After you add security group rules in the Elastic Compute Service (ECS) console, you can view the details of the rules and perform health checks on security groups to identify redundant rules.
View the rules of a single security group
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- Find the security group whose rules you want to view and click Add Rules in the Actions column.
- Click a tab based on the type of rule that you want to view.
- If the security group is of the Virtual Private Cloud (VPC) type, you can click the Inbound or Outbound tab.
- If the security group is of the classic network type, you can click the Inbound, Outbound, Internet Ingress, or Internet Egress tab.
Note In the search box above the rule list, enter ports or authorization objects to search for security group rules.
View the rules of multiple security groups
If you add an ECS instance to multiple security groups, perform the following steps to view all inbound or outbound security group rules that are associated with the instance:
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- On the Instances page, find the instance for which you want to view security group rules and click the instance ID. The instance details page appears.
- Click the Security Groups tab and then click the Internal Inbound Rules or Internal Outbound Rules tab to view the details of the rules.
Identify redundant security group rules
You can perform a health check on a security group to identify redundant rules in the security group. Rule A is considered redundant if another rule B takes precedence over it (rule B has the higher priority, which in a security group is the smaller priority value) and rule B contains all conditions of rule A, so that every packet that rule A would match is already matched by rule B and rule A never takes effect. If a redundant rule exists, we recommend that you delete the rule to prevent the number of rules from reaching the upper limit. Before you delete a rule, confirm that the covering rule has the same action (allow or deny): if a narrow deny rule is covered by a broader allow rule, the deny rule never applies, and the broader allow rule, not the narrow one, is the rule to review.
Note Each security group can contain a limited number of rules, and each elastic network interface (ENI) on an ECS instance can be associated with a limited number of security group rules. For more information about the limits and quotas of security group rules, see the "Security group limits" section in Limits.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- Find the security group whose rules you want to check and click Add Rules in the Actions column.
- In the Access Rule section, click the health check icon.
- In the Health Check dialog box, check whether redundant rules exist. The following figure shows that the security group contains two redundant rules.
- Select the redundant rules and click OK to delete the rules.
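As an added example (not part of this documentation and not Alibaba Cloud's own tooling), the following Python script applies the redundancy definition above to a rule list in the shape returned by the DescribeSecurityGroupAttribute API operation, so the same check can be run outside the console, for example in a nightly audit. The response below is a constructed sample, not real account data; the field names (Permissions.Permission, Direction, Priority, Policy, IpProtocol, PortRange, SourceCidrIp/DestCidrIp) follow the API response format as I understand it, the evaluation-order rules (smaller priority value first; at equal priority a Drop rule beats an Accept rule) are assumptions stated in the comments, and rules whose source or destination is a security group rather than a CIDR block are skipped. Beyond the page's definition, the script also separates rules that are never reached because a broader rule with the opposite action precedes them ("shadowed"), since those point at an over-broad rule rather than at a cleanup candidate.

```python
import ipaddress
import json

# Constructed sample in the shape of a DescribeSecurityGroupAttribute response
# (only the fields the check needs; not real account data).
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroupId": "sg-example",
    "Permissions": {"Permission": [
        {"Direction": "ingress", "Priority": 1,  "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "1/65535", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "ingress", "Priority": 50, "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8"},
        {"Direction": "ingress", "Priority": 50, "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "ingress", "Priority": 10, "Policy": "Drop", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "egress", "Priority": 1,  "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
        {"Direction": "ingress", "Priority": 1,  "Policy": "Accept", "IpProtocol": "ICMP",
         "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    ]},
})


def port_bounds(port_range: str) -> tuple[int, int]:
    """'22/22' -> (22, 22); '-1/-1' (all ports) -> (0, 65535)."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (0, 65535) if lo == -1 and hi == -1 else (lo, hi)


def cidr_of(rule: dict):
    """Ingress rules carry SourceCidrIp, egress rules DestCidrIp; None when the
    rule is bound to a security group instead of a CIDR block."""
    key = "SourceCidrIp" if rule["Direction"] == "ingress" else "DestCidrIp"
    return rule.get(key)


def covers(b: dict, a: dict) -> bool:
    """True if rule b matches every packet that rule a matches, i.e. b contains all of a's conditions."""
    if b["Direction"] != a["Direction"]:
        return False
    if b["IpProtocol"].lower() not in ("all", a["IpProtocol"].lower()):
        return False
    blo, bhi = port_bounds(b["PortRange"])
    alo, ahi = port_bounds(a["PortRange"])
    if not (blo <= alo and ahi <= bhi):
        return False
    cb, ca = cidr_of(b), cidr_of(a)
    if cb is None or ca is None:
        return False  # group-based source/destination: not compared here
    nb = ipaddress.ip_network(cb, strict=False)
    na = ipaddress.ip_network(ca, strict=False)
    return nb.version == na.version and na.subnet_of(nb)


def takes_precedence(b: dict, a: dict, b_index: int, a_index: int) -> bool:
    """Assumed evaluation order: the smaller Priority value is evaluated first; at equal
    priority a Drop rule beats an Accept rule; identical rules are ordered by position
    so that a pair of exact duplicates is reported once, not twice."""
    if b["Priority"] != a["Priority"]:
        return b["Priority"] < a["Priority"]
    if b["Policy"] != a["Policy"]:
        return b["Policy"] == "Drop"
    return b_index < a_index


def find_redundant(response_json: str) -> list[tuple[int, int, str]]:
    """Return (index_of_A, index_of_B, kind) for every rule A that never takes effect.
    kind is 'redundant' when B has the same action (A can be deleted without changing
    behaviour) and 'shadowed' when B has the opposite action (B is the rule to review)."""
    perms = json.loads(response_json)["Permissions"]["Permission"]
    by_precedence = sorted(enumerate(perms), key=lambda p: p[1]["Priority"])
    findings = []
    for i, a in enumerate(perms):
        for j, b in by_precedence:
            if i == j or not takes_precedence(b, a, j, i) or not covers(b, a):
                continue
            findings.append((i, j, "redundant" if b["Policy"] == a["Policy"] else "shadowed"))
            break  # report only the highest-precedence covering rule
    return findings


if __name__ == "__main__":
    for a, b, kind in find_redundant(SAMPLE_RESPONSE):
        print(f"rule #{a} is {kind} by rule #{b}")
```

In the sample, rules 1 and 2 are redundant under the page's definition because the priority-1 rule already allows all TCP ports from anywhere. Rule 3, the Drop for SSH from 0.0.0.0/0, is reported as shadowed: deleting it changes nothing, but the finding that matters is that rule 0 allows exactly the traffic the Drop was meant to block. To run the check against a live group, replace SAMPLE_RESPONSE with the JSON returned by DescribeSecurityGroupAttribute for that group.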
References
For information about how to query redundant security group rules by calling an API operation, see DescribeSecurityGroupAttribute.