When you create an Elastic Compute Service (ECS) instance in a virtual private cloud (VPC), you can add the ECS instance to the default security group or an existing security group in the VPC. A security group acts as a virtual firewall to control the inbound and outbound traffic of ECS instances.

This topic describes how to configure security groups for ECS instances in VPCs in different scenarios.

Scenario 1: Allow ECS instances to communicate with each other

If you want ECS instances in VPCs to communicate with each other, take note of the following information:

  • By default, ECS instances in the same security group of a VPC can communicate with each other.
  • ECS instances in different VPCs cannot communicate with each other. To connect ECS instances in different VPCs, you must use Express Connect, VPN Gateway, or Cloud Enterprise Network (CEN) to connect the VPCs. Then, configure security group rules based on the following information to allow the ECS instances to communicate with each other.
    Security group rule Direction Action Protocol type and port range Authorization type Authorized object
    Security group configuration for the ECS instance in VPC 1 Inbound Allow

    Windows: RDP

    3389/3389

    CIDR block
    The private IP address of the ECS instance in VPC 2.
    Note Enter 0.0.0.0/0 if you want to allow all ECS instances in VPC 2 to communicate with the ECS instance in VPC 1.
    Inbound Allow

    Linux: SSH

    22/22

    CIDR block
    Inbound Allow

    Custom TCP

    Custom

    CIDR block
    Security group configuration for the ECS instance in VPC 2 Inbound Allow

    Windows: RDP

    3389/3389

    CIDR block
    The private IP address of the ECS instance in the VPC 1.
    Note Enter 0.0.0.0/0 if you want to allow all ECS instances in VPC 1 to communicate with the ECS instance in VPC 2.
    Inbound Allow

    Linux: SSH

    22/22

    CIDR block
    Inbound Allow

    Custom TCP

    Custom

    CIDR block

Scenario 2: Deny access from specific IP addresses or to specific ports

If you want to deny access to an ECS instance in a VPC from specific IP addresses or deny access to specific ports of the ECS instance, you can configure security group rules based on the following information.

Security group rule Direction Action Protocol type and port range Authorization type Authorized object
Deny access from a CIDR block to all ports Inbound Deny

All

-1/-1

CIDR block

The CIDR block from which you want to deny access. Example: 10.0.0.1/32.

Deny access from a CIDR block to TCP port 22 Inbound Deny

SSH(22)

22/22

CIDR block

The CIDR block from which you want to deny access. Example: 10.0.0.1/32.

Scenario 3: Allow only specific IP addresses to remotely log on to an ECS instance

If an ECS instance in your VPC is associated with an elastic IP address (EIP) or configured with an Internet NAT gateway, you can add the following security group rules to allow remote logon from clients that run Windows or SSH logon from clients that run Linux.

Security group rule Direction Action Protocol type and port range Authorization type Authorized object
Allow remote logon from clients that run Windows Inbound Allow

RDP

3389/3389

CIDR block
The IP address from which you want to allow logon.
Note Enter 0.0.0.0/0 if you want to allow all public IP addresses to log on to the ECS instance.
Allow SSH logon from clients that run Linux Inbound Allow

SSH

22/22

CIDR block
The IP address from which you want to allow logon.
Note Enter 0.0.0.0/0 if you want to allow all public IP addresses to log on to the ECS instance.

Scenario 4: Allow users to access the HTTP or HTTPS service deployed on an ECS instance over the Internet

If you deployed a website on an ECS instance in your VPC, and the ECS instance provides Internet-facing services by using an EIP or an Internet NAT gateway, you can configure the following security group rules to allow users to access your website over the Internet.

Security group rule Direction Action Protocol type and port range Authorization type Authorized object
Allow access to HTTP port 80 Inbound Allow

HTTP

80/80

CIDR block 0.0.0.0/0
Allow access to HTTPS port 443 Inbound Allow

HTTPS

443/443

CIDR block 0.0.0.0/0
Allow access to TCP port 80 Inbound Allow

TCP

80/80

CIDR block 0.0.0.0