Security groups act as virtual firewalls and provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups to define security domains in the cloud. You can add security group rules to control inbound and outbound traffic for elastic container instances within security groups.
Introduction to security groups
Security group definition
A security group is a logically isolated group of instances that reside in the same virtual private cloud (VPC). All instances in a security group are mutually trusted and protected under the same security group rules. Security group rules control access to or from the Internet or internal network for the elastic container instances in the security group.
Each security group can manage multiple elastic container instances within the same VPC.
Each elastic container instance must belong to a single security group.
Security group types
Security groups are classified into basic security groups and advanced security groups. By default, the following rules are added when a security group is created:
Inbound rules that allow access on ports 80, 443, 22, and 3389, and an inbound rule that allows access over Internet Control Message Protocol (ICMP) on all ports. These rules can be modified.
An outbound rule that allows all access on all ports.
The following table describes the differences in the features of basic and advanced security groups.
Feature | Basic security group | Advanced security group
Access control policy when the security group does not contain rules | |
Maximum number of private IP addresses | |
Mutual access between instances within the same security group | By default, instances within the same security group can access each other over the internal network. | By default, instances within the same security group are isolated from each other over the internal network. You must manually add security group rules to allow mutual access between the instances.
Control on access to or from other security groups | Rules can be added to control access to or from other security groups. | Rules cannot be added to control access to or from other security groups.
If your business requires a large number of elastic container instances and high O&M efficiency, we recommend that you use advanced security groups. Compared with basic security groups, advanced security groups can accommodate more elastic container instances and make it easier to configure security group rules.
Security group rules
Rules can be added to security groups to control inbound and outbound traffic. A security group rule is defined by attributes such as the direction, action, protocol type, port range, and authorization object. Take note of the following items about security group rules:
The total number of inbound and outbound rules within each security group cannot exceed 200.
Follow the principle of least privilege when you add security group rules. Examples:
Specify a single port such as port 80 in the format of 80/80, instead of a port range such as ports 1 to 80 in the format of 1/80.
0.0.0.0/0 indicates all IP addresses. Do not set it as the authorization object unless necessary.
For more information, see Overview.
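The least-privilege checks above (single port rather than a range, no 0.0.0.0/0 authorization object unless necessary, at most 200 rules per group) can be applied mechanically before rules are submitted. The following is an added review script, not code from the Elastic Container Instance product or its SDK; the rule model and field names are this example's own, chosen to mirror the attributes the page lists, and the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MAX_RULES_PER_GROUP = 200  # total inbound + outbound rules, the limit the page states


@dataclass
class SecurityGroupRule:
    # Attributes are the ones the page names; the field names are this example's own.
    direction: str             # "ingress" or "egress"
    action: str                # "accept" or "drop"
    protocol: str              # "tcp", "udp", "icmp", "all"
    port_range: str            # "start/end", e.g. "80/80" for a single port
    authorization_object: str  # CIDR block; "0.0.0.0/0" means every IP address


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """Split "start/end" into integers and reject malformed or out-of-order values."""
    start, end = (int(part) for part in port_range.split("/"))
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range {port_range!r}")
    return start, end


def review_rules(rules: List[SecurityGroupRule]) -> List[str]:
    """Return one finding per least-privilege deviation; an empty list means clean."""
    findings = []
    if len(rules) > MAX_RULES_PER_GROUP:
        findings.append(f"{len(rules)} rules exceed the limit of {MAX_RULES_PER_GROUP}")
    for idx, rule in enumerate(rules):
        if rule.action != "accept":
            continue  # drop rules narrow access; only accept rules widen it
        if rule.protocol in ("tcp", "udp"):
            start, end = parse_port_range(rule.port_range)
            if start != end:
                findings.append(f"rule {idx}: port range {rule.port_range} instead of a single port")
        network = ipaddress.ip_network(rule.authorization_object, strict=False)
        if network.prefixlen == 0:  # 0.0.0.0/0 (or ::/0): open to all IP addresses
            findings.append(f"rule {idx}: {rule.direction} open to all IP addresses")
    return findings


# Constructed sample: the page's default inbound rules plus two custom rules.
SAMPLE_RULES = [
    SecurityGroupRule("ingress", "accept", "tcp", "80/80", "0.0.0.0/0"),
    SecurityGroupRule("ingress", "accept", "tcp", "22/22", "0.0.0.0/0"),
    SecurityGroupRule("ingress", "accept", "tcp", "1/80", "10.0.0.0/8"),
    SecurityGroupRule("ingress", "drop", "tcp", "3389/3389", "0.0.0.0/0"),
    SecurityGroupRule("egress", "accept", "all", "1/65535", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding)
```

Run against SAMPLE_RULES, the script reports the three default-style rules that are open to all IP addresses and the one rule that uses a port range; the drop rule is not reported because it only narrows access.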
Specify a security group
When you create an elastic container instance, you must specify a security group for the instance.
You cannot change the security group for an elastic container instance. To use an elastic container instance within a different security group, create a new elastic container instance in that security group.
Use the API
When you call the CreateContainerGroup operation to create an elastic container instance, you can use the SecurityGroupId parameter to specify a security group. The following table describes the SecurityGroupId parameter. For more information, see CreateContainerGroup.
SecurityGroupId: The ID of the security group.
Use the console
When you create an elastic container instance on the buy page in the Elastic Container Instance console, you can specify a security group for the instance.
Add a security group rule
You can add rules to a security group to control inbound and outbound traffic of the elastic container instances in the security group. Examples:
If your elastic container instance needs to communicate with a network outside the security group to which the instance belongs, you must add a security group rule to allow the instance to access the network.
When attacks from specific request sources are detected, you can add security group rules to block access from those sources.
For more information, see Add a security group rule.