Security groups act as virtual firewalls to provide Stateful Packet Inspection (SPI) and packet filtering capabilities and define security domains in the cloud. You can add security group rules to control inbound and outbound traffic for elastic container instances within security groups.
Security group overview
Security group definition
A security group is a logically isolated group of instances within the same region that are mutually trusted and share the same security requirements. The rules of a security group control access to or from the Internet or internal network for the elastic container instances within the security group.
Each security group can manage multiple elastic container instances within the same region.
Each elastic container instance must belong to a single security group.
Security group types
Security groups are classified into basic security groups and advanced security groups. By default, the following rules are added when a security group is created:
Inbound rules that allow access on ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) and an inbound rule that allows Internet Control Message Protocol (ICMP) access on all ports. These rules can be modified.
An outbound rule that allows all access on all ports.
The following table describes the differences in features of basic and advanced security groups.
Basic security group
Advanced security group
Access control policy when the security group contains no rules
Maximum number of private IP addresses
Mutual access between instances within the same security group
By default, instances within the same security group can access each other over the internal network.
By default, instances within the same security group are isolated from each other over the internal network. You must manually add security group rules to allow mutual access between the instances.
Control on access to or from other security groups
Rules can be added to control access to or from other security groups.
Rules cannot be added to control access to or from other security groups.
If your business requires a large number of elastic container instances and high O&M efficiency, we recommend that you use advanced security groups. Compared with basic security groups, advanced security groups can accommodate more elastic container instances and make it easier to configure security group rules.
Security group rules
Rules can be added to security groups to control inbound and outbound traffic. A security group rule is defined by attributes such as the rule direction, action, protocol type, port range, and authorization object. Take note of the following items about security group rules:
The total number of inbound and outbound rules in each security group cannot exceed 200.
Follow the principle of least privilege when you add security group rules. Examples:
Specify single ports such as port 80 in the format of 80/80, instead of a port range such as ports 1 through 80 in the format of 1/80.
0.0.0.0/0 indicates all IP addresses. Do not configure it as the authorization object unless necessary.
Specify a security group
When you create an elastic container instance, you must specify a security group for the instance.
The security groups of elastic container instances cannot be changed. To use an elastic container instance within a different security group, create an identical elastic container instance in that security group.
When you use Elastic Container Instance based on Virtual Kubelet in Kubernetes scenarios, all elastic container instances within a cluster are added to the default security group configured by Virtual Kubelet. You can move an elastic container instance to a specified security group based on your needs.
You can run the kubectl edit command to modify the eci-profile configuration file of a cluster and change the default security group ID in the data section for the elastic container instances within the cluster.Note
Virtual Kubelet of v188.8.131.52-15deb126e-aliyun or later allows modifications to eci-profile for hot updates. If your Virtual Kubelet version is earlier than v184.108.40.206-15deb126e-aliyun, we recommend that you upgrade your Virtual Kubelet.
kubectl edit configmap eci-profile -n kube-system
Modify the securityGroupId field in the data section. Sample code:
data: enableClusterIp: "true" enableHybridMode: "false" enablePrivateZone: "false" resourceGroupId: "" securityGroupId: sg-2ze0b9o8pjjzts4h**** #Specify a security group ID. selectors: "" vSwitchIds: vsw-2zeet2ksvw7f14ryz****,vsw-2ze94pjtfuj9vaymf**** vpcId: vpc-2zeghwzptn5zii0w7****
Elastic container instance
You can add annotations to metadata in the pod configuration file to specify a security group for an elastic container instance. Sample code:
apiVersion: apps/v1 kind: Deployment metadata: name: demo labels: app: nginx spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: annotations: k8s.aliyun.com/eci-security-group: "sg-bp1dktddjsg5nktv****" #Specify a security group ID. labels: app: nginx spec: containers: - name: nginx image: nginx:latest
When you call the CreateContainerGroup operation to create an elastic container instance, you can use the SecurityGroupId parameter to specify a security group. The following table describes the parameter. For more information, see CreateContainerGroup.
The ID of the security group.
When you create an elastic container instance on the instance buy page in the Elastic Container Instance console, you can specify a security group for the instance.
Add security group rules
You can add rules to a security group to control inbound and outbound traffic for the elastic container instances within the security group.
If your elastic container instance needs to communicate with a network outside the security group to which the instance belongs, you can add a security group rule to allow the instance access to the network.
When attacks are detected from request sources during the operation of elastic container instances, you can add security group rules to block the malicious requests.
For more information about how to add security group rules, see Add security group rules.