A security group acts as a virtual firewall to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances to improve security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups and security group rules to define security domains in the cloud.

Security groups and security group rules

Security groups are classified into basic security groups and advanced security groups. Advanced security groups are suitable for enterprise-level scenarios and can contain more instances, elastic network interfaces (ENIs), and private IP addresses and implement more rigorous levels of access control than basic security groups.

  • The following rules apply when you add instances to security groups:
    • Each instance must belong to one or more security groups.
    • The secondary ENIs that are attached to an instance can be assigned to security groups different from those of the instance.
    • An instance cannot belong to a basic security group and an advanced security group at the same time.
  • Security groups can control inbound and outbound traffic even before you manually add rules to the security groups. You can manually add and modify the rules of security groups to implement finer-grained traffic control. After rules are added to a security group or after rules in the security group are modified, the rules are automatically applied to instances in the security group. Security group rules can be used to control access to or from specific IP addresses, CIDR blocks, security groups, or prefix lists. For more information, see Add a security group rule.
  • When you create security groups in the ECS console, default rules are automatically added to the security groups. You can maintain the rules based on your needs.
    Note
    • When you create security groups by calling API operations, no default rules are added to the security groups.
    • Security groups are stateful. The maximum session timeout period for a security group is 910 seconds. After a session is established with an instance in a security group, the security group allows traffic in both directions for the lifetime of that session. For example, if request traffic in a session is allowed to flow in, the corresponding response traffic is also allowed to flow out.

The following table describes the differences between basic and advanced security groups.

Supported network type
  • Basic security group: Virtual Private Cloud (VPC) and classic network
  • Advanced security group: VPC
Support for all instance types
  • Basic security group: Yes
  • Advanced security group: No, only instance types that use VPC are supported.
Number of private IP addresses supported in the classic network
  • Basic security group: 1,000
  • Advanced security group: The classic network is not supported.
Number of private IP addresses supported in VPCs
  • Basic security group: 2,000
  • Advanced security group: 65,536
Support for adding security group rules that allow or deny access
  • Basic security group: Yes
  • Advanced security group: Yes
Support for specifying policy priority
  • Basic security group: Yes
  • Advanced security group: Yes
Use as the authorization object of security group rules in other security groups
  • Basic security group: Supported
  • Advanced security group: Not supported
Network communication policy for instances within the same security group when no security group rules are added
  • Basic security group:
    • Instances and ENIs in the same basic security group can communicate with each other over the internal network. This internal communication has a higher priority than communications controlled by custom rules.
    • Instances and ENIs in a basic security group are isolated over the internal network from instances and ENIs in a different basic security group.
    • By default, all inbound access requests are denied.
    Figure 1 shows how access is controlled by a basic security group that has no rules.
  • Advanced security group:
    • Instances and ENIs in the same advanced security group are isolated from each other over the internal network.
    • Instances and ENIs in an advanced security group are isolated over the internal network from instances and ENIs in a different advanced security group.
    • By default, all access requests are denied.
    Figure 1 shows how access is controlled by an advanced security group that has no rules.
Default rules when a security group is created in the ECS console
  • Basic security group:
    • Inbound: four inbound rules that allow TCP access from all IP addresses to ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) and one inbound rule that allows Internet Control Message Protocol version 4 (ICMPv4) access from all IP addresses to all ports.
    • Outbound: none.
    Figure 2 shows how access is controlled by a basic security group that has default rules.
  • Advanced security group:
    • Inbound: four inbound rules that allow TCP access from all IP addresses to ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) and one inbound rule that allows ICMPv4 access from all IP addresses to all ports.
    • Outbound: one outbound rule that allows access from all IP addresses to all ports of all protocols, to prevent network connectivity issues.
    Figure 3 shows how access is controlled by an advanced security group that has default rules.

For information about the limits marked with , , and , see Security group limits.

Figure 1. Access request control of security groups that have no rules
Figure 2. Access request control of basic security groups that have default rules
Figure 3. Access request control of advanced security groups that have default rules

If an instance is assigned to multiple security groups, the rules of all the security groups are applied to the instance. When an access request destined for the instance is detected, the request is matched against applied security group rules one by one based on the rule attributes such as protocol, port range, and priority. No sessions are established until an Allow rule matches the request. For more information about the attributes and examples of security group rules, see Overview.
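The matching described above (rules of every attached group merged, checked one by one by protocol, port and priority, default deny until an Allow rule matches) together with the stateful session behaviour noted earlier (a reply in an established session passes without its own rule, up to the 910-second timeout) is easier to reason about in code. The following Python model is an added example, not Alibaba Cloud code. Two details are assumed from the wider ECS documentation rather than from this page: priority 1 is the highest and 100 the lowest, and when an accept and a drop rule share a priority the drop rule wins. The group kinds' default behaviour without rules follows the comparison table (inbound denied for both; outbound allowed for a basic group, denied for an advanced group). All class names, the sample rules and the addresses are constructed for the illustration.

```python
"""Toy model of ECS security group rule evaluation and session tracking.
Added example, not Alibaba Cloud code. Assumed from the wider ECS documentation,
not from this page: priority runs from 1 (highest) to 100 (lowest), and when an
accept and a drop rule share a priority, drop wins."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Tuple

SESSION_TIMEOUT = 910   # seconds; the maximum session timeout the page states
ALL_PORTS = (-1, -1)    # sentinel for "any port"

# policy: "accept"/"drop"; priority: 1 = highest (assumed); protocol: "tcp", "udp",
# "icmp" or "all"; port_range: inclusive (low, high) or ALL_PORTS;
# cidr: source CIDR for inbound rules, destination CIDR for outbound rules.
Rule = namedtuple("Rule", "policy priority protocol port_range cidr")
Packet = namedtuple("Packet", "protocol src_ip src_port dst_ip dst_port")


class SecurityGroup:
    def __init__(self, kind: str, inbound=(), outbound=()):
        self.kind = kind            # "basic" or "advanced"
        self.rules = {"inbound": list(inbound), "outbound": list(outbound)}


def rule_matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """A rule matches on protocol, destination port and the remote address."""
    if rule.protocol not in ("all", pkt.protocol):
        return False
    low, high = rule.port_range
    if rule.port_range != ALL_PORTS and not low <= pkt.dst_port <= high:
        return False
    remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    return ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)


def first_match(groups: List[SecurityGroup], pkt: Packet, direction: str):
    """Merge the rules of every group attached to the instance and check them one
    by one, highest priority first; at equal priority drop precedes accept.
    Returns "accept", "drop", or None when no rule matches."""
    rules = [r for g in groups for r in g.rules[direction]]
    rules.sort(key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    for r in rules:
        if rule_matches(r, pkt, direction):
            return r.policy
    return None


class StatefulFilter:
    """Session-aware filter for one instance: a packet allowed by a rule opens a
    session, and replies for it pass without a rule until the session has been
    idle for longer than SESSION_TIMEOUT."""

    def __init__(self, groups: List[SecurityGroup]):
        kinds = {g.kind for g in groups}
        if len(kinds) != 1:
            raise ValueError("an instance cannot mix basic and advanced security groups")
        self.groups, self.kind = groups, kinds.pop()
        self.sessions: Dict[Tuple, float] = {}   # 5-tuple -> last-seen time

    def _default(self, direction: str) -> str:
        # No rule matched: inbound is denied for both kinds; outbound is allowed for
        # a basic group (no default outbound rule is needed) and denied for advanced.
        if direction == "inbound":
            return "drop"
        return "accept" if self.kind == "basic" else "drop"

    def filter(self, pkt: Packet, direction: str, now: float) -> str:
        fwd = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        seen = self.sessions.get(rev)
        if seen is not None and now - seen <= SESSION_TIMEOUT:
            self.sessions[rev] = now      # reply inside an established session
            return "accept"
        verdict = first_match(self.groups, pkt, direction) or self._default(direction)
        if verdict == "accept":
            self.sessions[fwd] = now      # this packet opens a new session
        return verdict


def demo() -> Dict[str, str]:
    """Constructed scenario: an instance in two advanced groups, one holding a
    tightened SSH policy and one holding the console's default inbound rules."""
    admin_ssh = [Rule("accept", 1, "tcp", (22, 22), "203.0.113.0/24"),   # office only
                 Rule("drop", 2, "tcp", (22, 22), "0.0.0.0/0")]           # SSH from elsewhere
    console_defaults = [Rule("accept", 100, "tcp", (22, 22), "0.0.0.0/0"),
                        Rule("accept", 100, "tcp", (3389, 3389), "0.0.0.0/0"),
                        Rule("accept", 100, "icmp", ALL_PORTS, "0.0.0.0/0")]
    fw = StatefulFilter([SecurityGroup("advanced", inbound=admin_ssh),
                         SecurityGroup("advanced", inbound=console_defaults)])
    basic = StatefulFilter([SecurityGroup("basic")])          # no rules at all
    office = Packet("tcp", "203.0.113.5", 51000, "10.0.0.10", 22)
    stranger = Packet("tcp", "198.51.100.7", 51001, "10.0.0.10", 22)
    reply = Packet("tcp", "10.0.0.10", 22, "203.0.113.5", 51000)
    outgoing = Packet("tcp", "10.0.0.10", 44000, "192.0.2.9", 443)
    return {   # values are evaluated in order, so the first call opens the session
        "ssh_from_office": fw.filter(office, "inbound", now=0),
        "ssh_from_elsewhere": fw.filter(stranger, "inbound", now=0),
        "reply_in_session": fw.filter(reply, "outbound", now=100),
        "reply_after_timeout": fw.filter(reply, "outbound", now=100 + SESSION_TIMEOUT + 1),
        "advanced_outbound_no_rules": fw.filter(outgoing, "outbound", now=0),
        "basic_outbound_no_rules": basic.filter(outgoing, "outbound", now=0),
    }
```

Two points the model makes visible: the tightened SSH rules at priorities 1 and 2 shadow the console default at priority 100 even though that default lives in a different group attached to the same instance, and the SSH reply leaves the advanced group without any outbound rule only while its session is live; once the session has idled past the timeout, the same packet falls through to the group's default and is dropped.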

Work with security groups

You can perform the following operations to use security groups to control traffic for instances:
  1. Create security groups.
  2. Add rules to the security groups.
  3. Add instances to the security groups.
  4. Manage existing security groups and security group rules based on your needs.
You can perform the following operations to use security groups to control traffic for secondary ENIs:
  1. Create security groups.
  2. Add rules to the security groups.
  3. Add secondary ENIs to the security groups.
  4. Bind the secondary ENIs to instances.
  5. Manage existing security groups and security group rules based on your needs.

For information about how to perform operations on security groups and use cases of security groups, see Manage security groups and Security groups for different use cases.

Default security groups

Each instance must belong to one or more security groups. When you use the ECS console to create instances within a region in which you have not created security groups, you can use the default security group. The system creates a default security group when it creates the instances that you request. The network type of the security group is the same as that of the instances. The default security group is a basic security group that has default rules, as shown in the following figure.
Description of default rules:
  • The rules have a priority of 100.
    Note: The default security group rules that were created before May 27, 2020 have a priority of 110.
  • The rules allow TCP access from all IP addresses to ports 22 (SSH) and 3389 (RDP).
  • The rules allow ICMPv4 access from all IP addresses to all ports.
  • If you select Port 80 (HTTP) and Port 443 (HTTPS), rules are automatically added to allow TCP access from all IP addresses to ports 80 (HTTP) and 443 (HTTPS).

Managed security groups

Other Alibaba Cloud services such as Cloud Firewall and NAT Gateway also use security group capabilities. The Alibaba Cloud services create and use managed security groups to ensure service availability and prevent accidental operations on resources. Managed security groups are managed by the Alibaba Cloud services that create them. You can view managed security groups but cannot perform operations on them. For more information, see Managed security groups.

Practical suggestions

  • Use a security group that has no rules as a whitelist to deny all inbound access. You can add rules to allow access to or from specific destinations or sources on specific ports.
  • Follow the principle of least privilege when you add security group rules. For example, to allow connections to port 22 on a Linux instance, we recommend that you add a rule to allow access from only specific IP addresses instead of all IP addresses (0.0.0.0/0).
  • Make sure that each security group has simple and clear rules. A single instance can be added to multiple security groups. A single security group can have multiple rules. If a large number of rules are applied to an instance, management is complex and unforeseen risks can be introduced.
  • Add instances that serve different purposes to different security groups and maintain the security group rules applied to each set of instances separately. For example, add instances that need Internet access to one security group. Then, in that security group, add rules to deny all access and allow inbound access only to the ports used to provide external services, such as ports 80 and 443. To ensure that the instances accessible from the Internet do not provide other services (such as MySQL and Redis), we recommend that you deploy internal services on instances that are not accessible from the Internet and add those instances to a different security group.
  • Do not modify security groups that are in use within the production environment. All changes to a security group are automatically applied to the instances within the security group. Before you change the configurations of a security group, you can clone, change, and debug it within the test environment to ensure that the change does not interrupt the communication between the associated instances.
  • Specify identifiable names and tags for security groups for easy search and management.
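The least-privilege and separation suggestions above can be checked mechanically. The following Python audit is an added example, not Alibaba Cloud code: it walks a security group's rules and reports inbound Accept rules that expose the administrative ports (22, 3389) or internal-service ports (3306 for MySQL, 6379 for Redis) to all IP addresses, flags an all-ports rule, warns when the rule set grows large, and builds the tightened replacement rule the page recommends (same port, a specific source CIDR, higher priority). The rule dictionaries are modelled on the Permissions entries returned by the ECS DescribeSecurityGroupAttribute API; the sample rules, the CIDR 203.0.113.0/24 and the MAX_RULES threshold are constructed for the illustration.

```python
"""Least-privilege audit of security group rules (added example, not Alibaba
Cloud code). Rule dicts are modelled on the Permissions entries returned by the
ECS DescribeSecurityGroupAttribute API; the sample rules below are constructed,
and MAX_RULES is an assumed threshold for "too many rules to manage"."""
from typing import Dict, List

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}           # restrict to specific sources
INTERNAL_PORTS = {3306: "MySQL", 6379: "Redis"}  # keep off Internet-facing instances
MAX_RULES = 20                                   # assumed management threshold


def port_bounds(port_range: str):
    """'22/22' -> (22, 22); '-1/-1' means all ports."""
    low, high = (int(p) for p in port_range.split("/"))
    return (0, 65535) if low == -1 else (low, high)


def audit(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per inbound Accept rule that exposes a sensitive port
    to every source address, plus a finding when the rule set is too large."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append({"port": "*", "service": "*",
                         "advice": f"{len(rules)} rules; split instances by purpose into separate groups"})
    for r in rules:
        if r.get("Direction") != "ingress" or r.get("Policy", "").lower() != "accept":
            continue
        if r.get("SourceCidrIp") not in ANY_SOURCE:
            continue                      # already scoped to specific sources
        proto = r.get("IpProtocol", "").upper()
        if proto not in ("TCP", "ALL"):
            continue                      # the services audited here are TCP
        low, high = port_bounds(r.get("PortRange", "-1/-1"))
        if (low, high) == (0, 65535):
            findings.append({"port": "*", "service": "*",
                             "advice": f"priority {r.get('Priority')}: all ports open to {r['SourceCidrIp']}"})
            continue
        for port, name in ADMIN_PORTS.items():
            if low <= port <= high:
                findings.append({"port": str(port), "service": name,
                                 "advice": f"allow {name} only from specific source CIDRs, not {r['SourceCidrIp']}"})
        for port, name in INTERNAL_PORTS.items():
            if low <= port <= high:
                findings.append({"port": str(port), "service": name,
                                 "advice": f"move {name} to an instance without Internet access, in its own group"})
    return findings


def restrict_source(rule: Dict[str, str], cidr: str, priority: str = "1") -> Dict[str, str]:
    """Tightened copy of an Accept rule: same protocol and port, a specific source,
    and a higher priority so it is matched before the broad rule it replaces."""
    tightened = dict(rule)
    tightened["SourceCidrIp"] = cidr
    tightened["Priority"] = priority
    return tightened


# Constructed sample: the console's default inbound rules plus one rule that
# someone added to reach MySQL from anywhere.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "80/80",
     "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443",
     "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP", "PortRange": "-1/-1",
     "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3306/3306",
     "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding["port"], finding["service"], finding["advice"])
    print(restrict_source(SAMPLE_RULES[2], "203.0.113.0/24"))
```

On the sample the audit reports SSH, RDP and MySQL; the HTTP, HTTPS and ICMP defaults pass because the page treats ports 80 and 443 as the public-service ports. Replacing the SSH rule with restrict_source(rule, "203.0.113.0/24") clears its finding, which is the change the page recommends for port 22.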

Properly use security groups and make combined use of security groups and other means as required to improve the security of instances. For more information, see Best practices for security.