Elastic Compute Service:Security groups for different use cases

Last Updated:Mar 22, 2024

This topic describes how to configure security group rules for common scenarios, such as when a website deployed on your instance needs to provide external web services or when you want to connect to your instance from an on-premises server, based on security group characteristics in Elastic Compute Service (ECS).

Usage notes

Take note of the following items about security group rules:

  • Security groups that contain no rules deny all inbound access.

  • By default, basic security groups allow all outbound access.

  • Instances within different security groups that contain no rules are isolated from each other over the internal network.

  • In security groups of the Virtual Private Cloud (VPC) type, each rule controls access to or from the Internet and the internal network.

  • In security groups of the classic network type, public rules (Internet ingress and Internet egress rules) control access to or from the Internet, whereas internal rules (inbound and outbound rules) control access to or from the internal network.

  • All sample rules described in this topic are configured for the default ports used by typical applications. Applications deployed on instances use ports of the instances to provide external services. For more information, see Common ports.

Security group rules for websites to provide web services

If a website deployed on your instance needs to provide external web services, you must add the security group rules described in the following table to allow inbound access to the required ports such as ports 80 (HTTP) and 443 (HTTPS).

Rule direction | Action | Priority | Protocol type | Port range           | Authorization object
Inbound        | Allow  | 1        | Custom TCP    | Destination: 80/80   | Source: 0.0.0.0/0
Inbound        | Allow  | 1        | Custom TCP    | Destination: 443/443 | Source: 0.0.0.0/0

Note

If the website remains inaccessible after the preceding rules are added, check whether TCP port 80 is available. For more information, see What do I do if I cannot access a service deployed on an ECS instance?.

Security group rules for connecting to an instance from an on-premises server

Before you can connect to an instance from an on-premises server, you must add security group rules to allow inbound access to the required ports based on your connection method. For example, to connect to a Linux instance by using Secure Shell (SSH), you must add a rule that allows inbound SSH access to port 22. To connect to a Windows instance by using the Remote Desktop Protocol (RDP), you must add a rule that allows inbound RDP access to port 3389. The following table describes the sample rules.

Rule direction | Action | Priority | Protocol type | Port range             | Authorization object
Inbound        | Allow  | 1        | Custom TCP    | Destination: 22/22     | Source: 0.0.0.0/0
Inbound        | Allow  | 1        | Custom TCP    | Destination: 3389/3389 | Source: 0.0.0.0/0

Warning

0.0.0.0/0 indicates all IP addresses. For security purposes, we recommend that you specify specific IP addresses as authorization objects based on the principle of least privilege.

When you use Alibaba Cloud Workbench to connect to an instance, you must add security group rules to allow access to specified servers. The following table describes the sample rules.

Rule direction | Action | Priority | Protocol type | Port range             | Authorization object
Inbound        | Allow  | 1        | Custom TCP    | Destination: 22/22     | Source: 161.117.90.22/32
Inbound        | Allow  | 1        | Custom TCP    | Destination: 3389/3389 | Source: 161.117.90.22/32

Note

For information about the security group rules used to allow Workbench access to instances in the classic network, see the "Add security group rules to allow Workbench access to a Linux instance" section in Connect to a Linux instance by using a password or key and the "Add security group rules to allow Workbench access to a Windows instance" section in Connect to a Windows instance by using a password or key.
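The warning above asks for specific source addresses on the SSH and RDP rules. The following added audit (not part of the original topic or of any Alibaba Cloud tool) walks a list of rules shaped like the tables in this section and flags inbound Allow rules that expose port 22 or 3389 to an unrestricted or very large CIDR block; the rule tuples and the max_hosts threshold are assumptions made for the example.

```python
import ipaddress

# Management ports from the on-premises connection table above.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def port_range_covers(port_range, port):
    """'22/22' style ranges as shown in the tables; '-1/-1' means every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (lo, hi) == (-1, -1) or lo <= port <= hi

def audit_admin_exposure(rules, max_hosts=256):
    """Return (service, source, reason) findings for inbound Allow rules that
    expose SSH or RDP to an unrestricted CIDR (0.0.0.0/0 or ::/0) or to a
    block larger than max_hosts addresses. Rules whose authorization object
    is a security group ID or an account/security-group pair are not CIDRs
    and are skipped. Each rule is (direction, action, port_range, source)."""
    findings = []
    for direction, action, port_range, source in rules:
        if direction != "Inbound" or action != "Allow" or "sg-" in source:
            continue
        net = ipaddress.ip_network(source, strict=False)
        for port, service in ADMIN_PORTS.items():
            if not port_range_covers(port_range, port):
                continue
            if net.prefixlen == 0:
                findings.append((service, source, "open to every address"))
            elif net.num_addresses > max_hosts:
                findings.append((service, source, f"{net.num_addresses} addresses"))
    return findings

# Constructed sample: the two 0.0.0.0/0 rules from the first table, the
# Workbench /32 rule from the second table, and an unrelated HTTP rule.
SAMPLE_RULES = [
    ("Inbound", "Allow", "22/22", "0.0.0.0/0"),
    ("Inbound", "Allow", "3389/3389", "0.0.0.0/0"),
    ("Inbound", "Allow", "22/22", "161.117.90.22/32"),
    ("Inbound", "Allow", "80/80", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for finding in audit_admin_exposure(SAMPLE_RULES):
        print(finding)
```

Only the two 0.0.0.0/0 rules on ports 22 and 3389 are reported; the /32 Workbench rule and the HTTP rule pass.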

Security group rules for instances within different security groups to communicate with each other

If you want to share data between instances from different security groups within the same VPC, such as when instances within Security Group A need to access shared files on instances within Security Group B over FTP, you can add rules that allow mutual access between the security groups over the internal network. This method is more convenient than adding rules for individual IP addresses or CIDR blocks, because you do not need to configure access control separately for each instance within each security group.

Note

This method is not supported for instances that reside within different VPCs. You can use Cloud Enterprise Network (CEN) to connect instances within a VPC to instances within another VPC. For more information, see Overview.

  • Scenario 1:

    If Security Group A and Security Group B belong to the same Alibaba Cloud account, you must specify the ID of Security Group A as the authorization object when you add a rule to Security Group B to allow inbound access from Security Group A. The following table describes a sample rule.

    Rule direction | Action | Priority | Protocol type | Port range         | Authorization object
    Inbound        | Allow  | 1        | Custom TCP    | Destination: 21/21 | Source: sg-bp1hv6wvmegs036****

    Note

    The security group ID provided in the preceding table is only for reference. Replace the security group ID with the actual security group ID.

  • Scenario 2:

    If Security Group A and Security Group B do not belong to the same Alibaba Cloud account, you must specify the ID of Security Group A and the ID of the associated Alibaba Cloud account as the authorization object when you add a rule to Security Group B to allow inbound access from Security Group A. The following table describes a sample rule.

    Rule direction | Action | Priority | Protocol type | Port range         | Authorization object
    Inbound        | Allow  | 1        | Custom TCP    | Destination: 21/21 | Source: 160998252992****/sg-bp174yoe2ib1sqj5****

    Note

    The Alibaba Cloud account ID and the security group ID provided in the preceding table are only for reference. Replace the IDs with the actual IDs.

Security group rules for access to databases

If you deployed databases on your instance and want other instances to obtain data from the databases over the internal network, you must add rules to allow inbound access to the required ports based on the database type. The default ports of common database systems are:

  • MySQL (3306)

  • Oracle (1521)

  • MS SQL (1433)

  • PostgreSQL (5432)

  • Redis (6379)

The following table describes the sample rules.

Rule direction | Action | Priority | Protocol type | Port range             | Authorization object
Inbound        | Allow  | 1        | Custom TCP    | Destination: 3306/3306 | Source: 172.16.XX.XX
Inbound        | Allow  | 1        | Custom TCP    | Destination: 1521/1521 | Source: 192.168.XX.XX
Inbound        | Allow  | 1        | Custom TCP    | Destination: 1433/1433 | Source: 192.168.XX.XX/16
Inbound        | Allow  | 1        | Custom TCP    | Destination: 5432/5432 | Source: sg-bp1hv6wvmegs036****
Inbound        | Allow  | 1        | Custom TCP    | Destination: 6379/6379 | Source: 160998252992****/sg-bp174yoe2ib1sqj5****

Note

The IP addresses, CIDR block, Alibaba Cloud account ID, and security group IDs provided in the preceding table are only for reference. Replace the information with actual information.

Security group rules for pinging instances

The Internet Control Message Protocol (ICMP) is used to transmit control messages. Before you can perform specific test operations, such as running the ping command on a client to ping your instance, you must add rules to allow inbound ICMP access. The following table describes the sample rules.

Rule direction | Action | Priority | Protocol type   | Port range         | Authorization object
Inbound        | Allow  | 1        | All ICMP (IPv4) | Destination: -1/-1 | Source: 0.0.0.0/0
Inbound        | Allow  | 1        | All ICMP (IPv6) | Destination: -1/-1 | Source: ::/0

Security group rules for restricting access from instances to external websites

By default, basic security groups allow all outbound access. To allow instances within a basic security group to access only specific websites, you can use the security group as a whitelist and add a Forbid rule that denies all outbound access and then Allow rules that allow outbound access to the IP addresses of the websites.

Note

Take note of the following items:

  • When multiple rules match a request (by protocol, port range, and authorization object), the priorities and actions of the matching rules are compared to select the single rule that applies. No session is established until an Allow rule is matched and applied.

  • A smaller priority value indicates a higher priority. If two security group rules have the same priority and differ only in their action, the Forbid rule takes effect. Therefore, the Forbid rule must have a lower priority (a larger priority value) than the Allow rules, so that the Allow rules take effect and permit outbound access to the IP addresses of the specified websites.

The following table describes the sample rules.

Rule direction | Action | Priority | Protocol type | Port range           | Authorization object
Outbound       | Forbid | 2        | All           | Destination: -1/-1   | Destination: 0.0.0.0/0
Outbound       | Allow  | 1        | Custom TCP    | Destination: 80/80   | Destination: 47.96.XX.XX
Outbound       | Allow  | 1        | Custom TCP    | Destination: 443/443 | Destination: 121.199.XX.XX

Note

The IP addresses of the websites provided in the preceding table are only for reference. Replace the IP addresses with the actual IP addresses of your websites.

After the rules are added, you can log on to your instance to perform tests, such as running the ping command. If your instance can access only the specified IP addresses, the security group rules are in effect.
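To make the priority semantics in the note above concrete, here is an added model of how a basic security group picks the rule to apply (example code written for this page, not Alibaba Cloud's implementation): the smallest priority value wins, a Forbid rule beats an Allow rule on a tie, and with no matching rule inbound traffic is denied while outbound traffic is allowed. The website addresses are constructed stand-ins for the masked 47.96.XX.XX and 121.199.XX.XX values in the table.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound"
    action: str         # "allow" or "forbid"
    priority: int       # a smaller value is a higher priority
    protocol: str       # "tcp", "udp", "icmp" or "all"
    port_range: tuple   # (low, high); (-1, -1) means all ports
    cidr: str           # authorization object: source (inbound) or destination (outbound)

def _matches(rule, direction, protocol, port, peer_ip):
    """Direction, protocol, port range and authorization object must all match."""
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    lo, hi = rule.port_range
    if (lo, hi) != (-1, -1) and not lo <= port <= hi:
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)

def evaluate(rules, direction, protocol, port, peer_ip):
    """Return True if the traffic is allowed by a basic security group.

    Among the matching rules the smallest priority value wins; on a tie the
    Forbid rule beats the Allow rule. With no matching rule, inbound traffic
    is denied and outbound traffic is allowed (see the usage notes above).
    """
    matched = [r for r in rules if _matches(r, direction, protocol, port, peer_ip)]
    if not matched:
        return direction == "outbound"
    winner = min(matched, key=lambda r: (r.priority, 0 if r.action == "forbid" else 1))
    return winner.action == "allow"

# Constructed sample mirroring the whitelist table above, with placeholder
# host addresses in place of the page's masked XX.XX octets.
WHITELIST = [
    Rule("outbound", "forbid", 2, "all", (-1, -1), "0.0.0.0/0"),
    Rule("outbound", "allow", 1, "tcp", (80, 80), "47.96.0.1/32"),
    Rule("outbound", "allow", 1, "tcp", (443, 443), "121.199.0.1/32"),
]

if __name__ == "__main__":
    print(evaluate(WHITELIST, "outbound", "tcp", 80, "47.96.0.1"))    # True
    print(evaluate(WHITELIST, "outbound", "tcp", 80, "203.0.113.9"))  # False
```

Changing the Forbid rule's priority from 2 to 1 makes it tie with the Allow rules, and the tie-break then blocks even the whitelisted addresses, which is the misconfiguration the note warns about.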