This topic describes how to add security group rules. You can configure security group
rules to allow or deny access to or from the Internet or internal network for Elastic
Compute Service (ECS) instances within a security group.
Prerequisites
You have obtained the public or internal IP addresses to or from which you want to control access for your instances. For information about the scenarios in which security group rules are added, see Security groups for different use cases.
Background information
Security groups control access to or from the Internet or internal network. For security
purposes, most security groups use deny rules (Forbid rules) for inbound traffic.
If you use the default security group, the system adds security group rules for some
communication ports.
This topic is suitable for the following scenarios:
- When an application deployed on your instance initiates a request to communicate with
a network outside of the security groups to which the instance belongs but the request
remains in the waiting state, you must add a security group rule to allow this request.
- When attacks on running applications are detected from some of the request sources,
you can add security group rules to block the malicious requests.
Before you add security group rules, take note of the following items:
- If no rules are added to a basic security group, all inbound traffic to the security
group is denied and all outbound traffic from the security group is allowed.
- If no rules are added to an advanced security group, all inbound and outbound traffic
of the security group is denied. For advanced security groups, you cannot specify
security groups as the authorization objects of security group rules.
- Both IPv4 and IPv6 addresses can be used as the authorization objects of security
group rules.
- The total number of inbound and outbound rules within each security group cannot exceed
200.
- For a basic security group, if you specify security groups as the authorization objects
of security group rules, a maximum of 20 security group rules can be specified in
the basic security group.
For more information, see Overview.
Procedure
- Go to the Security Groups page.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- Find the security group to which you want to add a rule and click Add Rules in the Actions column.
- On the Security Group Rules page, choose a rule direction in the Access Rule section based on the network type of the security group.
Network type | Rule direction
Virtual Private Cloud (VPC) |
- Inbound: The rule controls inbound traffic from both the Internet and the internal network.
- Outbound: The rule controls outbound traffic to both the Internet and the internal network.
Classic network |
- Internet ingress: The rule controls inbound traffic from the Internet.
- Internet egress: The rule controls outbound traffic to the Internet.
- Inbound: The rule controls inbound traffic from the internal network.
- Outbound: The rule controls outbound traffic to the internal network.
- On the Security Group Rules page, add a security group rule.
- Method 1: Quickly add a security group rule
This method is ideal for configuring commonly used TCP rules. Click Quick Add. In the Quick Add dialog box, set Action and Authorization Object and select one or more ports.
- Method 2: Manually add a security group rule
You can specify the Action, Priority, and Protocol Type parameters. Perform the following
steps to manually add a security group rule:
- Click Add Rule.
- Configure the new security group rule by specifying the parameters described in the
following table.
Parameter | Description
Action |
- Allow: allows access requests on the specified port.
- Forbid: drops packets without returning a response.
If two security group rules differ only in their actions, the Forbid rule takes effect and the Allow rule is ignored.
Priority | A smaller value indicates a higher priority. Valid values: 1 to 100.
Protocol Type |
The protocol type of the security group rule. Valid values:
- All
- Custom TCP
- Customized UDP
- All ICMP (IPv4)
- All ICMP (IPv6)
- All GRE
For more information about the Protocol Type and Port Range parameters, see Add a security group rule and Common ports used by applications.
Port Range |
You can specify a custom port range when Protocol Type is set to Custom TCP or Customized UDP. Enter one or more port ranges. Separate multiple port ranges with commas (,). Example: 22/23,443/443.
Authorization Object |
You can specify an authorization object of the following types:
- IP addresses
You can enter individual IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:.
- CIDR blocks
You can enter a CIDR block. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128.
For more information about the CIDR format, see the What is CIDR? section of the Network FAQ topic.
- Security groups
This authorization type is valid only for the internal network. You can specify a
security group within the current account or a different account as the authorization
object to allow mutual access between instances in that security group and instances
in the current security group over the internal network.
Note: For advanced security groups, you cannot select a security group for Authorization Object.
- Grant permissions to a security group within the current account: Enter the ID of
the security group to which you want to grant permissions within the current account.
If the current security group is of the VPC type, the security group to which you
want to grant permissions must reside within the same VPC as the current security
group.
- Grant permissions to a security group within a different account: Enter the ID of the other Alibaba Cloud account and the ID of the security group to which you want to grant permissions, in the format ID of the Alibaba Cloud account/ID of the security group. You can view your account ID in the Alibaba Cloud console.
- Prefix lists
A prefix list is a set of network prefixes (CIDR blocks). The prefix list feature
is supported only on security groups of the VPC type. After you reference a prefix
list in a security group rule, the rule applies to all CIDR blocks in the prefix list.
For more information, see Overview and Create a prefix list.
If a prefix list is referenced in a security group rule, the maximum number of entries that the prefix list can contain counts towards the security group rule quota of the security group, regardless of how many entries the prefix list actually contains. For example, if a prefix list can contain a maximum of 100 entries and is referenced in a security group rule, the rule counts as 100 rules for the security group even if the prefix list currently holds fewer entries.
Take note of the following items:
- You can enter up to 10 authorization objects at a time. Separate multiple objects
with commas (,).
- If you enter 0.0.0.0/0 or ::/0 as an authorization object, all IP addresses are allowed
or denied based on the Action parameter. Evaluate the network risks before you specify
0.0.0.0/0 or ::/0.
- For security reasons, we recommend that you select a security group for Authorization
Object when you add a public inbound rule to a security group of the classic network
type. If you want to grant permissions to IP addresses, you must enter individual
IP addresses instead of CIDR blocks.
Description | The description of the security group rule.
- Click Save in the Actions column.
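The following Python script is an added worked example, not code from the Alibaba Cloud documentation or any Alibaba Cloud API. It models the behaviour this topic describes so that a planned rule set can be checked before it is saved in the console: the default policy of an empty basic or advanced security group, the 200-rule and 20-security-group-object quotas, the 22/23,443/443 port range format, priority ordering, the rule that a Forbid rule takes effect over an Allow rule that differs only in action, IPv4 and IPv6 addresses and CIDR blocks as authorization objects, prefix lists that contribute all of their CIDR blocks and count as their maximum entry size, and a check for rules open to 0.0.0.0/0 or ::/0. The class, field and function names are this example's own, the sample rules and addresses are constructed, and one point is an assumption beyond the page: when several rules at the same highest priority match a packet, the example lets any Forbid rule win, which is the conservative reading.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the rule semantics and limits described on this page.
# Class, field and function names are this example's own, not Alibaba Cloud API names.

MAX_RULES_PER_GROUP = 200   # inbound + outbound rules per security group
MAX_SG_OBJECT_RULES = 20    # rules whose authorization object is a security group (basic groups)


@dataclass
class Rule:
    direction: str              # "inbound" or "outbound"
    action: str                 # "Allow" or "Forbid"
    protocol: str = "All"       # "All", "TCP", "UDP", "ICMP", "GRE"
    port_range: str = ""        # "22/23,443/443"; empty for All, ICMP and GRE
    networks: tuple = ()        # CIDR blocks; a single IP address is written as /32 or /128
    prefix_list: str = ""       # name of a referenced prefix list (VPC groups only)
    security_group: str = ""    # set when the authorization object is a security group
    priority: int = 1           # 1 (highest) to 100 (lowest)


def parse_port_ranges(spec):
    """'22/23,443/443' -> [(22, 23), (443, 443)], validating order and bounds."""
    ranges = []
    for item in spec.split(","):
        lo, hi = (int(x) for x in item.strip().split("/"))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def rule_matches(rule, direction, protocol, port, address, prefix_lists):
    """True if the packet falls under the rule's direction, protocol, ports and objects."""
    if rule.direction != direction or rule.protocol not in ("All", protocol):
        return False
    if rule.port_range and not any(lo <= port <= hi for lo, hi in parse_port_ranges(rule.port_range)):
        return False
    # A referenced prefix list contributes all of its CIDR blocks to the rule.
    networks = rule.networks + tuple(prefix_lists.get(rule.prefix_list, ()))
    addr = ipaddress.ip_address(address)
    # ip_network.__contains__ returns False when the IP versions differ, so v4/v6 mixing is safe.
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def evaluate(group_type, rules, direction, protocol, port, address, prefix_lists=None):
    """Return 'allow' or 'deny' for one packet against a basic or advanced security group."""
    prefix_lists = prefix_lists or {}
    matching = [r for r in rules if rule_matches(r, direction, protocol, port, address, prefix_lists)]
    if not matching:
        # No matching rule: basic groups allow outbound and deny inbound; advanced groups deny both.
        return "allow" if group_type == "basic" and direction == "outbound" else "deny"
    best = min(r.priority for r in matching)
    # Among the highest-priority matches, a Forbid rule takes effect and an Allow rule is ignored
    # (assumption: this also resolves ties between rules with different authorization objects).
    return "deny" if any(r.action == "Forbid" for r in matching if r.priority == best) else "allow"


def open_to_world(rules):
    """Allow rules whose authorization object is 0.0.0.0/0 or ::/0, i.e. every Internet address."""
    return [r for r in rules if r.action == "Allow" and set(r.networks) & {"0.0.0.0/0", "::/0"}]


def check_quotas(group_type, rules, prefix_list_max_entries):
    """Limits the planned rule set would violate; an empty list means it fits."""
    problems = []
    # A referenced prefix list counts as its maximum entry count, not its current size.
    counted = sum(prefix_list_max_entries[r.prefix_list] if r.prefix_list else 1 for r in rules)
    if counted > MAX_RULES_PER_GROUP:
        problems.append(f"{counted} rules counted against the limit of {MAX_RULES_PER_GROUP}")
    sg_rules = sum(1 for r in rules if r.security_group)
    if group_type == "advanced" and sg_rules:
        problems.append("advanced security groups cannot use security groups as authorization objects")
    if group_type == "basic" and sg_rules > MAX_SG_OBJECT_RULES:
        problems.append(f"{sg_rules} security-group objects exceed the limit of {MAX_SG_OBJECT_RULES}")
    return problems


if __name__ == "__main__":
    # Constructed sample: SSH from one jump host, HTTPS from anywhere, and a Forbid rule for
    # a source range that also falls inside the 0.0.0.0/0 Allow rule at the same priority.
    rules = [
        Rule("inbound", "Allow", "TCP", "22/22", ("192.168.0.100/32",)),
        Rule("inbound", "Allow", "TCP", "443/443", ("0.0.0.0/0",)),
        Rule("inbound", "Forbid", "TCP", "443/443", ("203.0.113.0/24",)),
    ]
    print(evaluate("basic", rules, "inbound", "TCP", 22, "192.168.0.100"))  # allow
    print(evaluate("basic", rules, "inbound", "TCP", 443, "203.0.113.7"))   # deny (Forbid wins)
    print([r.networks for r in open_to_world(rules)])                       # [('0.0.0.0/0',)]
    print(check_quotas("basic", rules, {}))                                 # []
```

Run it as a plain script to see the sample evaluations, or import it and feed it the rules you intend to add; the `open_to_world` and `check_quotas` results are the two things worth reviewing before clicking Save, since a 0.0.0.0/0 Allow rule and an exceeded quota are the mistakes the notes above warn about.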
Result
After the security group rule is added, you can view it in the security group rule
list. Changes to security group rules are automatically applied to the ECS instances
within the security group. We recommend that you immediately check whether the changes
take effect.