A security group acts as a virtual firewall that is used to control access to and from Elastic Compute Service (ECS) instances. Each instance must belong to at least one security group. This topic describes how to create a security group and configure security group rules in the ECS console.

Prerequisites

A virtual private cloud (VPC) and a vSwitch are already created if you want to create a security group of the VPC type. For more information, see Create and manage a VPC.

Background information

If you do not create a security group when you create an ECS instance, a default security group is created. The default security group contains the following default rules:
  • An inbound rule that allows Internet Control Message Protocol (ICMP) traffic to support operations such as pinging the ECS instance.
  • An inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access the ECS instance.
  • An optional inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. If you want to build websites by using the ECS instance, you must select HTTP port 80 and HTTPS port 443 to create the rule in the default security group.

If you want to add an ECS instance to a user-created security group, you can perform the following operations to create a security group. For more information, see Overview.

Procedure

  1. Go to the Security Groups page.
    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Network & Security > Security Groups.
    3. In the top navigation bar, select a region.
  2. Click Create Security Group.
  3. In the Basic Information section, configure the following parameters:
    • Security Group Name: Specify a name for the security group.
    • Description: Enter a brief description of the security group for future management.
    • Network: Set the network type of the security group.
      • To create a security group of the VPC type, select an existing VPC.
      • To create a security group of the classic network type, select Classic Network.
    • Security Group Type: Select a security group type.
      • Basic Security Group: applicable to scenarios that involve small clusters and require moderate network connections.
      • Advanced Security Group: applicable to scenarios that involve large-scale clusters and require highly efficient O&M.

      For information about other functional differences between basic and advanced security groups, see Overview.

    • Resource group: Select a resource group to which to assign the security group to facilitate subsequent O&M.
    • Tags: Configure tags for the security group to facilitate subsequent O&M.
  4. Optional: In the Access Rule section, configure security group rules.
    The system adds default security group rules that have the basic configurations. To add user-created security group rules, perform the following operations. For more information, see Add a security group rule.
    1. Click the Inbound or Outbound tab to select the security group rule direction. The available directions depend on the network type:
      VPC:
      • Inbound: controls inbound traffic from both the Internet and internal networks.

        By default, inbound rules are added to allow ICMP traffic and traffic on SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443.

      • Outbound: controls outbound traffic to both the Internet and internal networks.

        By default, basic security groups allow all outbound access, and advanced security groups deny all outbound access.

      Classic network:
      • Internet Ingress: For security reasons, we recommend that you select a security group for Authorization Object when you add a public inbound rule to a security group of the classic network type. If you want to control access from IP addresses, enter individual IP addresses instead of CIDR blocks.
      • Internet Egress: By default, all outbound access to the Internet is allowed.
      • Inbound: By default, internal inbound rules are added to allow ICMP traffic and traffic on SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443.
      • Outbound: By default, all outbound access to the internal network is allowed.
    2. Click Add Rule.
    3. Add user-created security group rules by configuring the following parameters:
      • Action:
        • Allow: allows access requests on a specific port.
        • Forbid: denies access requests and drops data packets without returning a response.

        If two security group rules differ only in their actions, the Forbid rule takes effect and the Allow rule is ignored.

      • Priority: A smaller value indicates a higher priority. Valid values: 1 to 100.
      • Protocol Type: The protocol type of the security group rule. Valid values:
        • All
        • Custom TCP
        • Customized UDP
        • All ICMP (IPv4)
        • All ICMP (IPv6)
        • All GRE
      • Port Range: You can specify a port range when Protocol Type is set to Custom TCP or Customized UDP. Enter one or more port ranges. Separate the port ranges with commas (,). Example: 22/23,443/443.

        For more information about the Protocol Type and Port Range parameters, see Common ports used by applications and What is the relationship between protocol types and port ranges in security group rules?.

      • Authorization Object: You can specify an authorization object of the following types:
        • IP Address

          You can enter individual IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:.

        • CIDR blocks

          You can enter a CIDR block. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128. For more information about IP addresses and CIDR blocks, see What is the relationship between the IP addresses and CIDR blocks specified as authorization objects of a security group rule?.

        • Security groups
          This authorization type is valid only for the internal network. You can specify a security group in the current account or a different account as the authorization object to allow mutual access between instances or elastic network interfaces (ENIs) in that security group and instances in the current security group over the internal network.
          Note
          • For advanced security groups, security groups are not supported as authorization objects.
          • For each basic security group, a maximum of 20 security groups are supported as authorization objects.
          • Authorize the current account: Enter the ID of the security group that you want to specify as the authorization object within the current account. If the current security group is of the VPC type, the security group that you want to specify as the authorization object must reside within the same VPC as the current security group.
          • Authorize another account: Enter the ID of the other Alibaba Cloud account and the ID of the security group to which you want to grant permissions in the format ID of the Alibaba Cloud account/ID of the security group. You can choose Account Management > Basic Information to view your account ID.
        • Prefix lists

          A prefix list is a set of network prefixes (CIDR blocks). The prefix list feature is supported only on security groups of the VPC type. After you reference a prefix list in a security group rule, the rule applies to all CIDR blocks in the prefix list. For more information, see Overview and Create a prefix list.

          If a prefix list is referenced in a security group rule, the maximum number of entries in the prefix list counts against the rule quota for the security group. For example, assume that a prefix list can contain a maximum of 100 entries. If the prefix list is referenced in a security group rule, the prefix list counts as 100 rules for the security group regardless of the number of existing entries in the prefix list.

        Take note of the following items:
        • You can enter up to 10 authorization objects at a time. Separate the objects with commas (,). Each authorization object corresponds to a rule. For example, if you add 10 authorization objects at a time, 10 rules are generated.
        • If you enter 0.0.0.0/0 or ::/0 as an authorization object, all IP addresses are allowed. Evaluate the network risks before you specify 0.0.0.0/0 or ::/0.
        • For security reasons, we recommend that you select a security group for Authorization Object when you add a public inbound rule to a security group of the classic network type. If you want to specify IP addresses as authorization objects in security group rules, enter individual IP addresses instead of CIDR blocks.
      • Description: The description of the security group rule.
  5. Click Create Security Group.
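The rule semantics described in the procedure above (smaller priority value wins, Forbid beats Allow when two matching rules tie, the 22/23,443/443 port-range format, and IP or CIDR authorization objects) can be modelled to check a planned rule set before it is created. The following is an added example written for this topic, not ECS code; the evaluator, the rule data and the `open_to_world` check are constructed assumptions, and a packet that matches no rule returns None so the group's own default policy can be applied by the caller.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the rule semantics described on this page (not ECS code):
# the rule with the smaller priority value wins; if two matching rules share a
# priority, Forbid takes effect and Allow is ignored; 0.0.0.0/0 and ::/0 match all.
PROTO_MAP = {"Custom TCP": "tcp", "Customized UDP": "udp",
             "All ICMP (IPv4)": "icmp", "All ICMP (IPv6)": "icmpv6", "All GRE": "gre"}

def parse_port_ranges(spec):
    """Parse the console format 'lo/hi,lo/hi', e.g. '22/23,443/443'."""
    ranges = []
    for part in spec.split(","):
        lo, hi = (int(x) for x in part.split("/"))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part}")
        ranges.append((lo, hi))
    return ranges

@dataclass
class Rule:
    action: str          # "Allow" or "Forbid"
    priority: int        # 1 to 100, smaller value = higher priority
    protocol: str        # "All" or one of PROTO_MAP's keys
    auth_object: str     # IP address or CIDR block authorization object
    port_range: str = ""  # only meaningful for Custom TCP / Customized UDP

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be 1 to 100")
        # ip_network accepts a bare address (/32 or /128) as well as a CIDR block
        self.network = ipaddress.ip_network(self.auth_object, strict=False)

    def matches(self, proto, port, src_ip):
        if ipaddress.ip_address(src_ip) not in self.network:  # IPv4 vs IPv6 never match
            return False
        if self.protocol == "All":
            return True
        if PROTO_MAP.get(self.protocol) != proto:
            return False
        if proto not in ("tcp", "udp"):
            return True  # ICMP/GRE rules carry no port range
        return any(lo <= port <= hi for lo, hi in parse_port_ranges(self.port_range))

def evaluate(rules, proto, port, src_ip):
    """Return 'Allow', 'Forbid', or None when no rule matches (group default applies)."""
    hits = [r for r in rules if r.matches(proto, port, src_ip)]
    if not hits:
        return None
    # sort by priority value, then Forbid ahead of Allow so Forbid wins a tie
    hits.sort(key=lambda r: (r.priority, r.action != "Forbid"))
    return hits[0].action

def open_to_world(rules):
    """Defender check: Allow rules whose authorization object is 0.0.0.0/0 or ::/0."""
    return [r for r in rules if r.action == "Allow" and r.network.prefixlen == 0]
```

Run `open_to_world` over a planned rule set before clicking Create Security Group to spot the 0.0.0.0/0 or ::/0 entries that the note above asks you to evaluate.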

Result

After the security group is created, the security group is displayed on the Security Groups page.

What to do next