The rules of a security group control the inbound or outbound traffic to or from the instances in the security group.
Attributes of security group rules
Attribute | Description |
---|---|
Direction | The direction of the rule. The network types of security groups affect rule directions. Access requests are matched against inbound and outbound rules based on different attributes. Note: By default, security group rules are created in the Elastic Compute Service (ECS) console based on 3-tuples. To implement finer-grained access control, you can call API operations to create rules that allow or deny access based on 5-tuples: source IP address, source port number, destination IP address, destination port number, and transport layer protocol. For more information, see Security group quintuple rules. |
Action | The action of the rule. You can set the action to Allow or Forbid. If two security group rules differ only in their action, the Forbid rule takes effect. |
Priority | The priority of the rule. The priority ranges from 1 to 100. A smaller value indicates a higher priority. |
Protocol type | The transport layer protocol. TCP, User Datagram Protocol (UDP), Internet Control Message Protocol version 4 (ICMPv4), ICMP version 6 (ICMPv6), and Generic Routing Encapsulation (GRE) are supported. |
Port range | The range of destination ports for inbound or outbound traffic. You can specify a single port number or a range of port numbers. For information about the default ports used by typical applications, see Common ports used by applications. |
Authorization object | The source for inbound traffic or the destination for outbound traffic. You can specify the following items as authorization objects: |
Procedure to filter access requests based on security group rules
If an instance is assigned to multiple security groups, the rules of all those security groups are applied to the instance. When an access request destined for the instance is detected, the request is checked against each rule in turn. If multiple rules match the request on protocol, port range, and authorization object, the priorities and actions of those rules are then compared to determine the single rule that applies. No session is established until an Allow rule is matched and applied.
You can add or modify the rules of a security group. New or modified rules are automatically applied to the instances in the security group.
- The following flowchart shows how the rules of a basic security group control access from an on-premises server to an instance in the security group.
- The following flowchart shows how the rules of a basic security group control access from an instance in the security group to an on-premises server.
Example security group rules
Direction | Action | Priority | Protocol type | Port range | Authorization object |
---|---|---|---|---|---|
Inbound | Allow | 1 | Custom TCP | Destination: 22/22 | Source: 0.0.0.0/0 |
0.0.0.0/0 indicates all IP addresses. For security purposes, we recommend that you specify specific IP addresses as authorization objects based on the principle of least privilege.
Direction | Action | Priority | Protocol type | Port range | Authorization object |
---|---|---|---|---|---|
Outbound | Forbid | 100 | All | Destination: -1/-1 | Destination: 0.0.0.0/0 |
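The matching procedure described above (3-tuple match on protocol, port range and authorization object, then priority, then Forbid-beats-Allow on a tie) is easy to get wrong when auditing a rule set by hand. The following Python evaluator is an added example written for this page; it is not the ECS implementation and does not call any Alibaba Cloud API. It assumes that authorization objects are plain CIDR blocks (the page's list of other authorization object types is not reproduced here), that a request matched by no rule is not allowed (the page states that no session is established until an Allow rule matches), and it extends the two example rules from the tables above with two constructed rules that exercise the tie-break and the priority ordering.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str               # "Inbound" or "Outbound"
    action: str                  # "Allow" or "Forbid"
    priority: int                # 1 to 100; a smaller value is a higher priority
    protocol: str                # "TCP", "UDP", "ICMPv4", "ICMPv6", "GRE" or "All"
    port_range: tuple[int, int]  # (low, high) destination ports; (-1, -1) means all ports
    cidr: str                    # authorization object, assumed here to be a CIDR block

@dataclass(frozen=True)
class Request:
    direction: str
    protocol: str
    dst_port: int                # -1 for protocols without ports, e.g. ICMP
    peer_ip: str                 # source IP for inbound, destination IP for outbound

def validate_rule(rule: Rule) -> None:
    """Reject rules outside the attribute ranges the table above describes."""
    if rule.direction not in ("Inbound", "Outbound"):
        raise ValueError(f"bad direction: {rule.direction}")
    if rule.action not in ("Allow", "Forbid"):
        raise ValueError(f"bad action: {rule.action}")
    if not 1 <= rule.priority <= 100:
        raise ValueError(f"priority out of range: {rule.priority}")
    if rule.protocol not in ("TCP", "UDP", "ICMPv4", "ICMPv6", "GRE", "All"):
        raise ValueError(f"unsupported protocol: {rule.protocol}")
    lo, hi = rule.port_range
    if (lo, hi) != (-1, -1) and not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {rule.port_range}")
    ipaddress.ip_network(rule.cidr, strict=False)  # raises ValueError on a malformed CIDR

def rule_matches(rule: Rule, req: Request) -> bool:
    """The 3-tuple match: protocol, destination port and authorization object (same direction)."""
    if rule.direction != req.direction:
        return False
    if rule.protocol != "All" and rule.protocol != req.protocol:
        return False
    lo, hi = rule.port_range
    if (lo, hi) != (-1, -1) and not lo <= req.dst_port <= hi:
        return False
    # An IPv6 address is never contained in an IPv4 network (and vice versa); this returns False, no exception
    return ipaddress.ip_address(req.peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)

def evaluate(rules: list[Rule], req: Request) -> tuple[str, Optional[Rule]]:
    """Return (effective action, winning rule). With no matching rule, no session is established."""
    for r in rules:
        validate_rule(r)
    matched = [r for r in rules if rule_matches(r, req)]
    if not matched:
        return "Forbid", None
    # Lowest priority value wins; among rules with the same priority, Forbid beats Allow.
    winner = min(matched, key=lambda r: (r.priority, 0 if r.action == "Forbid" else 1))
    return winner.action, winner

# Constructed rule set: the two example rules from this page plus two assumed rules.
EXAMPLE_RULES = [
    Rule("Inbound", "Allow", 1, "TCP", (22, 22), "0.0.0.0/0"),        # from the page
    Rule("Outbound", "Forbid", 100, "All", (-1, -1), "0.0.0.0/0"),    # from the page
    Rule("Inbound", "Forbid", 1, "TCP", (22, 22), "203.0.113.0/24"),  # assumed: same priority as the Allow rule
    Rule("Outbound", "Allow", 50, "TCP", (443, 443), "0.0.0.0/0"),    # assumed: higher priority than the Forbid rule
]

if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges).
    for req in [Request("Inbound", "TCP", 22, "198.51.100.7"),
                Request("Inbound", "TCP", 22, "203.0.113.9"),
                Request("Inbound", "TCP", 80, "198.51.100.7"),
                Request("Outbound", "TCP", 443, "192.0.2.10"),
                Request("Outbound", "UDP", 53, "192.0.2.53")]:
        action, rule = evaluate(EXAMPLE_RULES, req)
        print(f"{req.direction:8} {req.protocol:4} port {req.dst_port:5} peer {req.peer_ip:15} -> {action} via {rule}")
```

Two behaviours worth noting when reviewing a rule set with this model: SSH from 203.0.113.9 is rejected even though the page's priority-1 Allow rule matches it, because the constructed Forbid rule at the same priority wins the tie; and outbound HTTPS is permitted despite the page's priority-100 Forbid rule, because the constructed priority-50 Allow rule is compared first.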
For information about more example security group rules, see Security groups for different use cases.