This topic provides answers to frequently asked questions about the security of Elastic Compute Service (ECS) instances.
- FAQ about security groups
- What is a security group?
- Why must I select a security group when I create an ECS instance?
- I have not created any security groups. Can I still create an ECS instance?
- Why am I getting an error that says the maximum number of rules has been reached when I attempt to add ECS instances to a security group?
- If I adjust the maximum number of security groups to which an ECS instance of the virtual private cloud (VPC) type can belong, does this adjustment take effect only on the security groups created after the number is adjusted?
- In what scenarios are the default security group rules used?
- How do ECS instances in different security groups communicate with each other over the internal network?
- How are ECS instances in the same security group isolated from each other over the internal network?
- Why am I unable to access services after I configure a security group?
- How do I add an ENI to a security group?
- FAQ about security group rules
- In what scenarios must I add security group rules?
- What is the relationship between protocol types and port ranges in security group rules?
- What is the relationship between the IP addresses and CIDR blocks specified as authorization objects in security group rules?
- Why am I unable to access TCP port 25?
- Why am I unable to access TCP port 80?
- Why have several internal security group rules been automatically added to my security group?
- What happens if a security group rule is incorrectly configured?
- Are the inbound and outbound rules in a security group separately counted?
- Can I adjust the maximum number of rules that can be added to a security group?
- How are my created security group rules prioritized?
- FAQ about host penalty and unblocking
- FAQ about quotas
What is a security group?
A security group is a virtual firewall that controls inbound and outbound traffic for one or more ECS instances. Security groups logically isolate security domains in the cloud.
Each ECS instance must belong to at least one security group. When you create an ECS instance, you must specify a security group for the instance. Security groups are classified into basic and advanced security groups. For more information, see Overview.
Why must I select a security group when I create an ECS instance?
Rules are configured in security groups to control access to the security domains.
If you do not select a security group when you create an ECS instance, the instance is automatically assigned to the default security group. We recommend that you move the instance from the default security group to a security group that you created.
I have not created any security groups. Can I still create an ECS instance?
Yes, you can. If you do not have any existing security groups, the instance is automatically assigned to the default security group. The default security group allows traffic on common ports such as TCP port 22 and port 3389.
Why am I getting an error that says the maximum number of rules has been reached when I attempt to add ECS instances to a security group?
This error happens when the maximum number of security group rules that can be associated with the primary elastic network interface (ENI) of an ECS instance is exceeded. You can calculate the maximum value by using the following formula: Maximum number of security groups to which the instance can belong × Maximum number of rules in each security group.
If you are prompted with the message "Failed to join the security group. The number of security group rules that have acted on the instance has reached the upper limit", the maximum number of security group rules applied to the instance has been reached. We recommend that you select another security group.
If I adjust the maximum number of security groups to which an ECS instance of the virtual private cloud (VPC) type can belong, does this adjustment take effect only on the security groups created after the number is adjusted?
No, the adjustment takes effect on all security groups to which ECS instances of the VPC type belong, regardless of when the security groups are created.
In what scenarios are the default security group rules used?
The default security group rules are used in the following scenarios:
- If you have not created a security group when you create an ECS instance in a region for the first time in the ECS console, you can select the default security group created by the system. The default security group is a basic security group. The default security group uses default security rules. The default security rules are inbound rules that have a priority of 100 and grant access to all CIDR blocks (0.0.0.0/0). These rules allow inbound Internet Control Message Protocol (ICMP) traffic on all ports and inbound TCP traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389. You can also choose to allow inbound traffic on HTTP port 80 and HTTPS port 443. All outbound traffic is allowed.
- When you create a security group in the ECS console, the system creates default security group rules in the security group. These rules are inbound rules that grant access to all CIDR blocks (0.0.0.0/0). These rules allow inbound ICMP traffic on all ports, and inbound TCP traffic on SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443.
How do ECS instances in different security groups communicate with each other over the internal network?
By default, instances in different security groups within the same account or different accounts are isolated from each other over the internal network. For more information about the use cases in which instances in different security groups can communicate with each other over the internal network, see Security group rules for instances within different security groups to communicate with each other and Configure interconnection of instances in the classic network.
How are ECS instances in the same security group isolated from each other over the internal network?
By default, ECS instances in the same basic security group can communicate with each other over all protocols and ports. You can modify the internal access control policies of basic security groups to isolate instances in the security groups. For more information, see Network isolation within a basic security group.
Why am I unable to access services after I configure a security group?
If a service on the instance is still unreachable after you configure a security group, check that all of the following conditions are met:
- Traffic on the port is allowed by a security group rule.
- The software that listens on the port is running and is bound to the listening address 0.0.0.0. You can run the netstat -ano | findstr <Port number> command (the findstr form is for Windows instances) to check whether the port is in the listening state.
- The internal firewall of the instance is disabled, or traffic on the port is allowed by the firewall.
How do I add an ENI to a security group?
You can change the security group of a primary ENI by changing the security group of the ECS instance to which the ENI is bound. You can also change the security group to which a secondary ENI belongs by modifying the attributes of the ENI. For more information, see Modify an ENI.
In what scenarios must I add security group rules?
We recommend that you add security group rules to ensure that your ECS instance can be accessed in the following scenarios:
- The security group to which your ECS instance belongs does not contain custom or default security group rules. Your ECS instance needs to access the Internet or another ECS instance in a different security group within the same region.
- The application deployed on your ECS instance uses a specified port or port range instead of the default port. In this case, you must allow the specified port or port range before you can check whether the application is connected. For example, you have deployed the NGINX service and want to set TCP port 8000 as the listening port but your security group allows only port 80. In this case, you must add a security rule to ensure that the NGINX service is accessible.
- For information about other scenarios, see Security groups for different use cases.
What is the relationship between protocol types and port ranges in security group rules?
You must specify a communication port or port range when you add security group rules to a security group. The security group can determine whether to allow traffic destined for ECS instances based on the Allow or Forbid rules.
Protocol type | Port range | Scenario |
---|---|---|
All | -1/-1 is displayed, which indicates all ports. You cannot configure a port range for this protocol type. | It can be used in all trusted scenarios. |
All ICMP (IPv4) | -1/-1 is displayed, which indicates all ports. You cannot configure a port range for this protocol type. | It can be used when you run the ping command to check the state of network connections between ECS instances. |
All GRE | -1/-1 is displayed, which indicates all ports. You cannot configure a port range for this protocol type. | It can be used for VPN. |
Custom TCP | A custom port range. Valid values of port numbers: 1 to 65535. You must use the <start port>/<end port> format to specify a port range or a single port. For example, 80/80 indicates port 80, and 1/22 indicates ports 1 to 22. | It can be used to allow or deny traffic on a single port or a range of ports. |
Custom UDP | A custom port range. Valid values of port numbers: 1 to 65535. You must use the <start port>/<end port> format to specify a port range or a single port. For example, 80/80 indicates port 80, and 1/22 indicates ports 1 to 22. | It can be used to allow or deny traffic on a single port or a range of ports. |
Scenario | Protocol type | Port range | Description |
---|---|---|---|
Connection to a server | SSH | 22/22 | It can be used to connect to a Linux instance. After you connect to the instance, you can modify the port number. For more information, see Modify the default port used by an instance to accept connections. |
Connection to a server | TELNET | 23/23 | It can be used to connect to an instance. |
Connection to a server | RDP | 3389/3389 | It can be used to connect to a Windows instance. After you connect to the instance, you can modify the port number. For more information, see Modify the default port used by an instance to accept connections. |
Website service | HTTP | 80/80 | It can be used when an instance serves as a website server or web application server. |
Website service | HTTPS | 443/443 | It can be used when an instance serves as a website server or web application server that supports HTTPS. |
Database | MS SQL | 1433/1433 | It can be used when an instance serves as an MS SQL server. |
Database | Oracle | 1521/1521 | It can be used when an instance serves as an Oracle SQL server. |
Database | MySQL | 3306/3306 | It can be used when an instance serves as a MySQL server. |
Database | PostgreSQL | 5432/5432 | It can be used when an instance serves as a PostgreSQL server. |
Database | Redis | 6379/6379 | It can be used when an instance serves as a Redis server. |
What is the relationship between the IP addresses and CIDR blocks specified as authorization objects in security group rules?
IP addresses are individual IP addresses. Example: 192.168.0.100 or 2408:4321:180:1701:94c7:bc38:3bfa:. CIDR blocks are IP address ranges. Example: 192.168.0.0/24 or 2408:4321:180:1701:94c7:bc38:3bfa:***/128.
CIDR is an addressing scheme for the Internet that allows for IP addresses to be assigned in a more efficient manner than the traditional scheme based on classes A, B, and C. CIDR notation is used to denote IP addresses and IP ranges. It consists of an IP address and a forward slash followed by a decimal number that denotes how many bits are in the network prefix.
- Example 1: Convert a CIDR block into an IP address range
For example, you can convert the 10.0.0.0/8 CIDR block into a 32-bit binary IP address of 00001010.00000000.00000000.00000000. In this CIDR block, /8 represents an 8-bit network ID. The first 8 bits of the 32-bit binary IP address are fixed, and the corresponding IP addresses are from 00001010.00000000.00000000.00000000 to 00001010.11111111.11111111.11111111. After you convert the preceding IP addresses into IP addresses in the decimal format, the 10.0.0.0/8 CIDR block indicates the IP addresses from 10.0.0.0 to 10.255.255.255 with a subnet mask of 255.0.0.0.
- Example 2: Convert an IP address range into a CIDR block
For example, you have a range of IP addresses from 192.168.0.0 to 192.168.31.255. You can convert the last two parts of the first and last IP addresses to binary numbers from 00000000.00000000 to 00011111.11111111. The first 19 (8 × 2 + 3) bits are fixed. After you convert the IP addresses to IP addresses in the CIDR format, the corresponding CIDR block is 192.168.0.0/19.
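The two conversions worked above, as an added example that is not part of the Alibaba Cloud documentation. It uses plain bit arithmetic (IPv4 only) so the fixed network bits and the host bits are visible; the function names are my own.

```python
# Added example (not from the Alibaba Cloud documentation): CIDR block <-> IP range
# conversion for IPv4, following Example 1 and Example 2 above.

def ip_to_int(ip: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_to_range(cidr: str) -> tuple:
    """Example 1: '10.0.0.0/8' -> (first address, last address, subnet mask)."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # first `prefix` bits set
    network = ip_to_int(ip) & mask                     # fixed network bits
    last = network | (~mask & 0xFFFFFFFF)              # host bits all set to 1
    return int_to_ip(network), int_to_ip(last), int_to_ip(mask)

def range_to_cidr(first: str, last: str) -> str:
    """Example 2: '192.168.0.0'..'192.168.31.255' -> '192.168.0.0/19'.
    Counts the leading bits on which first and last agree; the range must be
    exactly one aligned CIDR block, otherwise a ValueError is raised."""
    a, b = ip_to_int(first), ip_to_int(last)
    if a > b:
        raise ValueError("first address is after last address")
    varying = a ^ b                        # bits that change across the range
    prefix = 32 - varying.bit_length()     # leading bits that stay fixed
    host_mask = (1 << (32 - prefix)) - 1
    if a & host_mask or (b & host_mask) != host_mask:
        raise ValueError("range is not a single CIDR block")
    return f"{first}/{prefix}"
```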
Why am I unable to access TCP port 25?
TCP port 25 is the default email service port. For security reasons, TCP port 25 is disabled for ECS instances by default. We recommend that you use port 465 to send emails. For more information, see Security groups for different use cases.
Why am I unable to access TCP port 80?
For information about how to troubleshoot problems related to port 80, see Check whether TCP port 80 is available.
Why have several internal security group rules been automatically added to my security group?
Rules may be automatically added to your security group in one of the following situations:
- You have accessed Data Management.
- You have migrated data by using Alibaba Cloud Data Transmission Service (DTS). The rules associated with the IP addresses of DTS servers are automatically added to your security group.
What happens if a security group rule is incorrectly configured?
If a security group rule is incorrectly configured, the following problems may occur:
- Linux ECS instances cannot be connected to by using SSH, and Windows ECS instances cannot be connected to by using the Remote Desktop Protocol (RDP).
- The public IP addresses of ECS instances cannot be pinged.
- The web services provided by the ECS instances cannot be accessed over HTTP or HTTPS.
- ECS instances associated with this rule cannot communicate with other ECS instances over the internal network.
Are the inbound and outbound rules in a security group separately counted?
No, the inbound and outbound rules in a security group are counted together. The total number of inbound and outbound rules in each security group cannot exceed 200. For more information, see Limits.
Can I adjust the maximum number of rules that can be added to a security group?
No, you cannot adjust the maximum number of rules that can be added to a security group. Each security group can contain a maximum of 200 security group rules. Each ENI of an ECS instance can be added to up to five security groups. This allows each ENI of an ECS instance to be associated with up to 1,000 security group rules. This is sufficient for most use cases. If you reach the limit, perform the following steps:
- Check whether redundant rules exist. You can also submit a ticket to obtain help from Alibaba Cloud in checking for redundant rules.
- If redundant rules exist, delete them. If no redundant rules exist, create more security groups.
If you have activated Cloud Firewall, you can configure access control policies on VPC firewalls to control traffic between VPCs. This way, fewer ECS security group rules are required. For more information about how to configure access control policies on VPC firewalls, see Create an access control policy for a VPC firewall.
How are my created security group rules prioritized?
The priority ranges from 1 to 100. A smaller value indicates a higher priority.
- If two security group rules differ only in the authorization policy, the Forbid policy is applied and the Allow policy is not.
- If two security group rules differ only in the priority, the rule with a higher priority is applied.
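The port-range format from the protocol table above and the priority rules in this answer, combined in one added example that is not part of the Alibaba Cloud documentation: a small model that parses rules as the console displays them and decides whether traffic is allowed. The Rule structure, the function names and the default-deny fallback when no rule matches are my assumptions for the model, not the product's implementation.

```python
# Added example (not from the Alibaba Cloud documentation): a model of security
# group rule parsing and matching using the -1/-1 and <start>/<end> port format
# and the priority / Forbid-over-Allow ordering described above.
import ipaddress
from dataclasses import dataclass

NO_PORT = (-1, -1)  # shown as -1/-1 for All, All ICMP (IPv4) and All GRE

def parse_port_range(protocol: str, text: str) -> tuple:
    """Parse '<start port>/<end port>' exactly as the console shows it."""
    if protocol in ("all", "icmp", "gre"):
        if text != "-1/-1":
            raise ValueError(f"{protocol} does not take a port range")
        return NO_PORT
    start, end = (int(p) for p in text.split("/"))
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid port range for {protocol}: {text}")
    return start, end

@dataclass
class Rule:
    priority: int   # 1..100, a smaller value is a higher priority
    policy: str     # "allow" or "forbid"
    protocol: str   # "all", "tcp", "udp", "icmp", "gre"
    ports: str      # e.g. "22/22", "1/22", "-1/-1"
    source: str     # authorization object: an IP address or a CIDR block

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be 1 to 100")
        self.port_range = parse_port_range(self.protocol, self.ports)
        self.network = ipaddress.ip_network(self.source, strict=False)

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in self.network:
            return False
        if self.protocol not in ("all", protocol):
            return False
        if self.port_range == NO_PORT:
            return True
        return self.port_range[0] <= port <= self.port_range[1]

def decide(rules: list, src_ip: str, protocol: str, port: int) -> str:
    """Lowest priority value wins; at equal priority Forbid beats Allow.
    Assumption for this model: traffic matching no rule is dropped."""
    hits = [r for r in rules if r.matches(src_ip, protocol, port)]
    if not hits:
        return "forbid"
    # order by priority value, then Forbid (0) before Allow (1) on ties
    hits.sort(key=lambda r: (r.priority, 0 if r.policy == "forbid" else 1))
    return hits[0].policy
```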
What can I do if I receive a notification that my website has been blocked due to illegal activities and must be rectified?
You can check the records of harmful Internet information to view domain names or URLs that contain harmful information, penalty actions, reasons, and duration. When you are sure that the harmful information from your domain name or URL has been cleared or does not exist, you can apply to unblock the domain name or URL. For more information, see View harmful Internet information.
What can I do if I receive a notification that my website has been penalized for malicious behavior?
You can check the penalty records to view the details about penalty actions, reasons, and duration. If you do not agree with the penalty, provide your feedback and file an appeal. After Alibaba Cloud receives your feedback on the penalty, Alibaba Cloud checks the penalty and determines whether the penalty is appropriate and whether to uphold or rescind the penalty. For more information, see View the penalty list.
How can I view the resource quota?
For more information about how to view the limits and quotas of resources, see Limits.