This topic describes how to add security group rules. You can configure security group rules to allow or deny access to or from the Internet or internal network for Elastic Compute Service (ECS) instances within a security group.
Prerequisites
You have obtained the public or internal IP addresses whose access to or from your instances you want to control. For information about the scenarios in which you add security group rules, see Security groups for different use cases.
Background information
Security groups control access to or from the Internet or internal network. For security purposes, most security groups use deny rules (Forbid rules) for inbound traffic. If you use the default security group, the system adds security group rules for some communication ports.
- When an application deployed on your instance initiates a request to communicate with a network outside of the security groups to which the instance belongs but the request remains in the waiting state, you must add a security group rule to allow this request.
- When attacks on running applications are detected from some of the request sources, you can add security group rules to block the malicious requests.
- If no rules are added to a basic security group, all inbound traffic to the security group is denied and all outbound traffic from the security group is allowed.
- If no rules are added to an advanced security group, all inbound and outbound traffic of the security group is denied. For advanced security groups, you cannot specify security groups as the authorization objects of security group rules.
- Both IPv4 and IPv6 addresses can be used as the authorization objects of security group rules.
- The total number of inbound and outbound rules within each security group cannot exceed 200.
- For a basic security group, if you specify security groups as the authorization objects of security group rules, a maximum of 20 security group rules can be specified in the basic security group.
For more information, see Overview.
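The behaviour listed above (default deny for inbound traffic in a basic security group, default deny in both directions in an advanced security group, the 200-rule limit, the 20 group-sourced rules limit, the ban on security groups as authorization objects in advanced groups, and IPv4/IPv6 authorization objects) can be modelled in a few lines. The following is an added example written for this page, not Alibaba Cloud's own code or API; the priority tie-break it uses (lower value wins, deny beats allow on a tie) is an assumption that the text above does not state, and the sample rules and addresses are constructed.

```python
"""Model of the security group rule semantics described in the background section.

Added illustration, not Alibaba Cloud's code. The two limits and the default
behaviour of basic/advanced groups come from the text; anything marked
ASSUMPTION is not stated on the page.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

MAX_RULES_PER_GROUP = 200            # inbound + outbound, stated on the page
MAX_GROUP_SOURCED_RULES_BASIC = 20   # rules whose authorization object is a group


@dataclass
class Rule:
    direction: str    # "inbound" or "outbound"
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    source: Union[str, "SecurityGroup"]  # IPv4/IPv6 CIDR or another security group
    priority: int = 1  # ASSUMPTION: a lower value takes precedence


@dataclass
class SecurityGroup:
    name: str
    kind: str         # "basic" or "advanced"
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        """Enforce the constraints from the background section before storing a rule."""
        if len(self.rules) >= MAX_RULES_PER_GROUP:
            raise ValueError(f"{self.name}: at most {MAX_RULES_PER_GROUP} rules per security group")
        if isinstance(rule.source, SecurityGroup):
            if self.kind == "advanced":
                raise ValueError("advanced groups cannot use a security group as authorization object")
            group_sourced = sum(isinstance(r.source, SecurityGroup) for r in self.rules)
            if group_sourced >= MAX_GROUP_SOURCED_RULES_BASIC:
                raise ValueError(f"at most {MAX_GROUP_SOURCED_RULES_BASIC} group-sourced rules in a basic group")
        else:
            ip_network(rule.source, strict=False)  # accepts IPv4 and IPv6, raises on garbage
        self.rules.append(rule)

    def default_action(self, direction: str) -> str:
        """No matching rule: basic = deny inbound / allow outbound, advanced = deny both."""
        if self.kind == "advanced":
            return "deny"
        return "deny" if direction == "inbound" else "allow"

    def evaluate(self, direction: str, protocol: str, port: int, peer_ip: str,
                 peer_group: Optional["SecurityGroup"] = None) -> str:
        """Return "allow" or "deny" for one flow seen by an instance in this group."""
        matches = [
            r for r in self.rules
            if r.direction == direction
            and r.protocol in ("all", protocol)
            and r.port_from <= port <= r.port_to
            and _source_matches(r, peer_ip, peer_group)
        ]
        if not matches:
            return self.default_action(direction)
        # ASSUMPTION: the lowest priority value wins; on a tie, deny beats allow.
        best = min(r.priority for r in matches)
        return "deny" if any(r.action == "deny" for r in matches if r.priority == best) else "allow"


def _source_matches(rule: Rule, peer_ip: str, peer_group: Optional[SecurityGroup]) -> bool:
    if isinstance(rule.source, SecurityGroup):
        return peer_group is rule.source
    # An IPv4 peer never matches an IPv6 CIDR and vice versa (ipaddress returns False).
    return ip_address(peer_ip) in ip_network(rule.source, strict=False)


def try_add(sg: SecurityGroup, rule: Rule) -> bool:
    """True if the rule was accepted, False if one of the limits rejected it."""
    try:
        sg.add_rule(rule)
        return True
    except ValueError:
        return False


def build_web_group() -> SecurityGroup:
    """Constructed sample: a basic group for a web server with one blocked source range."""
    sg = SecurityGroup("web", "basic")
    sg.add_rule(Rule("inbound", "allow", "tcp", 80, 80, "0.0.0.0/0", priority=1))
    sg.add_rule(Rule("inbound", "allow", "tcp", 443, 443, "2001:db8::/32", priority=1))
    # Block a source range whose requests were identified as attacks (second bullet above).
    sg.add_rule(Rule("inbound", "deny", "tcp", 80, 80, "198.51.100.0/24", priority=1))
    return sg


if __name__ == "__main__":
    web = build_web_group()
    for peer in ("203.0.113.5", "198.51.100.7", "2001:db8::1"):
        print(peer, "-> port 80:", web.evaluate("inbound", "tcp", 80, peer))
```

The model makes the practical consequences of the defaults visible: a basic group with no rules still lets instances reach out, while an advanced group blocks everything until a rule exists in each direction, which is why a freshly created advanced group often looks "broken" to an application that only needs outbound access.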
Procedure
- Go to the Security Groups page.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- Find the security group to which you want to add a rule and click Add Rules in the Actions column.
- On the Security Group Rules page, choose a rule direction in the Access Rule section based on the network type of the security group.
Network type: Virtual Private Cloud (VPC)
- Inbound: The rule controls inbound traffic from both the Internet and the internal network.
- Outbound: The rule controls outbound traffic to both the Internet and the internal network.
Network type: Classic network
- Internet ingress: The rule controls inbound traffic from the Internet.
- Internet egress: The rule controls outbound traffic to the Internet.
- Inbound: The rule controls inbound traffic from the internal network.
- Outbound: The rule controls outbound traffic to the internal network.
- On the Security Group Rules page, add a security group rule.
- Method 1: Quickly add a security group rule
This method is ideal for configuring commonly used TCP rules. Click Quick Add. In the Quick Add dialog box, set Action and Authorization Object and select one or more ports.
- Method 2: Manually add a security group rule
You can specify the Action, Priority, and Protocol Type parameters. Perform the following steps to manually add a security group rule:
Result
After the security group rule is added, you can view it in the security group rule list. Changes to security group rules are automatically applied to the ECS instances within the security group. We recommend that you immediately check whether the changes take effect.
FAQ
- For information about the Protocol Type and Port Range parameters, see Typical applications of commonly used ports and What is the relationship between protocol types and port ranges in security group rules?
- For information about why services on instances cannot be accessed after the instances are added to security groups, see Why am I unable to access services after I configure a security group?
- For information about why TCP ports 80 and 25 cannot be accessed, see Why am I unable to access TCP port 80? and Why am I unable to access TCP port 25?
- For more information about security group rules, see Security FAQ.