This topic describes how to add security group rules. You can configure security group rules to allow or deny access to or from the Internet or internal network for Elastic Compute Service (ECS) instances within a security group.

Prerequisites

You have obtained the public or internal IP addresses for which you want to control access to your instances. For information about the scenarios in which security group rules are added, see Security groups for different use cases.

Background information

Security groups control access to or from the Internet or internal network. For security purposes, most security groups use deny rules (Forbid rules) for inbound traffic. If you use the default security group, the system adds security group rules for some communication ports.

This topic is suitable for the following scenarios:
  • When an application deployed on your instance sends a request to a network outside the security groups to which the instance belongs and the request remains in the waiting state, you must add a security group rule that allows the request.
  • When attacks on running applications are detected from some of the request sources, you can add security group rules to block the malicious requests.
Before you add security group rules, take note of the following items:
  • If no rules are added to a basic security group, all inbound traffic to the security group is denied and all outbound traffic from the security group is allowed.
  • If no rules are added to an advanced security group, all inbound and outbound traffic of the security group is denied. For advanced security groups, you cannot specify security groups as the authorization objects of security group rules.
  • Both IPv4 and IPv6 addresses can be used as the authorization objects of security group rules.
  • The total number of inbound and outbound rules within each security group cannot exceed 200.
  • For a basic security group, if you specify security groups as the authorization objects of security group rules, a maximum of 20 security group rules can be specified in the basic security group.

For more information, see Overview.

Procedure

  1. Go to the Security Groups page.
    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Network & Security > Security Groups.
    3. In the top navigation bar, select a region.
  2. Find the security group to which you want to add a rule and click Add Rules in the Actions column.
  3. On the Security Group Rules page, choose a rule direction in the Access Rule section based on the network type of the security group.
    Network type: Virtual Private Cloud (VPC)
    • Inbound: The rule controls inbound traffic from both the Internet and internal network.
    • Outbound: The rule controls outbound traffic to both the Internet and internal network.
    Network type: Classic network
    • Internet ingress: The rule controls inbound traffic from the Internet.
    • Internet egress: The rule controls outbound traffic to the Internet.
    • Inbound: The rule controls inbound traffic from the internal network.
    • Outbound: The rule controls outbound traffic to the internal network.
  4. On the Security Group Rules page, add a security group rule.
    • Method 1: Quickly add a security group rule

      This method is ideal for configuring commonly used TCP rules. Click Quick Add. In the Quick Add dialog box, set Action and Authorization Object and select one or more ports.

    • Method 2: Manually add a security group rule

      You can specify the Action, Priority, and Protocol Type parameters. Perform the following steps to manually add a security group rule:

    1. Click Add Rule.
    2. Configure the new security group rule by specifying the parameters described in the following table.
      Action
      • Allow: allows access requests on a specific port.
      • Forbid: denies access requests and drops data packets without returning a response.

      If two security group rules differ only in their actions, the Forbid rule takes effect and the Allow rule is ignored.

      Priority
      A smaller value indicates a higher priority. Valid values: 1 to 100.

      Protocol Type
      The protocol type of the security group rule. Valid values:
      • All
      • Custom TCP
      • Customized UDP
      • All ICMP (IPv4)
      • All ICMP (IPv6)
      • All GRE

      Port Range
      You can specify a port range when Protocol Type is set to Custom TCP or Customized UDP. Enter one or more port ranges. Separate the port ranges with commas (,). Example: 22/23,443/443.

      For more information about the Protocol Type and Port Range parameters, see Typical applications of commonly used ports and What is the relationship between protocol types and port ranges in security group rules?.

      Authorization Object
      You can specify an authorization object of the following types:
      • IP Address

        You can enter individual IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:.

      • CIDR blocks

        You can enter a CIDR block. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128. For more information about IP addresses and CIDR blocks, see the "What is the relationship between the IP addresses and CIDR blocks specified as authorization objects of a security group rule?" issue in What is the relationship between the IP addresses and CIDR blocks specified as authorization objects in security group rules?.

      • Security groups

        This authorization type is valid only for the internal network. You can specify a security group in the current account or in a different account as the authorization object to allow mutual access over the internal network between instances or elastic network interfaces (ENIs) in that security group and instances in the current security group.
        Note
        • For advanced security groups, security groups are not supported as authorization objects.
        • For each basic security group, a maximum of 20 security groups are supported as authorization objects.
        • Authorize the current account: Enter the ID of the security group that you want to specify as the authorization object within the current account. If the current security group is of the VPC type, the security group that you want to specify as the authorization object must reside within the same VPC as the current security group.
        • Authorize another account: Enter the ID of the other Alibaba Cloud account and the ID of the security group to which you want to grant permissions, in the format ID of the Alibaba Cloud account/ID of the security group. You can choose Account Management > Basic Information to view your account ID.
      • Prefix lists

        A prefix list is a set of network prefixes (CIDR blocks). The prefix list feature is supported only on security groups of the VPC type. After you reference a prefix list in a security group rule, the rule applies to all CIDR blocks in the prefix list. For more information, see Overview and Create a prefix list.

        If a prefix list is referenced in a security group rule, the maximum number of entries in the prefix list counts against the rule quota of the security group. For example, assume that a prefix list can contain a maximum of 100 entries. If the prefix list is referenced in a security group rule, the prefix list counts as 100 rules for the security group regardless of the number of entries the prefix list currently contains.

      Take note of the following items:
      • You can enter up to 10 authorization objects at a time. Separate the objects with commas (,). Each authorization object corresponds to a rule. For example, if you add 10 authorization objects at a time, 10 rules are generated.
      • If you enter 0.0.0.0/0 or ::/0 as an authorization object, all IP addresses are allowed. Evaluate the network risks before you specify 0.0.0.0/0 or ::/0.
      • For security reasons, we recommend that you select a security group for Authorization Object when you add a public inbound rule to a security group of the classic network type. If you want to specify IP addresses as authorization objects in security group rules, enter individual IP addresses instead of CIDR blocks.

      Description
      The description of the security group rule.
    3. Click Save in the Actions column.
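The following added example (not Alibaba Cloud's code) models the rule semantics described in the parameter table above: priority 1 to 100 with a smaller value winning, Forbid beating Allow when two rules tie, port ranges written as 22/23,443/443, and the default behaviour of basic and advanced security groups when no rule matches. The Rule class and the evaluate and check_rule functions are assumptions of this example; the sample rules and addresses are constructed.

```python
# Added example (not Alibaba Cloud's code): a small model of the security
# group rule semantics this page describes. Names are this example's own.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    direction: str    # "Inbound" or "Outbound" (VPC-type security group)
    action: str       # "Allow" or "Forbid"
    priority: int     # 1 to 100; a smaller value is a higher priority
    protocol: str     # "All", "Custom TCP", "Customized UDP", "All ICMP (IPv4)", ...
    port_range: str   # e.g. "22/23,443/443"; only used for TCP/UDP rules
    auth_object: str  # an IP address or CIDR block, e.g. "192.168.0.0/24"

def parse_port_ranges(spec):
    """'22/23,443/443' -> [(22, 23), (443, 443)]; rejects malformed ranges."""
    ranges = []
    for part in spec.split(","):
        lo, hi = (int(x) for x in part.strip().split("/"))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges

def rule_matches(rule, direction, protocol, port, ip):
    if rule.direction != direction or rule.protocol not in ("All", protocol):
        return False
    if rule.protocol in ("Custom TCP", "Customized UDP"):
        if not any(lo <= port <= hi for lo, hi in parse_port_ranges(rule.port_range)):
            return False
    # A single IP address such as "203.0.113.7" becomes a /32 (or /128) network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.auth_object, strict=False)

def evaluate(rules, group_type, direction, protocol, port, ip):
    """Action applied to one packet: lowest priority number wins, Forbid beats Allow
    on a tie; no match -> basic group denies inbound/allows outbound, advanced denies both."""
    matches = [r for r in rules if rule_matches(r, direction, protocol, port, ip)]
    if matches:
        return min(matches, key=lambda r: (r.priority, r.action != "Forbid")).action
    if group_type == "advanced" or direction == "Inbound":
        return "Forbid"
    return "Allow"

def check_rule(rule):
    """Defender-side sanity check before a rule is saved; returns a list of issues."""
    issues = []
    if not 1 <= rule.priority <= 100:
        issues.append("priority must be between 1 and 100")
    if rule.auth_object in ("0.0.0.0/0", "::/0"):
        issues.append("authorization object opens the port to every address")
    return issues
```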

Result

After the security group rule is added, you can view it in the security group rule list. Changes to security group rules are automatically applied to the ECS instances within the security group. We recommend that you immediately check whether the changes take effect.

FAQ