This topic describes how to configure security group rules for common scenarios (such
as scenarios where a website deployed on your instance needs to provide external web
services or where you want to connect to your instance from an on-premises server)
based on security group characteristics in Elastic Compute Service (ECS).
Background information
Take note of the following items about security group rules:
- In security groups of the Virtual Private Cloud (VPC) type, each rule controls access
to or from both the Internet and the internal network. In security groups of the classic
network type, public rules (Internet ingress and Internet egress rules) control access
to or from the Internet, whereas internal rules (inbound and outbound rules) control
access to or from the internal network.
- All example rules described in this topic are configured for the default ports used
by typical applications. Applications deployed on instances use ports of the instances
to provide external services. For more information, see Common ports used by applications.
Security group rules for websites to provide web services
Security groups that contain no rules deny all inbound access. If a website deployed
on your instance needs to provide external web services, you must add the security
group rules described in the following table to allow inbound access to the required
ports such as ports 80 (HTTP) and 443 (HTTPS).
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | Custom TCP | Destination: 80/80 | Source: 0.0.0.0/0 |
| Inbound | Allow | 1 | Custom TCP | Destination: 443/443 | Source: 0.0.0.0/0 |
Security group rules for connecting to an instance from an on-premises server
Security groups that contain no rules deny all inbound access. Before you can connect
to an instance from an on-premises server, you must add security group rules to allow
inbound access to the required ports based on your connection method. For example,
to connect to a Linux instance by using Secure Shell (SSH), you must add a rule that
allows inbound SSH access to port 22. To connect to a Windows instance by using the
Remote Desktop Protocol (RDP), you must add a rule that allows inbound RDP access
to port 3389. The following table describes the example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | Custom TCP | Destination: 22/22 | Source: 0.0.0.0/0 |
| Inbound | Allow | 1 | Custom TCP | Destination: 3389/3389 | Source: 0.0.0.0/0 |
Note 0.0.0.0/0 indicates all IP addresses. For security purposes, we recommend that you specify
specific IP addresses as authorization objects based on the principle of least privilege.
When you use Alibaba Cloud Workbench to connect to an instance, you must add security
group rules to allow access to specified servers. The following table describes the
example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | Custom TCP | Destination: 22/22 | Source: 161.117.90.22/32 |
| Inbound | Allow | 1 | Custom TCP | Destination: 3389/3389 | Source: 161.117.90.22/32 |
Security group rules for instances within different security groups to communicate with each other
Instances within different security groups that contain no rules are isolated from
each other over the internal network. If you want to share data between instances
from different security groups within the same VPC (for example, if you want instances
within Security Group A to access shared files on instances within Security Group
B over FTP), you can add rules to allow mutual access between the security groups
over the internal network. This is more convenient than adding rules to allow access
to or from individual IP addresses or CIDR blocks.
Note This method does not work for instances that reside within different VPCs. You can
use Cloud Enterprise Network (CEN) to connect instances within a VPC to those within
another VPC. For more information, see Overview.
If Security Group A and Security Group B belong to the same Alibaba Cloud account,
you must specify the ID of Security Group A as the authorization object when you add
a rule to Security Group B to allow inbound access from Security Group A. The following
table describes an example rule.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | Custom TCP | Destination: 21/21 | Source: sg-bp1hv6wvmegs036**** |
Note The security group ID provided in the preceding table is for reference only. Replace
it with the actual security group ID.
If Security Group A and Security Group B do not belong to the same Alibaba Cloud account,
you must specify the ID of Security Group A and the ID of its associated Alibaba Cloud
account as the authorization object when you add a rule to Security Group B to allow
inbound access from Security Group A. The following table describes an example rule.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | Custom TCP | Destination: 21/21 | Source: 160998252992****/sg-bp174yoe2ib1sqj5**** |
Note The Alibaba Cloud account ID and the security group ID provided in the preceding table
are for reference only. Replace them with the actual IDs.
Security group rules for access to databases
If you have deployed databases on your instance and want other instances to obtain
data from the databases over the internal network, you must add rules to allow inbound
access to the required ports based on the database types, such as port 3306 (MySQL),
port 1521 (Oracle), port 1433 (MS SQL), port 5432 (PostgreSQL), and port 6379 (Redis).
The following table describes the example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | Custom TCP | Destination: 3306/3306 | Source: 172.16.XX.XX |
| Inbound | Allow | 1 | Custom TCP | Destination: 1521/1521 | Source: 192.168.XX.XX |
| Inbound | Allow | 1 | Custom TCP | Destination: 1433/1433 | Source: 192.168.XX.XX/16 |
| Inbound | Allow | 1 | Custom TCP | Destination: 5432/5432 | Source: sg-bp1hv6wvmegs036**** |
| Inbound | Allow | 1 | Custom TCP | Destination: 6379/6379 | Source: 160998252992****/sg-bp174yoe2ib1sqj5**** |
Note The IP addresses, CIDR block, Alibaba Cloud account ID, and security group IDs provided
in the preceding table are for reference only. Replace them with actual information.
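The note above recommends least-privilege authorization objects instead of 0.0.0.0/0, and the tables list the administrative and database ports that matter most. The following audit script is an added example, not part of this topic or of any Alibaba Cloud tool: it walks a list of inbound rules and reports every Allow rule that exposes one of those ports to all addresses. The input is a constructed sample; its field names (Direction, Policy, IpProtocol, PortRange, SourceCidrIp, SourceGroupId) are an assumption modelled on the Permission entries that DescribeSecurityGroupAttribute returns, so map your own export onto them.

```python
import ipaddress

# Constructed sample rules. Field names are an assumption modelled on the
# Permission entries returned by DescribeSecurityGroupAttribute; adapt as needed.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},            # web: fine
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},            # SSH open to all
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "161.117.90.22/32"}, # RDP, single host
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "192.168.0.0/16"},   # MySQL, internal
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "::/0"},               # every TCP port, IPv6
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "5432/5432", "SourceGroupId": "sg-bp1hv6wvmegs036****"},  # group source
]

# Ports from the tables in this topic that should never be reachable from everywhere.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DB_PORTS = {3306: "MySQL", 1521: "Oracle", 1433: "MS SQL", 5432: "PostgreSQL", 6379: "Redis"}


def parse_port_range(port_range):
    """'22/22' -> (22, 22); '-1/-1' (any port) -> (-1, -1)."""
    lo, hi = port_range.split("/")
    return int(lo), int(hi)


def covers(port_range, port):
    """True if the rule's port range includes the given port."""
    lo, hi = parse_port_range(port_range)
    return lo == -1 or lo <= port <= hi


def is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. an authorization object meaning 'all addresses'."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit(rules):
    """Return (service, port, port_range, source) for each sensitive port opened to all."""
    findings = []
    sensitive = {**ADMIN_PORTS, **DB_PORTS}
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Policy", "").lower() != "accept":
            continue
        source = rule.get("SourceCidrIp")
        if source is None:
            # Security-group source: access is scoped to the group's members, not the Internet.
            continue
        if not is_any_source(source):
            continue
        for port, name in sensitive.items():
            if covers(rule["PortRange"], port):
                findings.append((name, port, rule["PortRange"], source))
    return findings


if __name__ == "__main__":
    for name, port, port_range, source in audit(SAMPLE_RULES):
        print(f"{name} (port {port}) is reachable from {source} via rule {port_range}")
```

Running the script against the sample reports the SSH rule and, for the catch-all 1/65535 rule from ::/0, every sensitive port at once; the /32, /16 and security-group sources pass because they already follow the least-privilege advice.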
Security group rules for pinging instances
The Internet Control Message Protocol (ICMP) is used to transmit control messages.
You must add rules to allow inbound ICMP access before you can perform specific test
operations, such as running the ping command on a client to ping your instance. The
following table describes the example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | All ICMP (IPv4) | Destination: -1/-1 | Source: 0.0.0.0/0 |
| Inbound | Allow | 1 | All ICMP (IPv6) | Destination: -1/-1 | Source: ::/0 |
Security group rules for restricting access from instances to external websites
By default, basic security groups allow all outbound access. To allow instances within
a basic security group access only to specific websites, you can use the security
group as a whitelist and add a Forbid rule that denies all outbound access and then
Allow rules that allow outbound access to the IP addresses of the websites. Take note
of the following items:
- When more than one rule matches a request by protocol, port range, and authorization
object, the priorities and actions of the matching rules are compared to select a single
rule to apply. No session is established until an Allow rule is matched and applied.
- A smaller priority value indicates a higher priority. If two security group rules have
the same priority and differ only in their action, the Forbid rule takes effect. Therefore,
the Forbid rule must have a lower priority (a larger priority value) than the Allow rules.
This way, the Allow rules take effect to allow outbound access to the IP addresses of the
specified websites.
The following table describes the example rules.
| Direction | Action | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Outbound | Forbid | 2 | All | Destination: -1/-1 | Destination: 0.0.0.0/0 |
| Outbound | Allow | 1 | Custom TCP | Destination: 80/80 | Destination: 47.96.XX.XX |
| Outbound | Allow | 1 | Custom TCP | Destination: 443/443 | Destination: 121.199.XX.XX |
Note The IP addresses of the websites provided in the preceding table are for reference
only. Replace them with the actual IP addresses of your websites.
After the rules are added, you can log on to your instance to perform tests, such
as running the ping command. If your instance can access only the specified IP addresses,
the security group rules have taken effect.
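To make the matching order described above concrete, here is an added model of the rule evaluation, written for this page and not taken from any Alibaba Cloud documentation or SDK: among the rules that match a packet by protocol, port range and authorization object, the smallest priority value wins, and on a tie the Forbid rule wins. The whitelist from the preceding table is reproduced with constructed destination addresses (47.96.10.10 and 121.199.20.20, standing in for the XX placeholders), next to a misconfigured variant in which the Forbid rule was given priority 1. The defaults for an empty rule set follow this topic: outbound traffic is allowed, inbound traffic is denied.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    action: str      # "Allow" or "Forbid"
    priority: int    # smaller value = higher priority
    protocol: str    # "TCP", "UDP", "ICMP", or "All"
    port_range: str  # "lo/hi"; "-1/-1" means any port
    cidr: str        # authorization object: destination CIDR for outbound rules


# Whitelist from the table above; website addresses are constructed placeholders.
WHITELIST = [
    Rule("outbound", "Forbid", 2, "All", "-1/-1", "0.0.0.0/0"),
    Rule("outbound", "Allow", 1, "TCP", "80/80", "47.96.10.10/32"),
    Rule("outbound", "Allow", 1, "TCP", "443/443", "121.199.20.20/32"),
]

# Same rules, but the Forbid rule shares priority 1 with the Allow rules.
MISCONFIGURED = [Rule("outbound", "Forbid", 1, "All", "-1/-1", "0.0.0.0/0")] + WHITELIST[1:]


def rule_matches(rule, protocol, port, ip):
    """Match on protocol, port range and authorization object, in that order."""
    if rule.protocol != "All" and rule.protocol != protocol:
        return False
    lo, hi = (int(x) for x in rule.port_range.split("/"))
    if lo != -1 and not (lo <= port <= hi):
        return False
    # A network of one IP version never contains an address of the other; that yields False.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)


def decide(rules, direction, protocol, port, ip):
    """Return "Allow" or "Forbid" for one packet. Pass port=0 for ICMP."""
    candidates = [r for r in rules
                  if r.direction == direction and rule_matches(r, protocol, port, ip)]
    if not candidates:
        # Basic security group defaults: all outbound allowed, all inbound denied.
        return "Allow" if direction == "outbound" else "Forbid"
    # Smallest priority value wins; on a tie, Forbid sorts before Allow.
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.action == "Forbid" else 1))
    return winner.action


if __name__ == "__main__":
    for label, rules in (("whitelist", WHITELIST), ("misconfigured", MISCONFIGURED)):
        print(label, "TCP/80 to 47.96.10.10:", decide(rules, "outbound", "TCP", 80, "47.96.10.10"))
        print(label, "ICMP to 47.96.10.10:", decide(rules, "outbound", "ICMP", 0, "47.96.10.10"))
        print(label, "TCP/443 to 203.0.113.5:", decide(rules, "outbound", "TCP", 443, "203.0.113.5"))
```

Two details of the model are worth noticing when you test the rules with ping, as the paragraph above suggests: the whitelist allows only TCP port 80 to the first website, so an ICMP echo request to that same address is dropped by the Forbid rule, and in the misconfigured variant the tie on priority 1 lets Forbid win even for the whitelisted addresses, which is exactly why the Forbid rule needs the larger priority value.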