This topic describes how to add security group rules. You can configure security group rules to allow or deny access to or from the Internet or internal network for Elastic Compute Service (ECS) instances within a security group.

Prerequisites

You have identified the public or internal IP addresses (or CIDR blocks) whose access to or from your instances you want to control. For information about which rules to add in common scenarios, see Security groups for different use cases.

Background information

Security groups act as virtual firewalls that control traffic between your ECS instances and the Internet or the internal network. For security purposes, inbound traffic is denied unless a rule allows it, and most security groups keep that default and add Allow rules only for the traffic that the applications actually need. If you use the default security group, the system automatically adds rules that open some common communication ports.

This topic is suitable for the following scenarios:
  • When an application deployed on your instance sends a request to a network outside the security groups to which the instance belongs and the request hangs or times out, you must add a security group rule that allows this traffic.
  • When attacks on running applications are detected from specific request sources, you can add Forbid rules for those sources to block the malicious requests.
Before you add security group rules, take note of the following items:
  • If no rules are added to a basic security group, all inbound traffic to the security group is denied and all outbound traffic from the security group is allowed.
  • If no rules are added to an advanced security group, all inbound and outbound traffic of the security group is denied. For advanced security groups, you cannot specify security groups as the authorization objects of security group rules.
  • Both IPv4 and IPv6 addresses can be used as the authorization objects of security group rules.
  • The total number of inbound and outbound rules within each security group cannot exceed 200.
  • In a basic security group, at most 20 rules can use security groups as their authorization objects.

For more information, see Overview.

Procedure

  1. Go to the Security Groups page.
    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Network & Security > Security Groups.
    3. In the top navigation bar, select a region.
  2. Find the security group to which you want to add a rule and click Add Rules in the Actions column.
  3. On the Security Group Rules page, choose a rule direction in the Access Rule section based on the network type of the security group.
    Network type: Virtual Private Cloud (VPC)
    • Inbound: The rule controls inbound traffic from both the Internet and the internal network.
    • Outbound: The rule controls outbound traffic to both the Internet and the internal network.
    Network type: Classic network
    • Internet ingress: The rule controls inbound traffic from the Internet.
    • Internet egress: The rule controls outbound traffic to the Internet.
    • Inbound: The rule controls inbound traffic from the internal network.
    • Outbound: The rule controls outbound traffic to the internal network.
  4. On the Security Group Rules page, add a security group rule.
    • Method 1: Quickly add a security group rule

      This method is ideal for configuring commonly used TCP rules. Click Quick Add. In the Quick Add dialog box, set Action and Authorization Object and select one or more ports.

    • Method 2: Manually add a security group rule

      You can specify the Action, Priority, and Protocol Type parameters. Perform the following steps to manually add a security group rule:

    1. Click Add Rule.
    2. Configure the new security group rule by specifying the parameters described in the following table.
      Parameter Description
      Action
      • Allow: allows access requests on the specified ports.
      • Forbid: drops matching packets silently, without returning any response to the sender.

      If two security group rules are identical except for their actions, the Forbid rule takes effect and the Allow rule is ignored.

      Priority A smaller value indicates a higher priority. Valid values: 1 to 100.
      Protocol Type The protocol type of the security group rule. Valid values:
      • All
      • Custom TCP
      • Custom UDP
      • All ICMP (IPv4)
      • All ICMP (IPv6)
      • All GRE
      For more information about the Protocol Type and Port Range parameters, see Add a security group rule and Common ports used by applications.
      Port Range You can specify a custom port range only when Protocol Type is set to Custom TCP or Custom UDP; for the other protocol types the port range is fixed and cannot be edited. Enter one or more port ranges in the low/high format and separate multiple port ranges with commas (,). Example: 22/23,443/443.
      Authorization Object You can specify an authorization object of the following types:
      • IP addresses

        You can enter individual IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:.

      • CIDR blocks

        You can enter a CIDR block. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128. For more information about the CIDR format, see the What is CIDR? section of the Network FAQ topic.

      • Security groups
        This authorization type is valid only for the internal network. You can specify a security group within the current account or a different account as the authorization object to allow mutual access between instances in that security group and instances in the current security group over the internal network.
        Note For advanced security group rules, you cannot select a security group for Authorization Object.
        • Grant permissions to a security group within the current account: Enter the ID of the security group to which you want to grant permissions within the current account. If the current security group is of the VPC type, the security group to which you want to grant permissions must reside within the same VPC as the current security group.
        • Grant permissions to a security group within a different account: Enter the ID of the different Alibaba Cloud account and the ID of the security group to which you want to grant permissions in the ID of the Alibaba Cloud account/ID of the security group format. You can choose Account Management > Basic Information to view your account ID.
      • Prefix lists

        A prefix list is a set of network prefixes (CIDR blocks). The prefix list feature is supported only on security groups of the VPC type. After you reference a prefix list in a security group rule, the rule applies to all CIDR blocks in the prefix list. For more information, see Overview and Create a prefix list.

        If a prefix list is referenced in a security group rule, the maximum number of entries in the prefix list counts towards the quota for security group rules in the security group. For example, a prefix list can contain a maximum of 100 entries. If the prefix list is referenced in a security group rule, the prefix list counts as 100 rules for the security group regardless of the number of existing entries in the prefix list.

      Take note of the following items:
      • You can enter up to 10 authorization objects in one rule. Separate multiple objects with commas (,).
      • If you enter 0.0.0.0/0 or ::/0 as an authorization object, the rule matches every IPv4 or IPv6 address respectively, and all of them are allowed or denied according to the Action parameter. Evaluate the exposure before you use these values, especially in an inbound Allow rule.
      • For security reasons, we recommend that you specify a security group as the Authorization Object when you add an inbound rule to a security group of the classic network type (security group objects apply only to internal-network traffic). If you want to grant access to IP addresses instead, enter individual IP addresses rather than CIDR blocks.
      Description The description of the security group rule.
    3. Click Save in the Actions column.
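The rule semantics described in the procedure above (smaller priority value wins, Forbid beats Allow on a tie, basic groups deny inbound and allow outbound by default, advanced groups deny both, the low/high port format, the 10-object and 200-rule limits, and a prefix list counting as its maximum entry count) can be checked offline before you click Save. The following script is an added example written for this page, not Alibaba Cloud's own code or the ECS API: the Rule class, the function names and all addresses and rules in it are constructed for illustration, and the real evaluation engine is not public, so treat it as a pre-apply sanity check rather than an authoritative model.

```python
"""Offline model of the security group rule semantics stated in this topic.

Added example, not Alibaba Cloud code. The Rule class and function names are this
example's own assumptions; the rule set at the bottom is constructed test data.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_RULES_PER_GROUP = 200    # documented quota per security group
MAX_OBJECTS_PER_RULE = 10    # documented limit on authorization objects per rule
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def parse_port_ranges(spec: str) -> list[tuple[int, int]]:
    """Parse the console format "22/23,443/443" into (low, high) tuples."""
    ranges = []
    for item in spec.split(","):
        low, sep, high = item.strip().partition("/")
        if not sep:
            raise ValueError(f"port range {item!r} must be written as low/high")
        lo, hi = int(low), int(high)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range {item!r} is out of order or out of range")
        ranges.append((lo, hi))
    return ranges


@dataclass
class Rule:
    direction: str                 # "inbound" or "outbound"
    action: str                    # "Allow" or "Forbid"
    priority: int                  # 1..100, smaller value wins
    protocol: str                  # "tcp", "udp", "icmp", "gre" or "all"
    port_range: str = "1/65535"    # console format; only consulted for tcp/udp
    objects: list[str] = field(default_factory=list)  # IPs or CIDR blocks
    prefix_list_max_entries: int = 0  # set when the rule references a prefix list


def validate_rule(rule: Rule) -> list[str]:
    """Return the problems a rule has (errors and warnings); empty means clean."""
    problems = []
    if not 1 <= rule.priority <= 100:
        problems.append("priority must be between 1 and 100")
    if len(rule.objects) > MAX_OBJECTS_PER_RULE:
        problems.append(f"at most {MAX_OBJECTS_PER_RULE} authorization objects per rule")
    for obj in rule.objects:
        try:
            ipaddress.ip_network(obj, strict=False)
        except ValueError:
            problems.append(f"{obj!r} is not an IP address or CIDR block")
    if rule.action == "Allow" and rule.direction == "inbound" and (
        ANY_V4 in rule.objects or ANY_V6 in rule.objects
    ):
        problems.append("warning: inbound Allow from 0.0.0.0/0 or ::/0 exposes the port to the Internet")
    if rule.protocol in ("tcp", "udp"):
        try:
            parse_port_ranges(rule.port_range)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def quota_usage(rules: list[Rule]) -> int:
    """Rules charged against the 200-rule quota; a prefix list counts as its maximum size."""
    return sum(r.prefix_list_max_entries or 1 for r in rules)


def evaluate(rules, group_type, direction, protocol, port, peer_ip) -> str:
    """Decide Allow or Forbid for one flow using the documented precedence."""
    peer = ipaddress.ip_address(peer_ip)
    matches = []
    for r in rules:
        if r.direction != direction or r.protocol not in ("all", protocol):
            continue
        if r.protocol in ("tcp", "udp") and not any(
            lo <= port <= hi for lo, hi in parse_port_ranges(r.port_range)
        ):
            continue
        # ip_network containment is False across IPv4/IPv6, so mixed object lists are safe.
        if not any(peer in ipaddress.ip_network(o, strict=False) for o in r.objects):
            continue
        matches.append(r)
    if not matches:
        # Default policy: basic groups deny only inbound; advanced groups deny both directions.
        return "Forbid" if group_type == "advanced" or direction == "inbound" else "Allow"
    # Smaller priority value wins; when the priority ties, Forbid beats Allow.
    best = min(matches, key=lambda r: (r.priority, 0 if r.action == "Forbid" else 1))
    return best.action


# Constructed rule set: two rules differing only in Action, one broad Allow, one targeted Forbid.
SAMPLE_RULES = [
    Rule("inbound", "Allow", 1, "tcp", "22/22", ["203.0.113.0/24"]),
    Rule("inbound", "Forbid", 1, "tcp", "22/22", ["203.0.113.0/24"]),
    Rule("inbound", "Allow", 10, "tcp", "80/80,443/443", [ANY_V4, ANY_V6]),
    Rule("inbound", "Forbid", 5, "tcp", "1/65535", ["198.51.100.7/32"]),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.action, rule.priority, rule.port_range, validate_rule(rule))
    print("quota used:", quota_usage(SAMPLE_RULES), "of", MAX_RULES_PER_GROUP)
    print("SSH from 203.0.113.5:", evaluate(SAMPLE_RULES, "basic", "inbound", "tcp", 22, "203.0.113.5"))
```

Running the script shows the two behaviours that most often surprise people: the SSH request from 203.0.113.5 is dropped because the Forbid rule wins the tie with the identical Allow rule, and the HTTPS request from 198.51.100.7 is dropped because the priority-5 Forbid beats the priority-10 Allow even though the Allow covers 0.0.0.0/0.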

Result

After the security group rule is added, it appears in the security group rule list. Changes to security group rules take effect automatically on all ECS instances in the security group; you do not need to restart the instances. We recommend that you verify immediately that the change has the intended effect, for example by testing connectivity to the port from an allowed source and from a source that should still be denied.

FAQ