Elastic Compute Service:Streamline security group rule management with prefix lists and port lists

Last Updated:Mar 27, 2026

A prefix list is a collection of CIDR blocks, and a port list is a collection of ports. You can reference prefix lists and port lists when you configure security group rules. This practice allows you to consolidate multiple rules that differ only by source IP addresses or destination ports. When you update the entries in a prefix list or port list, the changes are automatically applied to all associated security groups, simplifying management and reducing operational overhead.

Use cases

Consider a scenario where you manage multiple applications, each secured by its own security group. These applications need to be accessible from a common source, such as an on-premises office network, which has a large and frequently changing set of IP addresses.

Each time the source IP addresses change, you must manually update the inbound rules for every security group. As the number of security groups and IP addresses grows, this process becomes complex and time-consuming.

To solve this, you can group the source IP addresses into a prefix list and the service ports into a port list. Then, reference these lists in your security group rules. When IP addresses or ports change, you only need to update the respective lists. The changes automatically propagate to all referencing security groups, significantly simplifying rule management and improving efficiency.

For example, instead of manually adding a new IP address to 50 separate security groups, you can add it once to a prefix list referenced by all 50 security groups.

If your cloud resources are distributed across multiple Alibaba Cloud regions, you can use the clone feature to replicate an existing prefix list or port list to other regions.

Procedure

This procedure demonstrates how to use a prefix list and a port list to control which IP addresses may reach services deployed on an ECS instance, and how to change the authorized sources and ports later without touching the security group rules themselves. In this example, two CIDR blocks and two ports are used.

  1. Create a prefix list

    1. Go to the prefix list page of the ECS console.

    2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

    3. On the Prefix lists tab, click Create prefix list.

    4. In the Create prefix list dialog box, configure the parameters and click OK.

      This example uses the following parameters:

      • Prefix list name: RemoteAccess-IP

      • Description: Allows access from IP addresses in this prefix list to ECS instances in associated security groups.

      • Address family: IPv4

      • Max entries: 2

        Note

        When a prefix list is referenced by a resource such as a security group, the rule quota is calculated from its max entries value, not from the number of entries the list actually contains. Set this value no larger than you need.

      • Entries: Click Add Entry, and then add 192.168.1.0/24 and 192.168.2.0/24.

  2. Create a port list

    1. On the Port lists tab, click Create port list.

    2. In the Create port list dialog box, configure the parameters and click OK.

      This example uses the following parameters:

      • Port list name: RemoteAccess-Port

      • Description: Opens the ports in this port list for services running on ECS instances in associated security groups.

      • Max entries: 2

        Note

        When a port list is referenced by a resource such as a security group, the rule quota is calculated from its max entries value, not from the number of entries the list actually contains. Set this value no larger than you need.

      • Entries: Click Add Entry, and then add 20000/20000 and 20008/20008. This example assumes that the services on the ECS instances use ports 20000 and 20008.

  3. Use the lists in a security group rule

    Repeat the following steps for each security group that must allow this access. Use the RemoteAccess-IP prefix list as the source and the RemoteAccess-Port port list as the destination.

    1. Go to ECS console - Security Groups.

    2. Find the target security group and click Configure rules in the Actions column.

    3. On the Inbound tab, click Add rule.

    4. Configure the security group rule parameters and click Save.

      The following configuration creates an inbound rule that allows TCP traffic from the CIDR blocks in RemoteAccess-IP to the ports in RemoteAccess-Port on instances in the security group:

      • Authorization policy: Allow

      • Priority: 1

      • Protocol type: Custom TCP

      • Source: Select the prefix list RemoteAccess-IP.

      • Destination: Select the port list RemoteAccess-Port.

      After you add the rule, the security group allows traffic from the IP addresses in the prefix list to the ports in the port list.

  4. Modify list entries

    If your access requirements change, you do not need to modify rules in each security group. Instead, you can update the RemoteAccess-IP prefix list and the RemoteAccess-Port port list. For example, to change the allowed source IPs to 192.168.3.0/24 and 192.168.4.0/24, and the service ports to 30000 and 30008, follow these steps:

    1. Go to the prefix list page of the ECS console.

    2. On the Prefix lists tab, find the prefix list RemoteAccess-IP and click Details in the Actions column.

    3. Click the Prefix list entries tab.

    4. Find an entry to update and click Modify in the Actions column.

    5. Change the CIDR block and click Save.

      Update the two existing entries to 192.168.3.0/24 and 192.168.4.0/24.

    6. On the Port lists tab, find the port list RemoteAccess-Port and click Details in the Actions column.

    7. Click the Port list entries tab.

    8. Find an entry to update and click Modify in the Actions column.

    9. Change the port range and click Save.

      Update the two existing entries to 30000/30000 and 30008/30008.

After you modify a prefix list or port list, the changes automatically apply to all security group rules that reference it. Because a single list edit changes the effective rules of every referencing security group, review list edits with the same care as direct rule changes.
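A rule that references lists does not show the CIDR blocks and ports it actually allows, so reviewing such rules means resolving the references. The following added example (not Alibaba Cloud's code or API) models the walkthrough above in memory: it validates entries, enforces max entries, expands list references into the effective allow set for each security group, shows that replacing the list entries in step 4 changes every referencing group at once, and flags any-source entries hidden behind a list reference. The list names follow the walkthrough; the security group IDs (sg-app-1 to sg-app-3) and all data are constructed for the example.

```python
"""Resolve security group rules that reference prefix lists and port lists
into the effective allow set, and audit it.

Added example: an in-memory model, not Alibaba Cloud's own code or API.
List names follow the console walkthrough; sg-app-* IDs and the data are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrefixList:
    name: str
    max_entries: int
    entries: list = field(default_factory=list)   # CIDR strings


@dataclass
class PortList:
    name: str
    max_entries: int
    entries: list = field(default_factory=list)   # "start/end" strings


@dataclass
class Rule:
    policy: str          # "Allow" or "Drop"
    priority: int        # 1 is the highest priority
    protocol: str        # "tcp", "udp", ...
    source_list: str     # prefix list referenced as the source
    port_list: str       # port list referenced as the destination


def parse_port_range(spec):
    """Parse "start/end" as entered in the console into an inclusive (lo, hi)."""
    lo_s, sep, hi_s = spec.partition("/")
    lo, hi = int(lo_s), int(hi_s if sep else lo_s)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def add_entry(lst, entry):
    """Append one entry after validating it and enforcing max_entries."""
    if len(lst.entries) >= lst.max_entries:
        raise ValueError(f"{lst.name}: max entries ({lst.max_entries}) reached")
    if isinstance(lst, PrefixList):
        ipaddress.ip_network(entry, strict=True)  # rejects host bits set
    else:
        parse_port_range(entry)
    lst.entries.append(entry)


def replace_entries(lst, new_entries):
    """Swap the whole entry set; every rule referencing the list sees it."""
    lst.entries.clear()
    for e in new_entries:
        add_entry(lst, e)


def effective_rules(groups, prefix_lists, port_lists):
    """Expand list references into (policy, proto, cidr, lo, hi) tuples per
    security group. groups maps sg_id -> [Rule, ...]."""
    out = {}
    for sg_id, rules in groups.items():
        expanded = set()
        for r in rules:
            ports = [parse_port_range(p) for p in port_lists[r.port_list].entries]
            for cidr in prefix_lists[r.source_list].entries:
                for lo, hi in ports:
                    expanded.add((r.policy, r.protocol, cidr, lo, hi))
        out[sg_id] = expanded
    return out


def audit(effective, max_width=1024):
    """Flag allow entries a reviewer would question: any-source CIDRs or
    very wide port ranges that a list reference would otherwise hide."""
    findings = []
    for sg_id, tuples in effective.items():
        for policy, proto, cidr, lo, hi in sorted(tuples):
            if policy != "Allow":
                continue
            if ipaddress.ip_network(cidr).prefixlen == 0:
                findings.append((sg_id, f"{proto} {lo}-{hi} open to {cidr}"))
            elif hi - lo + 1 > max_width:
                findings.append((sg_id, f"{cidr} may reach {hi - lo + 1} ports"))
    return findings


def build_example():
    """Constructed data mirroring the walkthrough: two CIDRs, two ports, and
    three security groups that all reference the same two lists."""
    pl = PrefixList("RemoteAccess-IP", max_entries=2)
    for c in ("192.168.1.0/24", "192.168.2.0/24"):
        add_entry(pl, c)
    ports = PortList("RemoteAccess-Port", max_entries=2)
    for p in ("20000/20000", "20008/20008"):
        add_entry(ports, p)
    rule = Rule("Allow", 1, "tcp", pl.name, ports.name)
    groups = {f"sg-app-{i}": [rule] for i in range(1, 4)}
    return groups, {pl.name: pl}, {ports.name: ports}


if __name__ == "__main__":
    groups, pls, pts = build_example()
    before = effective_rules(groups, pls, pts)
    # Step 4 of the walkthrough: edit the two lists, not the three groups.
    replace_entries(pls["RemoteAccess-IP"], ["192.168.3.0/24", "192.168.4.0/24"])
    replace_entries(pts["RemoteAccess-Port"], ["30000/30000", "30008/30008"])
    after = effective_rules(groups, pls, pts)
    for sg in groups:
        print(sg, sorted(before[sg]), "->", sorted(after[sg]))
    print("audit findings:", audit(after))
```

The same resolution step is what you would apply to exported security group, prefix list and port list data before a review: compare the expanded tuples, not the rule text, and treat a list that gains 0.0.0.0/0 as a change to every group that references it.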