After you create an endpoint for a virtual private cloud (VPC), you can add the endpoint to a security group. This way, you can manage the traffic between the VPC and the endpoint elastic network interface (ENI). If you no longer need a security group, you can remove the endpoint from the security group.

Operations

Prerequisites

  • An endpoint is created. For more information, see Create and manage endpoints.
  • At least two security groups are created in the VPC of the endpoint, and the security group rules meet the following requirements:
    • If you create an endpoint whose Endpoint Type parameter is set to Interface Endpoint, you can configure security group rules based on your business and security requirements. We recommend that you configure the following security group rules:
      • A default rule that supports Internet Control Message Protocol (ICMP) for operations such as pinging the ECS instance.
      • A default inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access the ECS instance.
      • Optional. An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. This rule allows the VPC of the endpoint to access the VPC of the endpoint service over HTTP or HTTPS.
    • If you create an endpoint whose Endpoint Type parameter is set to Reverse Endpoint, you must configure an inbound rule that allows all traffic. This means that you must allow all CIDR blocks to access all ports over all protocols.
    For more information, see Create a security group.
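As an added example (not code from the original page or the product), the following Python function audits a planned set of security group rules against the requirements listed above for each endpoint type. The rule layout it assumes (protocol name, a "lo/hi" port range with "-1/-1" meaning all ports, a source CIDR) mimics the console's rule table and is an assumption here.

```python
# Added example (not from the page): audit planned security group rules against
# the requirements stated above. The rule layout (protocol, "lo/hi" port range,
# "-1/-1" = all ports, source CIDR) mimics the console and is an assumption here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str          # "ingress" or "egress"
    protocol: str           # "tcp", "udp", "icmp" or "all"
    port_range: str         # "22/22", "1/65535", or "-1/-1" for all ports
    source_cidr: str        # e.g. "10.0.0.0/8" or "0.0.0.0/0"
    policy: str = "accept"  # "accept" or "drop"

def _port_in_range(port_range: str, port: int) -> bool:
    lo, hi = (int(p) for p in port_range.split("/"))
    return lo == -1 or lo <= port <= hi

def _allowed(rules, protocol: str, port: int = 0) -> bool:
    """True if any accepting inbound rule admits this protocol (and port)."""
    return any(
        r.direction == "ingress" and r.policy == "accept"
        and r.protocol in (protocol, "all")
        and (protocol == "icmp" or _port_in_range(r.port_range, port))
        for r in rules
    )

def check_endpoint_rules(endpoint_type: str, rules) -> list[str]:
    """Return the requirements from this page that the rule set does not meet."""
    findings = []
    if endpoint_type == "Interface Endpoint":
        # Recommended: ICMP plus inbound SSH 22 and RDP 3389; 80/443 are optional.
        if not _allowed(rules, "icmp"):
            findings.append("missing ICMP rule (ping)")
        for name, port in (("SSH", 22), ("RDP", 3389)):
            if not _allowed(rules, "tcp", port):
                findings.append(f"missing inbound TCP {port} ({name})")
    elif endpoint_type == "Reverse Endpoint":
        # Required: one inbound rule allowing all CIDRs, all ports, all protocols.
        if not any(r.direction == "ingress" and r.policy == "accept"
                   and r.protocol == "all" and r.port_range == "-1/-1"
                   and r.source_cidr == "0.0.0.0/0" for r in rules):
            findings.append("reverse endpoint needs an inbound allow-all rule")
    return findings

# Constructed sample: an interface endpoint group that forgot the RDP rule.
SAMPLE_RULES = [
    Rule("ingress", "icmp", "-1/-1", "0.0.0.0/0"),
    Rule("ingress", "tcp", "22/22", "10.0.0.0/8"),
    Rule("ingress", "tcp", "80/443", "10.0.0.0/8"),
]
```

Running `check_endpoint_rules("Interface Endpoint", SAMPLE_RULES)` reports only the missing RDP rule, while the same rules fail the reverse endpoint requirement because no inbound allow-all rule is present.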

Add an endpoint to a security group

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is deployed.
  3. On the Endpoints page, click the Interface Endpoint or Reverse Endpoint tab, find the endpoint that you want to manage, and click its ID.
  4. On the details page of the endpoint, click the Security Group tab, and then click Join Security Group.
  5. In the Join Security Group dialog box, select a security group and click OK.

Remove an endpoint from a security group

Before you remove an endpoint from a security group, make sure that the endpoint is added to at least one security group.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is deployed.
  3. On the Endpoints page, click the Interface Endpoint or Reverse Endpoint tab, find the endpoint that you want to manage, and click its ID.
  4. On the details page of the endpoint, click the Security Group tab, find the security group that you want to manage, and then click Delete in the Actions column.
  5. In the Remove Security Group message, click OK.