The rules of a security group control the inbound or outbound traffic to or from the instances in the security group.

Attributes of security group rules

To add or modify a security group rule, you must configure the attributes described in the following table.
Attribute Description
Direction The direction of the rule. The network types of security groups affect rule directions.
  • In a security group of the Virtual Private Cloud (VPC) type, rules are classified as inbound or outbound and each rule controls access to or from both the Internet and internal network.
  • In a security group of the classic network type, rules are classified as public inbound (Internet ingress), public outbound (Internet egress), internal inbound (inbound), or internal outbound (outbound). Public inbound and outbound rules control access to and from the Internet. Internal inbound and outbound rules control access to and from the internal network.
Access requests are matched against inbound and outbound rules based on different attributes.
  • Inbound access requests are matched against inbound rules based on their transport layer protocols, destination port numbers, and source IP addresses. An inbound rule matches an inbound access request when they have the same transport layer protocol, destination port number, and source IP address.
  • Outbound access requests are matched against outbound rules based on their transport layer protocols, destination port numbers, and destination IP addresses. An outbound rule matches an outbound access request when they have the same transport layer protocol, destination port number, and destination IP address.
Note By default, security group rules are created in the Elastic Compute Service (ECS) console based on 3-tuples. To implement finer-grained access control, you can call API operations to create rules to allow or deny access based on 5-tuples: source IP address, source port number, destination IP address, destination port number, and transport layer protocol. For more information, see Security group quintuple rules.
Action The action of the rule. You can set the action to Allow or Forbid. If two security group rules are different only in the action, the Forbid rule takes effect.
Priority The priority of the rule. The priority ranges from 1 to 100. A smaller value indicates a higher priority.
Protocol type The transport layer protocol. TCP, User Datagram Protocol (UDP), Internet Control Messages Protocol version 4 (ICMPv4), ICMP version 6 (ICMPv6), and Generic Routing Encapsulation (GRE) are supported.
Port range The range of destination ports for inbound or outbound traffic. You can specify single port numbers or a range of port numbers. For information about the default ports used by typical applications, see Common ports used by applications.
Authorization object The source for inbound traffic or the destination for outbound traffic. You can specify the following items as authorization objects:
  • Single IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:.
  • Classless Inter-domain Routing (CIDR) blocks. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128.
  • Other security groups. A rule that includes another security group as the authorization object controls mutual access between the instances in that security group and the instances in the current security group over the internal network. When you configure a rule in a security group, you can specify a different security group within the same or another Alibaba Cloud account as the authorization object.
    Note Security groups can be specified as authorization objects only in rules of basic security groups.
  • Prefix lists. A prefix list is a set of one or more CIDR blocks. If a prefix list is specified as the authorization object in a security group rule, the rule is applied to all CIDR blocks included in the prefix list. Example: 192.168.0.0/24,172.16.0.0/16.

Procedure to filter access requests based on security group rules

If an instance is assigned to multiple security groups, the rules of all the security groups are applied to the instance. When an access request destined for the instance is detected, the request is matched against each rule one by one. If multiple rules match the request based on their protocols, port ranges, and authorization objects, the request is further matched against the priorities and actions of these rules to determine a single rule to apply. No session is established until an Allow rule is matched and applied.

You can add or modify rules of a security group. The new or modified rules are automatically applied to the instances in the security group.
An on-premises server and instances in a basic security group are used in the following flowcharts to show how to filter access requests based on security group rules. In the flowcharts, if a security group contains no rules, it indicates that all user-created and default rules have been deleted from the security group.
Note When a security group is created in the ECS console, default rules are automatically added to the security group. For information about default rules, see Default security groups and Security groups and security group rules.
  • The following flowchart shows how the rules of a basic security group control access from an on-premises server to an instance in the security group. inbound
  • The following flowchart shows how the rules of a basic security group control access from an instance in the security group to an on-premises server. outbound

Example security group rules

To use an SSH key pair to connect to a Linux instance, make sure that the security group of the instance contains a rule to allow inbound SSH access to the required port. The following table describes an example rule that allows inbound SSH access to port 22 in a security group of the VPC type.
Direction Action Priority Protocol type Port range Authorization object
Inbound Allow 1 Custom TCP Destination: 22/22 Source: 0.0.0.0/0
Note 0.0.0.0/0 indicates all IP addresses. For security purposes, we recommend that you specify specific IP addresses as authorization objects based on the principle of least privilege.
Basic security groups to which no user-created rules are added allow all outbound access. If you want to use a basic security group as a whitelist, you can add a rule to deny all outbound access. The following table describes an example rule that is added to a security group of the VPC type to deny all outbound access.
Direction Action Priority Protocol type Port range Authorization object
Outbound Forbid 100 All Destination: -1/-1 Destination: 0.0.0.0/0

For information about more example security group rules, see Security groups for different use cases.