A security group acts as a virtual firewall to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances to improve security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups and security group rules to define security domains in the cloud.

Security groups and security group rules

Security groups are classified into basic security groups and advanced security groups. Advanced security groups are suitable for enterprise-level scenarios and can contain more instances, elastic network interfaces (ENIs), and private IP addresses and implement more rigorous levels of access control than basic security groups.

  • The following rules apply when you add instances to security groups:
    • Each instance must belong to one or more security groups.
    • The secondary ENIs that are bound to an instance can be assigned to security groups different from those of the instance.
    • An instance cannot belong to a basic security group and an advanced security group at the same time.
  • Security groups can control inbound and outbound traffic even before you add rules to the security groups. You can add rules to a security group or modify the rules of a security group to control inbound and outbound traffic in a more fine-grained manner. New and modified rules are automatically applied to all instances within the security group. Security group rules can be used to control access to or from specific IP addresses, CIDR blocks, security groups, or prefix lists. For more information, see Add a security group rule.
  • When you create security groups in the ECS console, default rules are automatically added to the security groups. You can maintain the rules based on your needs.
    Note
    • When you create security groups by calling API operations, no default rules are automatically added to the security groups.
    • Security groups are stateful. A session for a security group can persist for up to 910 seconds. If two instances that belong to the same security group can access each other and establish a session, traffic is allowed in both directions for the duration of the session. For example, if request traffic during a session is allowed to flow in, the corresponding response traffic is also allowed to flow out.

The following table describes the differences between basic and advanced security groups.

Supported network type
  • Basic security group: Virtual Private Cloud (VPC) and classic network
  • Advanced security group: VPC
Support for all instance types
  • Basic security group: Yes
  • Advanced security group: No, only instance types of the VPC type are supported.
Private IP addresses that can be contained in a security group in the classic network
  • Basic security group: 1,000
  • Advanced security group: The classic network is not supported.
Private IP addresses that can be contained in a security group in a VPC
  • Basic security group: 2,000. You can apply to raise the limit to 6,000.
  • Advanced security group: 65,536
Support for adding security group rules that allow or deny access
  • Basic security group: Yes
  • Advanced security group: Yes
Support for specifying policy priority
  • Basic security group: Yes
  • Advanced security group: Yes
Support for being specified as authorization objects in security group rules of other security groups
  • Basic security group: Yes
  • Advanced security group: No
Control policy for mutual access between resources within the same security group when no security group rules are added
  • Basic security group:
    • Instances and ENIs in the same basic security group can communicate with each other over the internal network. This internal access control policy takes precedence over user-created security group rules.
    • Instances and ENIs in a basic security group are isolated from instances and ENIs in other basic security groups over the internal network.
    • By default, all inbound access requests are denied.
    Figure 1 shows how a basic security group to which no rules are added controls access.
  • Advanced security group:
    • Instances and ENIs in the same advanced security group are isolated from each other over the internal network.
    • Instances and ENIs in an advanced security group are isolated from instances and ENIs in other advanced security groups over the internal network.
    • By default, all access requests are denied.
    Figure 1 shows how an advanced security group to which no rules are added controls access.
Default rules that are automatically added when you create security groups in the ECS console
  • Basic security group:
    • Inbound: four inbound rules that allow TCP access from all IP addresses to ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) and one inbound rule that allows Internet Control Message Protocol version 4 (ICMPv4) access from all IP addresses to all ports.
    • Outbound: none.
    Figure 2 shows how a basic security group that has default rules controls access.
  • Advanced security group:
    • Inbound: four inbound rules that allow TCP access from all IP addresses to ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) and one inbound rule that allows ICMPv4 access from all IP addresses to all ports.
    • Outbound: one outbound rule that allows access on all protocols and ports to all IP addresses to prevent network connectivity issues.
    Figure 3 shows how an advanced security group that has default rules controls access.

For information about the limits in the preceding table, see the "Security group limits" section in Limits.

Figure 1. Access control of security groups that have no rules
Figure 2. Access control of basic security groups that have default rules
Figure 3. Access control of advanced security groups that have default rules

If an instance belongs to multiple security groups, the rules of all the security groups are applied to the instance. When an access request destined for the instance is detected, the request is matched against applied security group rules one by one based on the rule attributes such as protocol, port range, and priority. No sessions are established until an Allow rule matches the request. For more information about the attributes and examples of security group rules, see Overview.

Work with security groups

You can perform the following operations to use security groups to control traffic for instances:
  1. Create security groups.
  2. Add rules to the security groups.
  3. Add instances to the security groups.
  4. Manage existing security groups and security group rules based on your needs.
You can perform the following operations to use security groups to control traffic for secondary ENIs:
  1. Create security groups.
  2. Add rules to the security groups.
  3. Add secondary ENIs to the security groups.
  4. Bind the secondary ENIs to instances.
  5. Manage existing security groups and security group rules based on your needs.

For information about how to perform operations on security groups and use cases of security groups, see Manage security groups, Security groups for different use cases, and Configuration guide for ECS security groups.
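The two procedures above (create a group, add rules, add instances) and the earlier description of how a request is matched against the rules of all groups an instance belongs to can be tried out offline with the following model. This is an added example, not Alibaba Cloud code: the class names, the instance IP addresses, and the tie-break at equal priority (drop checked before accept) are this example's own assumptions; the console default rules, the priority-100 default, and the basic-versus-advanced intra-group behaviour are taken from the page.

```python
"""Model of how security-group rules decide an inbound request.

Added example, not Alibaba Cloud code: it models the behaviour the page
describes (groups, rules, membership, priority-ordered matching, and the
basic vs. advanced intra-group defaults) so the steps can be tried offline.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str           # "inbound" or "outbound"
    protocol: str            # "tcp", "udp", "icmp" or "all"
    port_range: tuple        # (low, high); only checked for tcp/udp
    cidr: str                # source for inbound, destination for outbound
    policy: str = "accept"   # "accept" or "drop"
    priority: int = 100      # 1 is the highest priority; console defaults use 100

    def matches(self, protocol, port, peer_ip):
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol in ("tcp", "udp"):
            low, high = self.port_range
            if not low <= port <= high:
                return False
        return ip_address(peer_ip) in ip_network(self.cidr, strict=False)


@dataclass
class SecurityGroup:
    name: str
    kind: str = "basic"                         # "basic" or "advanced"
    rules: list = field(default_factory=list)
    members: set = field(default_factory=set)   # private IPs of instances/ENIs

    def add_rule(self, rule):            # step 2: add rules
        self.rules.append(rule)

    def add_instance(self, private_ip):  # step 3: add instances
        self.members.add(private_ip)


def console_default_rules(kind):
    """Rules the page says the ECS console adds to a newly created group."""
    rules = [Rule("inbound", "tcp", (p, p), "0.0.0.0/0") for p in (80, 443, 22, 3389)]
    rules.append(Rule("inbound", "icmp", (0, 0), "0.0.0.0/0"))
    if kind == "advanced":   # advanced groups also get an allow-all outbound rule
        rules.append(Rule("outbound", "all", (0, 0), "0.0.0.0/0"))
    return rules


def evaluate_inbound(groups, dst_ip, src_ip, protocol, port):
    """Return "accept" or "drop" for a request to dst_ip from src_ip.

    groups: every security group the destination instance belongs to.
    """
    # Basic group: members reach each other over the internal network, and that
    # takes precedence over user rules. Advanced group: members are isolated
    # from each other unless a rule allows the traffic.
    for g in groups:
        if g.kind == "basic" and src_ip in g.members and dst_ip in g.members:
            return "accept"
    # Rules of all groups apply; they are tried in priority order and nothing is
    # allowed until an accept rule matches. The tie-break at equal priority
    # (drop before accept) is this model's assumption, not taken from the page.
    candidates = [r for g in groups for r in g.rules if r.direction == "inbound"]
    candidates.sort(key=lambda r: (r.priority, r.policy != "drop"))
    for r in candidates:
        if r.matches(protocol, port, src_ip):
            return r.policy
    return "drop"


def build_example():
    """Constructed data: a basic web group and an advanced app group."""
    web = SecurityGroup("sg-web-example", "basic")           # step 1: create group
    for r in console_default_rules("basic"):
        web.add_rule(r)
    # Least privilege for SSH: allow one admin range and drop everyone else, both
    # at a higher priority than the console's port-22 default rule (priority 100).
    web.add_rule(Rule("inbound", "tcp", (22, 22), "203.0.113.0/24", "accept", 1))
    web.add_rule(Rule("inbound", "tcp", (22, 22), "0.0.0.0/0", "drop", 2))
    for ip in ("10.0.0.2", "10.0.0.3"):
        web.add_instance(ip)

    app = SecurityGroup("sg-app-example", "advanced")
    for r in console_default_rules("advanced"):
        app.add_rule(r)
    for ip in ("10.0.1.2", "10.0.1.3"):
        app.add_instance(ip)
    return web, app


if __name__ == "__main__":
    web, app = build_example()
    print("ssh from admin range:", evaluate_inbound([web], "10.0.0.2", "203.0.113.5", "tcp", 22))
    print("ssh from elsewhere:  ", evaluate_inbound([web], "10.0.0.2", "198.51.100.7", "tcp", 22))
    print("mysql inside basic:  ", evaluate_inbound([web], "10.0.0.3", "10.0.0.2", "tcp", 3306))
    print("mysql inside advanced:", evaluate_inbound([app], "10.0.1.3", "10.0.1.2", "tcp", 3306))
```

Running the script shows the two points the page makes: in the basic group, the instance-to-instance request on port 3306 is accepted although no rule mentions that port, because membership in the same basic group takes precedence; in the advanced group the same request is dropped until a rule allows it.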

Default security groups

Each instance must be added to one or more security groups. When you use the ECS console to create instances within a region in which you have not created security groups, you can use the default security group. The system creates a default security group when it creates the instances that you request. The network type of the security group is the same as that of the instances. The default security group is a basic security group that has default rules, as shown in the following figure.
Default security groups
Take note of the following items about the default rules:
  • The rules have a priority of 100.
    Note The default security group rules created before May 27, 2020 have a priority of 110.
  • The rules allow TCP access from all IP addresses to ports 22 (SSH) and 3389 (RDP).
  • The rules allow ICMPv4 access from all IP addresses to all ports.
  • If you select Port 80 (HTTP) and Port 443 (HTTPS), rules are automatically added to allow TCP access from all IP addresses to ports 80 (HTTP) and 443 (HTTPS).

Managed security groups

Other Alibaba Cloud services such as Cloud Firewall and NAT Gateway also use security group capabilities. The Alibaba Cloud services create and use managed security groups to ensure service availability and prevent accidental operations on resources. Managed security groups are managed by the Alibaba Cloud services that create them. You can view managed security groups but cannot perform operations on them. For more information, see Managed security groups.

Practical suggestions

  • Use a security group that has no rules as a whitelist: it denies all inbound access by default, and you then add rules that allow access to or from specific destinations or sources on specific ports only.
  • Follow the principle of least privilege when you add security group rules. For example, assume that you want to allow connections to port 22 on a Linux instance. We recommend that you add a rule to allow access only from specific IP addresses instead of all IP addresses (0.0.0.0/0).
  • Make sure that each security group has simple and clear rules. A single instance can be added to multiple security groups. A single security group can have multiple rules. If a large number of rules are applied to an instance, management is complex and unforeseen risks can be introduced.
  • Add instances that serve different purposes to different security groups and maintain the rules for each group separate from other groups. For example, you can add instances that need to be accessible from the Internet to a security group. Then, in the security group, add rules to deny all access and allow inbound access only to ports that are used to provide external services, such as ports 80 and 443. Meanwhile, to ensure that the instances that are accessible from the Internet do not provide other services (such as MySQL and Redis), we recommend that you deploy internal services on the instances that are inaccessible from the Internet and then add these instances to another security group.
  • Do not modify security groups that are in use within the production environment. All changes to a security group are automatically applied to the instances within the security group. Before you change the configurations of a security group, you can clone, change, and debug it within the test environment to ensure that the change does not interrupt the communication between the associated instances.
  • Specify identifiable names and tags for security groups for easy search and management.
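The least-privilege and separation-of-purpose suggestions above can be checked mechanically against a group's rule list. The following audit is an added example, not Alibaba Cloud code or output: the rule dictionaries, their field names, the group names, and the severity thresholds are this example's own constructed assumptions; the ports it treats as public (80, 443) and as administrative (22, 3389) are the ones the page discusses.

```python
"""Least-privilege audit of security-group rules.

Added example, not Alibaba Cloud code. Rules are plain dicts constructed
inline; the field names and thresholds are this example's own choices and
are not an Alibaba Cloud API format.
"""
from ipaddress import ip_network

PUBLIC_SERVICE_PORTS = {80, 443}          # ports an Internet-facing group may expose
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}    # ports that should not be open to 0.0.0.0/0
MAX_RULES_PER_GROUP = 20                  # complexity threshold (assumption)


def is_world(source):
    """True for 0.0.0.0/0 or ::/0; False for narrower ranges or a security-group ID."""
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:        # e.g. "sg-..." when the rule references another group
        return False


def port_bounds(text):
    """'22/22' -> (22, 22); '-1/-1' means all ports in this example's input format."""
    low, high = (int(x) for x in text.split("/"))
    return (1, 65535) if low == -1 else (low, high)


def audit_group(name, rules):
    """Return (group, severity, message) findings for one security group."""
    findings = []
    for r in rules:
        if r["direction"] != "inbound" or r["policy"] != "accept" or not is_world(r["source"]):
            continue
        if r["protocol"] == "all":
            findings.append((name, "HIGH", f"all protocols and ports open to {r['source']}"))
            continue
        if r["protocol"] not in ("tcp", "udp"):
            continue          # ICMP carries no ports; out of scope for this check
        low, high = port_bounds(r["port_range"])
        covered = set(range(low, high + 1))
        for port, svc in ADMIN_PORTS.items():
            if port in covered:
                findings.append((name, "HIGH",
                                 f"{svc} port {port} open to {r['source']}; restrict to known admin ranges"))
        extra = covered - PUBLIC_SERVICE_PORTS - set(ADMIN_PORTS)
        if extra:
            findings.append((name, "MEDIUM",
                             f"{len(extra)} non-web port(s) {min(extra)}-{max(extra)} open to "
                             f"{r['source']}; move the service to an internal group"))
    if len(rules) > MAX_RULES_PER_GROUP:
        findings.append((name, "LOW", f"{len(rules)} rules in one group; split it by purpose"))
    return findings


def audit(groups):
    """Audit every group in a {name: [rules]} mapping."""
    return [f for name, rules in groups.items() for f in audit_group(name, rules)]


def rule(direction, protocol, port_range, source, policy="accept", priority=100):
    return {"direction": direction, "protocol": protocol, "port_range": port_range,
            "source": source, "policy": policy, "priority": priority}


# Constructed sample: a web group with the console default rules, an internal
# group that exposes Redis to the world by mistake, and a legacy allow-all group.
SAMPLE_GROUPS = {
    "sg-web-example": [
        rule("inbound", "tcp", "80/80", "0.0.0.0/0"),
        rule("inbound", "tcp", "443/443", "0.0.0.0/0"),
        rule("inbound", "tcp", "22/22", "0.0.0.0/0"),
        rule("inbound", "tcp", "3389/3389", "0.0.0.0/0"),
        rule("inbound", "icmp", "-1/-1", "0.0.0.0/0"),
        rule("inbound", "tcp", "22/22", "203.0.113.0/24", priority=1),
    ],
    "sg-internal-example": [
        rule("inbound", "tcp", "3306/3306", "sg-web-example"),   # source is another group
        rule("inbound", "tcp", "6379/6379", "0.0.0.0/0"),
    ],
    "sg-legacy-example": [
        rule("inbound", "all", "-1/-1", "0.0.0.0/0"),
    ],
}

if __name__ == "__main__":
    for group, severity, message in audit(SAMPLE_GROUPS):
        print(f"[{severity}] {group}: {message}")
```

On the sample data the audit reports the console's SSH and RDP defaults in the web group as high-severity findings (the narrower 203.0.113.0/24 rule is fine), flags Redis on 6379 in the internal group as a non-web service that should not face the Internet, and flags the allow-all rule in the legacy group; the rule whose source is another security group is skipped because it is not a world-reachable CIDR.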

Use security groups responsibly and combine security groups with other methods as needed to improve the security of instances. For more information, see Best practices for security.