
Microservices Engine: Configure security group rules for a cloud-native gateway

Last Updated:Mar 11, 2026

If the cloud-native gateway and the node where the backend service is deployed are in different security groups, you must add a security group authorization rule that grants the gateway access to the ports used by the backend services.

How it works

A security group is a virtual firewall that controls inbound and outbound traffic for Elastic Compute Service (ECS) instances and elastic network interfaces (ENIs). Security groups provide stateful inspection and packet filtering, allowing you to define security domains in the cloud.

When you create a cloud-native gateway, you select a VPC and a security group type. Based on your selection, the gateway creates a managed security group for its own nodes. A security group denies inbound traffic that no rule allows, so when the gateway nodes and the backend service nodes are in separate security groups, traffic from the gateway is blocked until you explicitly authorize the gateway's security group on the required ports in the backend service's security group.

Note

Select the same security group type (basic or advanced) for the gateway as the one used by the backend service.

Architecture diagram showing the cloud-native gateway and backend service in different security groups

The authorization rule creates an inbound rule in the backend service's security group. This rule allows traffic from the gateway's security group on the specified port range.

Rule property    Value
Direction        Inbound
Source           The gateway's managed security group
Port range       The ports you specify (for example, 8080/8080 or 1/65535)
Action           Allow
Purpose          Allow traffic from the cloud-native gateway to backend services

Prerequisites

Before you begin, make sure that you have:

  • A cloud-native gateway in MSE

  • The security group ID of the node where the backend service runs (see Step 1)

Step 1: Find the security group ID of the backend service

Upstream services associated with a cloud-native gateway are typically deployed in containers or on ECS instances. Identify the security group of the node where the backend service runs. The procedure depends on the deployment type.

ACK managed cluster

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Nodes > Node Pools.

  3. Click the target node pool and select the Basic Information tab. Note the security group ID.

Security group ID on the node pool Basic Information tab

ACK Serverless cluster

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the target cluster. On the Basic Information tab, note the security group ID.

Security group ID on the ACK Serverless cluster Basic Information tab

ECS instance

  1. Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances.

  2. Click the target ECS instance, then click the Security Groups tab. Note the security group ID.

Security group ID on the ECS instance Security Groups tab

Step 2: Add a security group authorization rule

  1. Log on to the MSE console. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  2. On the Gateways page, click the name of the target gateway. In the left-side navigation pane, click Overview, then select the Security Group Authorization tab.

  3. Click Add Security Group Rule. In the Security Group ID field, paste the security group ID from Step 1 and select the security group.

    Add security group rule dialog

  4. In the Port Range field, enter the port range in the Start Port/End Port format (for example, 8080/8080 for a single port). To add multiple port ranges, press Enter after each entry. Authorize only the ports the backend service listens on.

    Port range input field

  5. Click Save.

The gateway generates a corresponding inbound rule. This rule also appears in the security group of the backend service node.

Security group rule after saving

Delete a security group authorization rule

  1. Log on to the MSE console. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  2. On the Gateways page, click the gateway ID.

  3. In the left-side navigation pane, click Overview. On the Security Group Authorization tab, find the target rule, click Delete in the Actions column, then click OK.

Important

By default, only the security group rule record for the cloud-native gateway is deleted; the inbound rule that was written to the backend service's security group stays in place and keeps allowing traffic from the gateway's security group. To also remove that inbound rule, select Cascade Delete The Preceding Inbound Rules In This Security Group. Do this when you decommission a gateway or no longer want it to reach the backend nodes.

FAQ

Why can't I access the service after adding a security group rule?

Two common causes:

  1. Wrong node: The service runs on Node A, but you authorized Node B's security group. Verify that the service is deployed on the node whose security group you authorized.

  2. Multiple security groups on one node: If the target node belongs to more than one security group, add an authorization rule for each security group.

Why did access stop working after it was previously successful?

  1. Service health: Confirm the backend service is still running. Run curl from another node in the same security group as the backend service to test connectivity. If the service answers from there but not from the gateway, the security group authorization rule is the likely cause; if it does not answer from there either, the service itself is down or listening on a different port.

  2. Port change: If the service port changed (for example, from 8080 to 8081), update the port range in the security group authorization rule. A broad port range such as 1/65535 avoids this issue, but it also lets the gateway's security group reach every port on the backend nodes, not only the service port. Prefer to authorize the specific ports and update the rule when a port changes; use a broad range only when you accept that exposure.
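The following is an added example, not code from the MSE product or this page. It models the inbound rule from the table above and the Start Port/End Port format from Step 2, checks whether a gateway's managed security group is authorized on a service port, and reports the FAQ cases in one pass: no rule for the gateway security group (wrong node or rule never added), a rule whose port range no longer covers the service port, and a node in several security groups where only some have a rule. The rule records are constructed inline; their field names (Direction, IpProtocol, PortRange, SourceGroupId, Policy) follow the ECS security group permission attributes, and the security group IDs are hypothetical. The `probe_tcp` helper is the connectivity test from the FAQ in code: a refused connection means the node answered but nothing listens on that port, while a timeout is the typical signature of a missing security group rule.

```python
"""Check and diagnose cloud-native gateway -> backend security group authorization.

Added example. Rule records below are constructed for illustration; in practice
you would fill them from the ECS DescribeSecurityGroupAttribute response.
"""
import socket
from dataclasses import dataclass


def parse_port_range(text):
    """Parse a 'Start/End' port range (e.g. '8080/8080', '1/65535')."""
    start_s, sep, end_s = text.partition("/")
    if sep == "":
        raise ValueError(f"expected Start/End, got {text!r}")
    start, end = int(start_s), int(end_s)
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid port range {text!r}")
    return start, end


@dataclass(frozen=True)
class Rule:
    security_group_id: str   # the backend service's security group the rule lives in
    direction: str           # "ingress" for the rule this page creates
    ip_protocol: str         # "tcp", "udp", ... or "all"
    port_range: str          # "Start/End"; "-1/-1" means all ports (protocol "all")
    source_group_id: str     # the gateway's managed security group
    policy: str = "accept"   # "accept" or "drop"


def rule_allows(rule, source_sg, port, proto="tcp"):
    """True if this single rule lets `source_sg` reach `port`/`proto`."""
    if rule.direction != "ingress" or rule.policy != "accept":
        return False
    if rule.ip_protocol not in (proto, "all") or rule.source_group_id != source_sg:
        return False
    if rule.port_range == "-1/-1":
        return True
    lo, hi = parse_port_range(rule.port_range)
    return lo <= port <= hi


def diagnose(node_sg_ids, rules, gateway_sg, port):
    """Per security group of the backend node: 'authorized' or the reason it is not.

    A node that belongs to several security groups needs a rule in each of them.
    """
    findings = {}
    for sg in node_sg_ids:
        sg_rules = [r for r in rules
                    if r.security_group_id == sg and r.direction == "ingress"
                    and r.source_group_id == gateway_sg]
        if not sg_rules:
            findings[sg] = "no inbound rule from the gateway security group"
        elif any(rule_allows(r, gateway_sg, port) for r in sg_rules):
            findings[sg] = "authorized"
        else:
            ranges = ", ".join(r.port_range for r in sg_rules)
            findings[sg] = f"rule exists but port {port} is outside {ranges}"
    return findings


def is_authorized(node_sg_ids, rules, gateway_sg, port):
    """True only if every security group the node belongs to authorizes the gateway."""
    return all(v == "authorized" for v in diagnose(node_sg_ids, rules, gateway_sg, port).values())


def probe_tcp(host, port, timeout=3.0):
    """'open': service answers; 'refused': node reachable, nothing listening
    (service down or moved port); 'filtered': no reply, typical of a missing rule."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


# Constructed sample: hypothetical IDs, a node in two security groups, and a
# rule that was only added in the first of them (FAQ: multiple security groups).
GATEWAY_SG = "sg-gateway-example"
NODE_SGS = ["sg-node-a-example", "sg-node-b-example"]
RULES = [
    Rule("sg-node-a-example", "ingress", "tcp", "8080/8080", GATEWAY_SG),
    Rule("sg-node-a-example", "ingress", "tcp", "9000/9100", GATEWAY_SG),
]

if __name__ == "__main__":
    for sg, finding in diagnose(NODE_SGS, RULES, GATEWAY_SG, 8080).items():
        print(f"{sg}: {finding}")
    # Port change from 8080 to 8081 without updating the rule:
    print(diagnose(["sg-node-a-example"], RULES, GATEWAY_SG, 8081))
    # Replace host/port with the backend node and service port to test live:
    print(probe_tcp("127.0.0.1", 8080, timeout=2.0))
```

Run `diagnose` with every security group ID collected in Step 1 for the node; a single "no inbound rule" entry is enough to block the gateway even when the other groups are authorized. Run `probe_tcp` from a host inside the gateway's security group and again from a node inside the backend's security group: "refused" on both sides points at the service, "filtered" only from the gateway side points at the rule.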