This topic describes how to configure security group rules for Elastic Compute Service (ECS) instances that have the Cloud Assistant client installed and manage network permissions of the Cloud Assistant client with ease.

Background information

To ensure that you can use Cloud Assistant on an ECS instance, the instance must have access to the endpoints or IP addresses required to perform specified operations such as running a Cloud Assistant command. You must configure security group rules to allow outbound access to the endpoints or IP addresses described in the following table.

| Endpoint/IP address | Description |
| --- | --- |
| https://{region-id}.axt.aliyun.com:443/ | This endpoint is used to access the Cloud Assistant server. |
| http://100.100.100.200:80/ | This IP address is used to access MetaServer. |
| https://aliyun-client-assist-{region-id}.oss-{region-id}-internal.aliyuncs.com:443/ | This endpoint is used to access the server where the Cloud Assistant client installation package resides to install or update your Cloud Assistant client. |

Note: {region-id} specifies the region ID of the instance. For example, if the instance resides in the China (Hangzhou) region, set this parameter to cn-hangzhou.

You can use one of the following methods to configure security group rules for an instance on which the Cloud Assistant client is installed:
  • General configurations: In most cases, you can use this method to configure security group rules that allow outbound access to the CIDR blocks and ports of the Cloud Assistant server and the server where the Cloud Assistant client installation package resides.
  • Fine-grained configurations: If you want to manage network permissions in a fine-grained manner, you can use this method to allow outbound access only to the specified ports and IP addresses for the region of the instance on which the Cloud Assistant client is installed.

General configurations

To simplify the configuration and management of network permissions, you can configure security group rules to allow outbound access to the CIDR blocks and ports of the Cloud Assistant server and the server where the Cloud Assistant client installation package resides.

Note: The CIDR block of the Cloud Assistant server is 100.100.0.0/16. The CIDR block of the server where the Cloud Assistant client installation package resides is 100.0.0.0/8.

By default, basic security groups allow all outbound traffic from their ECS instances, whereas advanced security groups deny all outbound traffic. For advanced security groups, you must configure security group rules to allow outbound access to the endpoints, CIDR blocks, or ports described in the following table. For more information, see Add security group rules.

| Endpoint/CIDR block/Port | Description |
| --- | --- |
| DNS/UDP port 53 | This port is used to resolve domain names. |
| https://<100.100.0.0/16>:443/ | This CIDR block is used to access the Cloud Assistant server. |
| https://<100.0.0.0/8>:443/ | This CIDR block is used to access the server where the Cloud Assistant client installation package resides to install or update your Cloud Assistant client. |

Fine-grained configurations

If you want to manage network permissions in a fine-grained manner, you can allow outbound access only to the IP addresses of the Cloud Assistant server and the server where the Cloud Assistant client installation package resides in the specified region.

For example, if your instance resides in the China (Hangzhou) region, you must configure rules for advanced security groups to allow outbound access to the endpoints, IP addresses, or ports described in the following table. For more information, see Add security group rules.

| Endpoint/IP address/Port | Description |
| --- | --- |
| DNS/UDP port 53 | This port is used to resolve domain names. |
| https://100.100.45.106:443/ | This IP address is used to access the Cloud Assistant server in the China (Hangzhou) region. |
| https://100.118.28.50:443/ | This IP address is used to access the server where the Cloud Assistant client installation package resides in the China (Hangzhou) region to install or update your Cloud Assistant client. |
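
The following added example (not Alibaba Cloud code) compares the general and fine-grained configurations for a default-deny advanced security group: it checks that the China (Hangzhou) destinations are reachable, flags rules whose destinations a broader rule already covers, and counts the destination addresses opened on TCP 443. `EgressRule` and the function names are hypothetical; the addresses and CIDR blocks are taken from the tables on this page.

```python
import ipaddress
from typing import NamedTuple

class EgressRule(NamedTuple):
    protocol: str   # "tcp" or "udp"
    port: int       # single destination port, as in the page's tables
    dest_cidr: str  # destination CIDR block of an allow rule

# Destinations from the page's China (Hangzhou) fine-grained table.
REQUIRED_HANGZHOU = {
    "Cloud Assistant server": ("tcp", 443, "100.100.45.106"),
    "client installation package server": ("tcp", 443, "100.118.28.50"),
}

# The two configurations described on the page, written as allow rules.
# The DNS rule (UDP 53) is omitted because the page gives no destination for it.
GENERAL = [EgressRule("tcp", 443, "100.100.0.0/16"),
           EgressRule("tcp", 443, "100.0.0.0/8")]
FINE_GRAINED = [EgressRule("tcp", 443, "100.100.45.106/32"),
                EgressRule("tcp", 443, "100.118.28.50/32")]

def permits(rule, protocol, port, ip):
    """True if an allow rule matches the protocol, port and destination IP."""
    return (rule.protocol == protocol and rule.port == port
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.dest_cidr))

def missing(rules, required):
    """Names of required destinations that a default-deny group would still block."""
    return [name for name, (proto, port, ip) in required.items()
            if not any(permits(r, proto, port, ip) for r in rules)]

def redundant(rules):
    """Rules whose destinations another rule on the same protocol/port already covers."""
    def covers(o, r):
        return (o != r and (o.protocol, o.port) == (r.protocol, r.port)
                and ipaddress.ip_network(r.dest_cidr).subnet_of(ipaddress.ip_network(o.dest_cidr)))
    return [r for r in rules if any(covers(o, r) for o in rules)]

def exposure(rules, protocol, port):
    """Number of distinct destination addresses opened on one protocol/port."""
    nets = [ipaddress.ip_network(r.dest_cidr) for r in rules
            if (r.protocol, r.port) == (protocol, port)]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    for name, rules in (("general", GENERAL), ("fine-grained", FINE_GRAINED)):
        print(name, missing(rules, REQUIRED_HANGZHOU), redundant(rules),
              exposure(rules, "tcp", 443))
```

Both configurations reach the two Hangzhou destinations; the general one opens 16,777,216 destination addresses on TCP 443 and the fine-grained one opens 2. A 100.100.0.0/16 rule on its own does not reach the installation package server at 100.118.28.50.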

The following table lists the endpoints and IP addresses that the Cloud Assistant client must be able to access in each region.

The first row in the Endpoint column of each region indicates the endpoint and IP address of the Cloud Assistant server, and the second row indicates the endpoint and IP address of the server where the Cloud Assistant client installation package resides.

| Region | Region ID | Endpoint | IP address |
| --- | --- | --- | --- |
| China (Qingdao) | cn-qingdao | cn-qingdao.axt.aliyun.com | 100.100.15.4 |
| | | aliyun-client-assist-cn-qingdao.oss-cn-qingdao-internal.aliyuncs.com | 100.115.173.9 |
| China (Beijing) | cn-beijing | cn-beijing.axt.aliyun.com | 100.100.18.120 |
| | | aliyun-client-assist-cn-beijing.oss-cn-beijing-internal.aliyuncs.com | 100.118.58.9 |
| China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou.axt.aliyun.com | 100.100.99.23 |
| | | aliyun-client-assist-cn-zhangjiakou.oss-cn-zhangjiakou-internal.aliyuncs.com | 100.118.90.245 |
| China (Hohhot) | cn-huhehaote | cn-huhehaote.axt.aliyun.com | 100.100.126.8 |
| | | aliyun-client-assist-cn-huhehaote.oss-cn-huhehaote-internal.aliyuncs.com | 100.118.195.21 |
| China (Ulanqab) | cn-wulanchabu | cn-wulanchabu.axt.aliyun.com | 100.100.0.3 |
| | | aliyun-client-assist-cn-wulanchabu.oss-cn-wulanchabu-internal.aliyuncs.com | 100.118.214.0 |
| China (Hangzhou) | cn-hangzhou | cn-hangzhou.axt.aliyun.com | 100.100.45.106 |
| | | aliyun-client-assist-cn-hangzhou.oss-cn-hangzhou-internal.aliyuncs.com | 100.118.28.50 |
| China (Shanghai) | cn-shanghai | cn-shanghai.axt.aliyun.com | 100.100.36.108 |
| | | aliyun-client-assist-cn-shanghai.oss-cn-shanghai-internal.aliyuncs.com | 100.118.102.35 |
| China (Nanjing - Local Region) | cn-nanjing | cn-nanjing.axt.aliyun.com | 100.100.0.1 |
| | | aliyun-client-assist-cn-nanjing.oss-cn-nanjing-internal.aliyuncs.com | 100.114.142.7 |
| China (Shenzhen) | cn-shenzhen | cn-shenzhen.axt.aliyun.com | 100.100.0.70 |
| | | aliyun-client-assist-cn-shenzhen.oss-cn-shenzhen-internal.aliyuncs.com | 100.118.78.4 |
| China (Heyuan) | cn-heyuan | cn-heyuan.axt.aliyun.com | 100.100.0.5 |
| | | aliyun-client-assist-cn-heyuan.oss-cn-heyuan-internal.aliyuncs.com | 100.98.83.0 |
| China (Guangzhou) | cn-guangzhou | cn-guangzhou.axt.aliyun.com | 100.100.0.4 |
| | | aliyun-client-assist-cn-guangzhou.oss-cn-guangzhou-internal.aliyuncs.com | 100.115.33.49 |
| China (Chengdu) | cn-chengdu | cn-chengdu.axt.aliyun.com | 100.100.0.42 |
| | | aliyun-client-assist-cn-chengdu.oss-cn-chengdu-internal.aliyuncs.com | 100.115.155.18 |
| China (Hong Kong) | cn-hongkong | cn-hongkong.axt.aliyun.com | 100.100.35.30 |
| | | aliyun-client-assist-cn-hongkong.oss-cn-hongkong-internal.aliyuncs.com | 100.115.61.10 |
| Singapore (Singapore) | ap-southeast-1 | ap-southeast-1.axt.aliyun.com | 100.100.30.60 |
| | | aliyun-client-assist-ap-southeast-1.oss-ap-southeast-1-internal.aliyuncs.com | 100.118.219.18 |
| Australia (Sydney) | ap-southeast-2 | ap-southeast-2.axt.aliyun.com | 100.100.44.12 |
| | | aliyun-client-assist-ap-southeast-2.oss-ap-southeast-2-internal.aliyuncs.com | 100.100.44.1 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3.axt.aliyun.com | 100.100.127.16 |
| | | aliyun-client-assist-ap-southeast-3.oss-ap-southeast-3-internal.aliyuncs.com | 100.118.165.0 |
| Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5.axt.aliyun.com | 100.100.80.165 |
| | | aliyun-client-assist-ap-southeast-5.oss-ap-southeast-5-internal.aliyuncs.com | 100.100.16.5 |
| Philippines (Manila) | ap-southeast-6 | ap-southeast-6.axt.aliyun.com | 100.100.0.15 |
| | | aliyun-client-assist-ap-southeast-6.oss-ap-southeast-6-internal.aliyuncs.com | 100.115.16.209 |
| India (Mumbai) | ap-south-1 | ap-south-1.axt.aliyun.com | 100.100.80.108 |
| | | aliyun-client-assist-ap-south-1.oss-ap-south-1-internal.aliyuncs.com | 100.118.211.136 |
| Japan (Tokyo) | ap-northeast-1 | ap-northeast-1.axt.aliyun.com | 100.100.0.76 |
| | | aliyun-client-assist-ap-northeast-1.oss-ap-northeast-1-internal.aliyuncs.com | 100.100.40.129 |
| US (Silicon Valley) | us-west-1 | us-west-1.axt.aliyun.com | 100.100.29.34 |
| | | aliyun-client-assist-us-west-1.oss-us-west-1-internal.aliyuncs.com | 100.100.29.86 |
| US (Virginia) | us-east-1 | us-east-1.axt.aliyun.com | 100.100.152.140 |
| | | aliyun-client-assist-us-east-1.oss-us-east-1-internal.aliyuncs.com | 100.115.60.17 |
| Germany (Frankfurt) | eu-central-1 | eu-central-1.axt.aliyun.com | 100.100.46.12 |
| | | aliyun-client-assist-eu-central-1.oss-eu-central-1-internal.aliyuncs.com | 100.115.154.14 |
| UK (London) | eu-west-1 | eu-west-1.axt.aliyun.com | 100.100.0.20 |
| | | aliyun-client-assist-eu-west-1.oss-eu-west-1-internal.aliyuncs.com | 100.100.41.198 |
| UAE (Dubai) | me-east-1 | me-east-1.axt.aliyun.com | 100.100.43.7 |
| | | aliyun-client-assist-me-east-1.oss-me-east-1-internal.aliyuncs.com | 100.100.43.1 |
| Russia (Moscow) | rus-west-1 | rus-west-1.axt.aliyun.com | 100.100.0.4 |
| | | aliyun-client-assist-rus-west-1.oss-rus-west-1-internal.aliyuncs.com | 100.118.214.129 |
| China East 2 Finance | cn-shanghai-finance-1 | cn-shanghai-finance-1.axt.aliyun.com | 100.100.0.46 |
| | | aliyun-client-assist-cn-shanghai-finance-1.oss-cn-shanghai-finance-1-internal.aliyuncs.com | 100.100.36.8 |
| China South 1 Finance | cn-shenzhen-finance-1 | cn-shenzhen-finance-1.axt.aliyun.com | 100.103.0.140 |
| | | aliyun-client-assist-cn-shenzhen-finance-1.oss-cn-shenzhen-finance-1-internal.aliyuncs.com | 100.112.15.71 |
| China North 2 Ali Gov 1 | cn-north-2-gov-1 | cn-north-2-gov-1.axt.aliyun.com | 100.100.0.67 |
| | | aliyun-client-assist-cn-north-2-gov-1.oss-cn-north-2-gov-1-internal.aliyuncs.com | 100.100.49.4 |