Action
- Allow: allows access requests on a specific port.
- Forbid: denies access requests and drops the data packets without returning a response.
If two security group rules differ only in their actions, the Forbid rule takes effect and the Allow rule is ignored.
Priority
A smaller value indicates a higher priority. Valid values: 1 to 100.
Protocol Type
The protocol type of the security group rule. Valid values:
- All
- Custom TCP
- Customized UDP
- All ICMP (IPv4)
- All ICMP (IPv6)
- All GRE
Port Range
You can specify a port range when Protocol Type is set to Custom TCP or Customized UDP. Enter one or more port ranges. Separate the port ranges with commas (,). Example: 22/23,443/443.
For more information about the Protocol Type and Port Range parameters, see Common ports used by applications and What is the relationship between protocol types and port ranges in security group rules?
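As an added illustration of how the Action, Priority and Port Range parameters interact (this is example code written for this page, not Alibaba Cloud's own implementation), the following Python simulator parses a port range written in the 22/23,443/443 format and evaluates a packet against a rule set: the rule with the smallest priority value wins, and among matching rules at that priority a Forbid rule overrides an Allow rule. The rule set is constructed, and the code assumes that a packet matching no rule is dropped, which the table does not state.

```python
"""Simulate how a set of security group rules is evaluated against one packet.

Semantics taken from the parameter table: Priority is 1..100 with a smaller
value winning; rules that differ only in Action resolve to Forbid; Port Range
is written as "lo/hi" segments separated by commas, e.g. "22/23,443/443".
ASSUMPTION (not stated on the page): a packet that matches no rule is dropped.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse '22/23,443/443' into [(22, 23), (443, 443)], validating each range."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo_s, hi_s = part.split("/")
        lo, hi = int(lo_s), int(hi_s)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("a TCP or UDP rule needs at least one port range")
    return ranges


@dataclass
class Rule:
    action: str            # "Allow" or "Forbid"
    priority: int          # 1..100, smaller value = higher priority
    protocol: str          # "All", "TCP", "UDP" or "ICMP"
    source: str            # authorization object given as an IP address or CIDR block
    port_range: str = ""   # only used for TCP/UDP, e.g. "22/23,443/443"
    ranges: List[Tuple[int, int]] = field(init=False, default_factory=list)

    def __post_init__(self):
        if self.action not in ("Allow", "Forbid"):
            raise ValueError(f"unknown action {self.action!r}")
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be between 1 and 100")
        # strict=False lets a single host address such as 192.168.0.100 act as a /32
        self.network = ipaddress.ip_network(self.source, strict=False)
        if self.protocol in ("TCP", "UDP"):
            self.ranges = parse_port_ranges(self.port_range)

    def matches(self, protocol: str, port: Optional[int], src_ip: str) -> bool:
        if self.protocol != "All" and self.protocol != protocol:
            return False
        # ip_network's membership test is False for a mismatched IP version,
        # so an IPv6 source never matches a rule written for 0.0.0.0/0.
        if ipaddress.ip_address(src_ip) not in self.network:
            return False
        if self.ranges:
            return port is not None and any(lo <= port <= hi for lo, hi in self.ranges)
        return True


def evaluate(rules: List[Rule], protocol: str, port: Optional[int], src_ip: str) -> str:
    """Return 'Allow' or 'Forbid' for one packet."""
    matched = {}
    for rule in rules:
        if rule.matches(protocol, port, src_ip):
            matched.setdefault(rule.priority, []).append(rule)
    if not matched:
        return "Forbid"  # assumption: no matching rule means the packet is dropped
    best = min(matched)  # smallest value = highest priority
    # At the winning priority level, a Forbid rule overrides any Allow rule.
    return "Forbid" if any(r.action == "Forbid" for r in matched[best]) else "Allow"


# Constructed sample rule set (not from the page): admin hosts may reach SSH,
# the rest of the private range is cut off, HTTPS is open to everyone, and
# port 80 carries a conflicting Allow/Forbid pair at the same priority.
SAMPLE_RULES = [
    Rule("Allow", 1, "TCP", "10.1.2.0/24", "22/22"),
    Rule("Forbid", 10, "All", "10.0.0.0/8"),
    Rule("Allow", 50, "TCP", "0.0.0.0/0", "443/443"),
    Rule("Allow", 50, "TCP", "0.0.0.0/0", "80/80"),
    Rule("Forbid", 50, "TCP", "0.0.0.0/0", "80/80"),  # differs only in action: Forbid wins
]

if __name__ == "__main__":
    for proto, port, src in [("TCP", 22, "10.1.2.3"), ("TCP", 22, "10.9.9.9"),
                             ("TCP", 443, "203.0.113.5"), ("TCP", 80, "203.0.113.5"),
                             ("TCP", 443, "2001:db8::1")]:
        print(proto, port, src, "->", evaluate(SAMPLE_RULES, proto, port, src))
```

Note the last sample packet: an IPv6 source is not matched by a rule whose authorization object is 0.0.0.0/0, so a rule set that is meant to cover both address families needs a ::/0 (or a narrower IPv6 CIDR) object as well.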
Authorization Object
You can specify an authorization object of the following types:
- IP Address
You can enter individual IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:.
- CIDR blocks
You can enter a CIDR block. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128.
For more information about IP addresses and CIDR blocks, see What is the relationship between the IP addresses and CIDR blocks specified as authorization objects of a security group rule?
- Security groups
This authorization type is valid only for the internal network. You can specify a security group in the current account or in a different account as the authorization object to allow mutual access over the internal network between instances or elastic network interfaces (ENIs) in that security group and instances in the current security group.
Note
- Advanced security groups do not support security groups as authorization objects.
- Each basic security group supports a maximum of 20 security groups as authorization objects.
- Authorize the current account: Enter the ID of the security group that you want to specify as the authorization object within the current account. If the current security group is of the VPC type, the security group that you specify as the authorization object must reside in the same VPC as the current security group.
- Authorize another account: Enter the ID of the other Alibaba Cloud account and the ID of the security group to which you want to grant permissions, in the format ID of the Alibaba Cloud account/ID of the security group. You can view your account ID to obtain it.
- Prefix lists
A prefix list is a set of network prefixes (CIDR blocks). The prefix list feature is supported only on security groups of the VPC type. After you reference a prefix list in a security group rule, the rule applies to all CIDR blocks in the prefix list. For more information, see Overview and Create a prefix list.
If a prefix list is referenced in a security group rule, the maximum number of entries in the prefix list counts against the rule quota for the security group. For example, assume that a prefix list can contain a maximum of 100 entries. If the prefix list is referenced in a security group rule, the prefix list counts as 100 rules for the security group, regardless of the number of entries that the prefix list actually contains.
Take note of the following items:
- You can enter up to 10 authorization objects at a time. Separate the objects with commas (,). Each authorization object corresponds to one rule. For example, if you add 10 authorization objects at a time, 10 rules are generated.
- If you enter 0.0.0.0/0 or ::/0 as an authorization object, all IP addresses are allowed. Evaluate the network risks before you specify 0.0.0.0/0 or ::/0.
- For security reasons, we recommend that you select a security group for Authorization Object when you add a public inbound rule to a security group of the classic network type. If you want to specify IP addresses as authorization objects in security group rules, enter individual IP addresses instead of CIDR blocks.
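The following Python helper is an added example (not Alibaba Cloud's own code) that applies the Authorization Object constraints listed above before a rule is submitted: it splits a comma-separated field of at most 10 objects into one rule per object, classifies each object as an IP address, CIDR block, security group, account/security group pair, or prefix list, counts how many rules the submission consumes (a prefix list counts as its maximum entry count), enforces the 20-security-group limit for basic security groups and the no-security-group rule for advanced ones, and flags 0.0.0.0/0 and ::/0 for review. The ID formats "sg-...", "pl-..." and an all-digit account ID, the prefix list size of 100, and the sample field are assumptions and constructed values, not taken from the page.

```python
"""Pre-submission checks for the Authorization Object field of a security group rule.

Limits taken from the parameter table: up to 10 comma-separated objects per
submission, one rule per object; a basic security group accepts at most 20
security groups as objects and an advanced one accepts none; a referenced
prefix list counts as its maximum entry count against the rule quota;
0.0.0.0/0 and ::/0 allow every address.
ASSUMPTIONS (not from the page): security group IDs look like "sg-<chars>",
prefix list IDs like "pl-<chars>", and Alibaba Cloud account IDs are all digits.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_OBJECTS_PER_SUBMISSION = 10
MAX_SECURITY_GROUP_OBJECTS_BASIC = 20
WIDE_OPEN = {"0.0.0.0/0", "::/0"}

SG_ID = re.compile(r"^sg-[a-z0-9]+$")                 # assumed ID shape
PL_ID = re.compile(r"^pl-[a-z0-9]+$")                 # assumed ID shape
ACCOUNT_SG = re.compile(r"^(\d+)/(sg-[a-z0-9]+)$")    # "account ID/security group ID"


@dataclass
class AuthObject:
    kind: str                         # "ip", "cidr", "security_group" or "prefix_list"
    value: str
    account_id: Optional[str] = None  # set for "Authorize another account"
    wide_open: bool = False           # True for 0.0.0.0/0 and ::/0


def classify(text: str) -> AuthObject:
    """Decide which authorization object type a single field entry is; raise ValueError on garbage."""
    text = text.strip()
    m = ACCOUNT_SG.match(text)        # must be tested before the CIDR branch: it also contains "/"
    if m:
        return AuthObject("security_group", m.group(2), account_id=m.group(1))
    if SG_ID.match(text):
        return AuthObject("security_group", text)
    if PL_ID.match(text):
        return AuthObject("prefix_list", text)
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return AuthObject("cidr", str(net), wide_open=str(net) in WIDE_OPEN)
    ipaddress.ip_address(text)        # raises ValueError if this is not an address
    return AuthObject("ip", text)


def expand(field_text: str) -> List[AuthObject]:
    """Split the field into objects; each object becomes one security group rule."""
    parts = [p for p in (s.strip() for s in field_text.split(",")) if p]
    if len(parts) > MAX_OBJECTS_PER_SUBMISSION:
        raise ValueError(f"at most {MAX_OBJECTS_PER_SUBMISSION} authorization objects per submission")
    return [classify(p) for p in parts]


def quota_cost(objects: List[AuthObject], prefix_list_max_entries: int) -> int:
    """Rules consumed: one per object, except a prefix list, which counts as its maximum entries."""
    return sum(prefix_list_max_entries if o.kind == "prefix_list" else 1 for o in objects)


def check_limits(objects: List[AuthObject], existing_sg_objects: int, advanced: bool) -> List[str]:
    """Return findings against the Note limits and the 0.0.0.0/0 and ::/0 warning."""
    findings = []
    sg_objects = [o for o in objects if o.kind == "security_group"]
    if advanced and sg_objects:
        findings.append("advanced security groups do not support security groups as authorization objects")
    elif not advanced and existing_sg_objects + len(sg_objects) > MAX_SECURITY_GROUP_OBJECTS_BASIC:
        findings.append(f"a basic security group supports at most {MAX_SECURITY_GROUP_OBJECTS_BASIC} "
                        "security groups as authorization objects")
    for o in objects:
        if o.wide_open:
            findings.append(f"{o.value} allows all IP addresses; evaluate the network risks first")
    return findings


# Constructed sample field (IDs and account number are placeholders, not real resources).
SAMPLE_FIELD = ("192.168.0.100, 10.0.0.0/8, sg-constructed1, "
                "123456789012345678/sg-constructed2, pl-constructed1, 0.0.0.0/0")

if __name__ == "__main__":
    objects = expand(SAMPLE_FIELD)
    print(f"{len(objects)} rules would be generated, consuming {quota_cost(objects, 100)} of the rule quota")
    for finding in check_limits(objects, existing_sg_objects=19, advanced=False):
        print("finding:", finding)
```

The quota figure assumes the prefix list's maximum size is 100 entries, matching the worked example in the Prefix lists description; substitute the real maximum of the referenced list.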
Description
The description of the security group rule.