Elastic Compute Service: Use prefix lists and port lists to efficiently manage security group rules

Last Updated:Apr 15, 2025

A prefix list is a collection of network prefixes (CIDR address blocks), and a port list is a collection of ports or port ranges. You can reference prefix lists and port lists when you configure security group rules. Modifying the entries of a prefix list or port list has the same effect as modifying every security group rule that references that list, so you no longer have to maintain multiple security group rules that differ only in their authorization objects or port ranges. This topic describes how to use prefix lists and port lists to manage security group rules efficiently.

Scenarios

Suppose that, to protect your cloud resources, you have divided them into multiple security domains, each mapped to its own security group. Resources in several of these domains must be reachable from one common source (such as an on-premises office network), and this source has numerous IP address ranges that change frequently.

When the network addresses of the common resource change, you need to adjust rules for multiple security groups. The more security groups and network addresses you have, the greater the management workload.

In this case, you can add the IP address ranges and IP addresses of the common source to a prefix list, add the service ports that your cloud resources expose to that source to a port list, and reference the prefix list and port list when you configure security group rules. When the addresses or ports change, you modify only the entries of the prefix list or port list, which is equivalent to modifying the access control rules of every associated security group. You no longer need to touch the rules of each security group individually, which reduces management complexity and the chance of a missed or inconsistent rule.

For example, if you have 50 security groups and need to allow access from an IP address, you must perform the add operation 50 times. If you use a prefix list, you only need to add the IP address to the prefix list once.

When your cloud resources are distributed across multiple Alibaba Cloud regions, you can use the clone feature of prefix lists or port lists to clone an existing prefix list or port list to other regions.

Procedure

This procedure walks through the entire workflow with two CIDR address blocks and two ports: it uses a prefix list and a port list to specify which IP addresses are allowed to access services deployed on ECS instances, and then changes that authorization after the initial setup.

  1. Create a prefix list.

    1. Go to the ECS console - Prefix Lists.

    2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

    3. In the Prefix Lists tab, click Create Prefix List.

    4. In the Create Prefix List dialog box, set the parameters for the prefix list and click OK.

      This example includes two IPv4 entries. The parameters are set as follows:

      • Prefix List Name: RemoteAccess-IP

      • Description: Allow IP addresses in this prefix list to access ECS instances managed by security groups

      • Address Family: IPv4

      • Max Entries: 2

        Note

        The rule quota consumed in resources that reference a prefix list, such as security groups, is calculated from the Max Entries value of the prefix list, not from the number of entries it actually contains. Set Max Entries to the number of entries you realistically need rather than an arbitrarily large value.

      • Prefix List Entries: Click Add Entry to add 192.168.1.0/24 and 192.168.2.0/24.

        Because CIDR address blocks are used, the preceding entries correspond to multiple IP addresses:

        • 192.168.1.0/24: 192.168.1.0 to 192.168.1.255.

        • 192.168.2.0/24: 192.168.2.0 to 192.168.2.255.

  2. Create a port list.

    1. In the Port Lists tab, click Create Port List.

    2. In the Create Port List dialog box, set the parameters for the port list and click OK.

      This example includes two port entries. The parameters are set as follows:

      • Port List Name: RemoteAccess-Port

      • Description: Open ports in this port list for ECS instances managed by security groups to allow access to services deployed on the ECS instances

      • Max Entries: 2

        Note

        The rule quota consumed in resources that reference a port list, such as security groups, is calculated from the Max Entries value of the port list, not from the number of entries it actually contains. Set Max Entries to the number of entries you realistically need rather than an arbitrarily large value.

      • Port List Entries: Click Add Entry to add 20000/20000 and 20008/20008. Each entry is a port range written as low/high; a single port is written with the same value on both sides. This example assumes that the services deployed on the ECS instances listen on ports 20000 and 20008.

  3. Use the prefix list and port list in security group rules.

    Repeat the following steps for each security group that needs the rule, using the RemoteAccess-IP prefix list as the access source and the RemoteAccess-Port port list as the access destination.

    1. Go to ECS console - Security Groups.

    2. Find the target security group and click Configure Rules in the Operation column.

    3. On the Inbound tab, click Add Rule.

      Note

      This example demonstrates operations for a virtual private cloud (VPC) security group. A classic network security group separates its inbound rules by network type; select the tab that matches whether the source addresses in the prefix list are public or private IP addresses.

    4. Set the parameters for the security group rule and click Save.

      This example allows access to services deployed on instances in the security group. The parameters are set as follows:

      • Authorization Policy: Allow

      • Priority: 1

      • Protocol Type: Custom TCP

      • Access Source: Select the RemoteAccess-IP prefix list

      • Access Destination: Select the RemoteAccess-Port port list

      After you add this security group rule, the security group allows TCP traffic from any IP address in the RemoteAccess-IP prefix list to any port in the RemoteAccess-Port port list. Traffic from other sources, or to other ports, is not allowed by this rule.

  4. Modify entries in the prefix list and port list.

    If the authorized IP addresses or the service ports on your ECS instances change after you have added the security group rules, you do not need to modify the rules of each security group one by one. You only need to modify the entries of the RemoteAccess-IP prefix list and the RemoteAccess-Port port list. For example, if the authorized private IP address ranges change to 192.168.3.0/24 and 192.168.4.0/24, and the service ports change to 30000 and 30008, follow these steps.

    1. Go to the ECS console - Prefix Lists.

    2. In the Prefix Lists tab, find the RemoteAccess-IP prefix list and click Details in the Operation column.

    3. Click the Prefix List Entries tab.

    4. Find the prefix list entry that you want to change and click Modify in the Operation column.

    5. Set the CIDR Address Block parameter and click Save.

      Modify the two existing entries by setting the CIDR Address Block parameter to 192.168.3.0/24 and 192.168.4.0/24.

    6. In the Port Lists tab, find the RemoteAccess-Port port list and click Details in the Operation column.

    7. Click the Port List Entries tab.

    8. Find the port list entry that you want to change and click Modify in the Operation column.

    9. Set the Port Range parameter and click Save.

      Modify the two existing entries by setting the Port Range parameter to 30000/30000 and 30008/30008.

After you modify entries in a prefix list or port list, the change takes effect automatically in every security group rule that references the list; you do not need to edit or re-save the rules. For the same reason, review each entry before you save it: an overly broad entry (for example, 0.0.0.0/0 in a prefix list, or a range covering all ports in a port list) immediately widens access in every security group that references the list, not just in one.
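The following is an added example, not code from this page or from Alibaba Cloud, that models the behaviour the procedure above relies on: security group rules hold a reference to a prefix list and a port list, and the lists are resolved at evaluation time, so editing a list changes the outcome in every security group that references it without any rule being touched. The class names, the first-match-by-priority evaluation order, and the quota formula (prefix Max Entries multiplied by port Max Entries) are assumptions made for this model; consult the ECS quota documentation for the exact accounting in your account. The IP addresses and ports are constructed from the values used in the procedure.

```python
"""Local model of ECS prefix lists and port lists referenced by security group rules.

Added example; it does not call the Alibaba Cloud API. Class names, the
evaluation order and the quota formula are assumptions, noted inline.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class PrefixList:
    name: str
    max_entries: int                      # the console's Max Entries parameter
    entries: list = field(default_factory=list)   # ipaddress network objects

    def set_entries(self, cidrs):
        """Replace all entries, enforcing Max Entries and strict CIDR syntax."""
        if len(cidrs) > self.max_entries:
            raise ValueError(f"{self.name}: {len(cidrs)} entries exceed Max Entries={self.max_entries}")
        # strict=True rejects blocks with host bits set, e.g. 192.168.1.5/24
        self.entries = [ip_network(c, strict=True) for c in cidrs]

    def contains(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.entries)


@dataclass
class PortList:
    name: str
    max_entries: int
    entries: list = field(default_factory=list)   # (low, high) tuples

    def set_entries(self, ranges):
        """Replace all entries given in console form 'low/high', e.g. '20000/20000'."""
        if len(ranges) > self.max_entries:
            raise ValueError(f"{self.name}: {len(ranges)} entries exceed Max Entries={self.max_entries}")
        parsed = []
        for r in ranges:
            low, high = (int(x) for x in r.split("/"))
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"{self.name}: invalid port range {r}")
            parsed.append((low, high))
        self.entries = parsed

    def contains(self, port):
        return any(low <= port <= high for low, high in self.entries)


@dataclass
class Rule:
    policy: str          # "allow" or "drop"
    priority: int        # 1 is the highest priority, as in the console
    protocol: str        # "tcp", "udp", ...
    source: PrefixList   # reference, not a copy of the entries
    destination: PortList


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

    def allows(self, src_ip, protocol, port):
        """Evaluate inbound traffic against the *current* list entries.
        Assumption for this model: lowest priority number wins, implicit deny."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if (rule.protocol == protocol
                    and rule.source.contains(src_ip)
                    and rule.destination.contains(port)):
                return rule.policy == "allow"
        return False


def quota_consumed(rule):
    """Quota charged for one rule, based on Max Entries rather than the actual
    entry count. Assumption: a rule that references both lists is charged for
    the full expansion, prefix entries x port entries."""
    return rule.source.max_entries * rule.destination.max_entries


def overly_broad(prefix_list, port_list):
    """Pre-commit check: a list edit propagates to every associated security
    group, so an any-address or all-ports entry widens exposure everywhere."""
    findings = [f"{prefix_list.name}: {net}" for net in prefix_list.entries if net.prefixlen == 0]
    findings += [f"{port_list.name}: {low}/{high}" for low, high in port_list.entries
                 if (low, high) == (1, 65535)]
    return findings


def demo():
    """Steps 1-4 of the procedure against three security domains."""
    ips = PrefixList("RemoteAccess-IP", max_entries=2)
    ips.set_entries(["192.168.1.0/24", "192.168.2.0/24"])
    ports = PortList("RemoteAccess-Port", max_entries=2)
    ports.set_entries(["20000/20000", "20008/20008"])
    # Three security groups, each with one rule referencing the same two lists.
    groups = [SecurityGroup(f"sg-domain-{i}", [Rule("allow", 1, "tcp", ips, ports)])
              for i in range(3)]
    before = [g.allows("192.168.1.10", "tcp", 20000) for g in groups]
    # Step 4: change the lists only; the three security groups are not edited.
    ips.set_entries(["192.168.3.0/24", "192.168.4.0/24"])
    ports.set_entries(["30000/30000", "30008/30008"])
    old_after = [g.allows("192.168.1.10", "tcp", 20000) for g in groups]
    new_after = [g.allows("192.168.4.7", "tcp", 30008) for g in groups]
    return before, old_after, new_after


if __name__ == "__main__":
    print(demo())
```

Run the file to see the three result lists: access from the old range is allowed everywhere before the edit and denied everywhere afterwards, while the new range is allowed in all three groups, even though only the two lists were changed. The overly_broad check is the kind of guard worth placing in whatever pipeline or change-review step commits list edits, since the console applies an entry to every associated group the moment it is saved.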