policy.
Security groups also have implicit default rules that apply when no custom rule matches. See Basic and enterprise security groups.
Special security group rules
Security groups allow specific network traffic by default in certain scenarios to ensure stable ECS operation and proper cloud feature functionality. You cannot block this traffic with custom rules. These scenarios include:
- Network connectivity checks under specific conditions: When underlying components change, Alibaba Cloud may perform Ping probes on ECS instances to verify network connectivity. Security groups allow this probe traffic by default.
- ICMP (PMTUD error messages): If an ECS instance sends a packet exceeding the path MTU with the DF (Don't Fragment) flag set, it receives an ICMP error containing the correct MTU. This instructs the instance to reduce its packet size. Security groups allow this traffic by default. See Jumbo frames.
- SLB traffic: When an SLB instance (such as ALB, NLB, or CLB) forwards traffic to backend ECS instances, security groups allow this traffic by default. The SLB instance's security groups or ACLs control the inbound and outbound traffic instead.
- MetaServer access: MetaServer provides essential metadata services for ECS instances. Security groups allow outbound traffic to MetaServer (100.100.100.200) by default. No additional rules are needed.
Security group quintuple rules
In the console, security group rules consist of these components by default:
- Inbound rule: source IP address, destination port, and protocol type.
- Outbound rule: destination IP address, destination port, and protocol type.
For more precise control, use an API to configure quintuple rules. Quintuple rules are fully compatible with existing rules and require five fields: source IP address, source port, destination IP address, destination port, and protocol type.
When specifying the destination IP (inbound) or source IP (outbound) for a specific ECS instance, use its private IP address, not the public IP or EIP. Public IPs and EIPs are NAT IP addresses on Alibaba Cloud gateways. Security groups operate on the elastic network interface and control traffic by private IP.
For example, the following quintuple outbound rule allows TCP traffic from 172.16.1.0/32 on source port 22 to 10.0.0.1/32:
- Source IP address: 172.16.1.0/32
- Source port: 22
- Destination IP address: 10.0.0.1/32
- Destination port: Unrestricted
- Protocol type: TCP
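The following is an added example, not Alibaba Cloud's code: a small Python simulation of the rule matching policy described above (rules of all groups combined, sorted by priority and then Deny before Allow, first match wins, otherwise the implicit default) that also accepts the two extra quintuple fields. The rules, addresses and the ENI's private IP are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int                  # 1..100, smaller value = higher priority
    policy: str                    # "Allow" or "Deny"
    protocol: str                  # "TCP", "UDP", "ICMPv4", "ICMPv6", "GRE" or "ALL"
    peer_cidr: str                 # authorization object: source (inbound) / destination (outbound)
    port_range: str = "-1/-1"      # destination port range, e.g. "22/22"; -1/-1 = unrestricted
    local_cidr: str = "0.0.0.0/0"  # quintuple: the instance's private IP side
    src_port_range: str = "-1/-1"  # quintuple: source port range

def _port_ok(port, rng):
    lo, hi = (int(x) for x in rng.split("/"))
    return lo == -1 or lo <= port <= hi

def _ip_in(ip, cidr):
    # Mixed IPv4/IPv6 comparisons simply do not match
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(rule, proto, peer_ip, local_ip, dst_port, src_port):
    return (rule.protocol in ("ALL", proto)
            and _ip_in(peer_ip, rule.peer_cidr) and _ip_in(local_ip, rule.local_cidr)
            and _port_ok(dst_port, rule.port_range) and _port_ok(src_port, rule.src_port_range))

def evaluate(groups, proto, peer_ip, local_ip, dst_port, src_port=0, default="Deny"):
    """Combine the rules of all groups, sort by priority then Deny before Allow,
    and return (decision, matched rule). With no match the implicit default applies."""
    combined = [r for g in groups for r in g]
    combined.sort(key=lambda r: (r.priority, 0 if r.policy == "Deny" else 1))
    for r in combined:
        if rule_matches(r, proto, peer_ip, local_ip, dst_port, src_port):
            return r.policy, r
    return default, None

# Constructed inbound rules of two groups attached to one ENI (private IP 172.16.1.5)
SG_WEB = [Rule(1, "Allow", "TCP", "0.0.0.0/0", "80/80"),
          Rule(1, "Allow", "TCP", "0.0.0.0/0", "443/443")]
SG_OPS = [Rule(1, "Allow", "TCP", "203.0.113.0/24", "22/22"),
          Rule(1, "Deny", "TCP", "203.0.113.9/32", "22/22"),  # equal priority: Deny wins
          Rule(100, "Deny", "ALL", "0.0.0.0/0")]               # explicit catch-all deny
# Constructed outbound quintuple rule shaped like the example above
SG_OUT = [Rule(1, "Allow", "TCP", "10.0.0.1/32", "-1/-1", "172.16.1.0/32", "22/22")]

if __name__ == "__main__":
    print(evaluate([SG_WEB, SG_OPS], "TCP", "203.0.113.9", "172.16.1.5", 22))   # Deny
    print(evaluate([SG_WEB, SG_OPS], "TCP", "203.0.113.10", "172.16.1.5", 22))  # Allow
    print(evaluate([SG_OUT], "TCP", "10.0.0.1", "172.16.1.0", 4444, 22))        # Allow
```

Pass default="Allow" when simulating the outbound direction of a basic security group, since its implicit default allows all outbound traffic.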
Rule configuration examples
Configure security group rules for common scenarios such as hosting a web service or remotely connecting to an instance:
- Case 2: Allow specific users to remotely access an ECS instance
- Case 3: Security policies for a database service deployed on an ECS instance
- Case 4: Allow access only for services that use a specific protocol
- Case 6: Restrict an ECS instance from accessing external websites
- Case 5: Enable internal network communication between instances in different security groups