Security groups act as virtual firewalls that provide stateful packet inspection (SPI) and packet filtering capabilities. By default, Elastic Compute Service (ECS) instances that belong to the same basic security group can access each other over all protocols and ports. Alibaba Cloud provides a variety of access control policies for you to isolate resources within a basic security group. You can configure internal isolation policies (internal access control policies that provide network isolation between resources) for security groups.

Internal isolation policies of security groups

The following default access control policies apply to instances within security groups:
  • Instances within the same basic security group can access each other over all protocols and ports. Instances within the same advanced security group are isolated from each other.
  • Instances within different security groups are isolated from each other.
    Note To allow ECS instances within different security groups to access each other, you can configure security group rules to allow mutual access between the security groups.

When you configure internal isolation policies for security groups, take note of the following items:

  • Internal isolation policies are configured only for specific basic security groups. They do not change how the default access control policies apply to advanced security groups and to other basic security groups.
  • Internal isolation policies of security groups provide network interface controller (NIC) level isolation between instances. If multiple elastic network interfaces (ENIs) are bound to an instance, you must configure internal isolation policies for the security groups to which each ENI belongs.
  • Internal isolation policies have the lowest priority. After you configure an internal isolation policy for a security group that contains no user-created rules, network isolation is provided between instances and between NICs within the security group. The priorities of user-created security group rules are higher than those of internal isolation policies.
    In the following cases, instances within a security group can still access each other after you configure an internal isolation policy for the security group:
    • The instances share multiple security groups, and one or more of the security groups do not have internal isolation policies.
    • An access control list (ACL) is configured to allow mutual access between instances within the security group.
      Note For more information about ACLs, see Overview of network ACLs.

Modify an internal access control policy

To isolate ECS instances within a basic security group from each other, you can use one of the following tools to modify the internal access control policy of the basic security group:
Note By default, ECS instances within an advanced security group are isolated from each other. The internal access control policies of advanced security groups cannot be modified.

Case analysis

In this example, Group1 and Group2 are basic security groups. ECS1, ECS2, and ECS3 are ECS instances. The following figure shows the relationships between the ECS instances and the security groups.
Figure: ECS instances and the security groups to which the ECS instances belong
  • Group1 contains ECS1 and ECS2 and has an internal isolation policy configured.
  • Group2 contains ECS2 and ECS3 and uses the default internal access control policy.
The following table describes whether the ECS instances are isolated from each other.
  • ECS1 and ECS2. Isolated: Yes. ECS1 and ECS2 belong to Group1. Group1 has an internal isolation policy configured. Therefore, ECS1 and ECS2 are isolated from each other.
  • ECS2 and ECS3. Isolated: No. ECS2 and ECS3 belong to Group2. Group2 uses the default internal access control policy. Therefore, ECS2 and ECS3 can access each other.
  • ECS1 and ECS3. Isolated: Yes. ECS1 and ECS3 belong to different security groups. By default, ECS instances within different security groups are isolated from each other. Therefore, ECS1 and ECS3 cannot access each other.
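The following added example (not Alibaba Cloud's code) models the reachability rules stated on this page as a small Python evaluator, so that the case analysis above and the exceptions listed under "Internal isolation policies of security groups" can be checked together. The group and instance names are the ones from the case analysis; the `SecurityGroup` fields, `cross_group_rules` and `acl_allows` are constructed simplifications of security group rules and network ACLs, not ECS API parameters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    """Model of one ECS security group (constructed for this example)."""
    name: str
    advanced: bool = False            # members of an advanced group are always isolated
    internal_isolation: bool = False  # basic group with an internal isolation policy configured
    intra_allow_rule: bool = False    # user-created rule permitting members to reach each other


def intra_group_reachable(sg: SecurityGroup) -> bool:
    """Can two members of `sg` reach each other through this one group?"""
    if sg.advanced:
        return False                  # advanced groups: isolated, policy cannot be modified
    if sg.intra_allow_rule:
        return True                   # user-created rules outrank the internal isolation policy
    return not sg.internal_isolation  # basic group default is mutual access


def reachable(a: frozenset, b: frozenset,
              cross_group_rules: frozenset = frozenset(),
              acl_allows: bool = False) -> bool:
    """Whether instance A (member of groups `a`) and instance B (groups `b`) can reach each other.

    `cross_group_rules` holds frozenset({name_x, name_y}) pairs of groups for which rules
    allowing mutual access exist. `acl_allows` is a simplified stand-in for a network ACL
    that permits the traffic, which the page lists as overriding internal isolation.
    """
    if acl_allows:
        return True
    # One shared group without isolation (or with a user-created allow rule) is enough.
    if any(intra_group_reachable(sg) for sg in a & b):
        return True
    # Otherwise only an explicit cross-group rule connects instances in different groups.
    return any(frozenset({x.name, y.name}) in cross_group_rules
               for x in a for y in b if x.name != y.name)


# Case analysis from the page: Group1 isolates its members, Group2 keeps the default policy.
GROUP1 = SecurityGroup("Group1", internal_isolation=True)
GROUP2 = SecurityGroup("Group2")
ECS1, ECS2, ECS3 = frozenset({GROUP1}), frozenset({GROUP1, GROUP2}), frozenset({GROUP2})

if __name__ == "__main__":
    for label, x, y in (("ECS1 and ECS2", ECS1, ECS2), ("ECS2 and ECS3", ECS2, ECS3),
                        ("ECS1 and ECS3", ECS1, ECS3)):
        print(f"{label}: isolated = {not reachable(x, y)}")
```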