
Elastic Desktop Service: Network security

Last Updated:Apr 10, 2026

Elastic Desktop Service (EDS) Enterprise provides public bandwidth for user network access and uses security measures to protect cloud computers from external and internal threats. To help you manage network behavior, EDS Enterprise provides security group and domain name control policies to control user network access.

01 Network access

1.1 Security group policies

Elastic Desktop Service (EDS) Enterprise provides administrators with security group control policies to manage network access permissions for cloud computers within their organization. A security group control policy consists of a set of security group rules. Similar to Elastic Compute Service security group rules, you can set the rule direction (inbound or outbound), action (Allow or Deny), priority, protocol type, port range, authorization object (an IP address or CIDR block), and description. By combining rules with different scopes and priorities, administrators can implement a whitelist approach, allowing access only from specified sources.

You can add inbound or outbound security group control rules to further control the traffic of your cloud computers. The following are example configurations for security group control rules:

Scenario 1

By default, all outbound access from a cloud computer is allowed. You can add the following outbound rules to allow access only to specific IP addresses:

  • Rule 1: Deny all outbound access. Example:

    | Direction | Policy | Priority | Protocol type | Port range | Authorization object |
    |---|---|---|---|---|---|
    | Outbound | Deny | 2 | All | -1/-1 | 0.0.0.0/0 |

  • Rule 2: Allow access to a specific IP address. The priority of this rule must be higher than that of Rule 1. Example:

    | Direction | Policy | Priority | Protocol type | Port range | Authorization object |
    |---|---|---|---|---|---|
    | Outbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address to allow access to, for example: 192.168.1.1/32. |

Scenario 2

In a VPC environment, you can add an inbound rule to allow access from a specific IP address to the cloud computer. Example:

| Direction | Policy | Priority | Protocol type | Port range | Authorization object |
|---|---|---|---|---|---|
| Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address to allow access from, for example: 192.168.1.1/32. |

Scenario 3

Assume Cloud Computer A is associated with Policy A, and Cloud Computer B is associated with Policy B. In a VPC environment, Cloud Computer A and Cloud Computer B cannot communicate with each other because all inbound access is denied by default. You can add the following inbound rules to Policy A and Policy B to enable network communication between them:

  • In Policy A, add an inbound rule to allow access from Cloud Computer B. Example:

    | Direction | Policy | Priority | Protocol type | Port range | Authorization object |
    |---|---|---|---|---|---|
    | Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | IP address of Cloud Computer B. |

  • In Policy B, add an inbound rule to allow access from Cloud Computer A. Example:

    | Direction | Policy | Priority | Protocol type | Port range | Authorization object |
    |---|---|---|---|---|---|
    | Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | IP address of Cloud Computer A. |

  • Default state: Disabled

  • Configuration responsibility: Customer

  • Cost: Free

  • Dependencies: None

  • Limitations:

    • Rule quantity limit

      You can create up to 200 security group control rules.

    • Limitations on inbound rules

      By default, a cloud computer allows all outbound access. Inbound access follows these principles:

      • Over the internet, a cloud computer does not support any inbound access. Even if you set an inbound security group rule to Allow, the rule does not take effect.

      • In a VPC environment, a cloud computer denies all inbound access by default. However, you can set an inbound security group rule to Allow to permit specific access requests.

  • Reference: Security Group Control

Procedure

  1. Log on to the Elastic Desktop Service Enterprise console.

  2. In the left-side navigation pane, choose O&M Management > Policy.

  3. On the Policy page, click Create Policy.

  4. On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.

In the Security Group Control section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.

  • Direction:

    • Inbound: Controls whether to allow requests to the cloud computer.

    • Outbound: Controls whether to allow requests from the cloud computer to other applications.

  • Policy:

    • Allow: Permits the access request.

    • Deny: Blocks the access request and drops the data packet without returning any information.

  • Priority: A value from 1 to 60, where a smaller value indicates a higher priority. Higher-priority rules take precedence.

  • Protocol type: TCP, UDP, ICMP (IPv4), and GRE are supported.

  • Port range: The port used by the application or protocol. When the selected protocol type is Custom TCP or Custom UDP, you can set a custom port. You can enter a specific port, such as 80, or a port range, such as 1/80. For more information, see Common Ports.

  • Authorization object: An IPv4 address range in CIDR format.

  • Description: A custom description for the rule.
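To make the precedence and default behaviour described above concrete, here is an added Python model of how one policy's rules decide a flow (example code written for this page, not the EDS implementation). It assumes first-match-wins in ascending priority order, the page's defaults when nothing matches (outbound open, VPC inbound closed, internet inbound never allowed), and fills Scenario 1's "appropriate port range" with TCP 443 as a sample value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed model of EDS security group rule evaluation (example code, not the
# service's own implementation). Assumed semantics: rules of the requested direction
# are tried in ascending priority value (smaller = higher priority), the first match
# decides, and the page's defaults apply when nothing matches: outbound is open,
# VPC inbound is closed, and inbound over the internet is never allowed.

@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound"
    action: str         # "allow" or "deny"
    priority: int       # 1..60, smaller value takes precedence
    protocol: str       # "tcp", "udp", "icmp", "gre" or "all"
    port_range: str     # "80", "1/80", or "-1/-1" for all ports
    cidr: str           # authorization object: IPv4 address or CIDR block
    description: str = ""

    def __post_init__(self):
        if not 1 <= self.priority <= 60:
            raise ValueError("priority must be between 1 and 60")
        ipaddress.ip_network(self.cidr, strict=False)  # reject a malformed object early

def _port_matches(port_range: str, port: Optional[int]) -> bool:
    if port_range == "-1/-1":
        return True  # all ports; also the only way to match a port-less protocol like ICMP
    lo, _, hi = port_range.partition("/")
    low, high = int(lo), int(hi or lo)
    return port is not None and low <= port <= high

def evaluate(rules: Iterable[Rule], direction: str, protocol: str,
             port: Optional[int], peer_ip: str, over_internet: bool = False) -> str:
    """Return 'allow' or 'deny' for one flow against a policy's rule set."""
    if direction == "inbound" and over_internet:
        return "deny"  # an inbound Allow rule never takes effect for internet traffic
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if r.protocol in ("all", protocol) and _port_matches(r.port_range, port) \
                and peer in ipaddress.ip_network(r.cidr, strict=False):
            return r.action
    return "allow" if direction == "outbound" else "deny"

# Scenario 1 from the page: deny everything outbound at priority 2, allow one host at priority 1.
SCENARIO_1 = [
    Rule("outbound", "deny", 2, "all", "-1/-1", "0.0.0.0/0", "Rule 1"),
    Rule("outbound", "allow", 1, "tcp", "443", "192.168.1.1/32", "Rule 2"),
]
```

Swapping the two priorities makes the deny-all rule win for every destination, which is the misconfiguration the "must be higher than that of Rule 1" sentence guards against.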

1.2 Domain name control

Elastic Desktop Service (EDS) Enterprise provides domain name control policies that allow administrators to manage network access for cloud computers at the domain name level. Unlike security group control policies, domain name control uses DNS rules to manage access by domain name. For each rule, you configure the domain name and an action (Allow or Deny). This feature also supports wildcards (*), which significantly simplifies the process of managing access to specific websites and services.

For example, to implement fine-grained access control for the domains listed in the following table, you can configure the DNS rules as shown.

| Domain | Example | Access policy | Description |
|---|---|---|---|
| Second-level domain | example.com | Allow | When the cloud computer accesses example.com, the webpage opens normally. |
| Third-level domain | writer.example.com | Deny | When the cloud computer accesses writer.example.com, the webpage displays a 404 error. |
| | developer.example.com | Allow | When the cloud computer accesses developer.example.com, the webpage opens successfully. |
| Fourth-level domain | image.developer.example.com | Deny | When the cloud computer accesses image.developer.example.com, the webpage displays a 404 error. |
| | video.developer.example.com | Allow | When the cloud computer accesses video.developer.example.com or guide.developer.example.com, the webpages open correctly. |
| | guide.developer.example.com | Allow | Same as for video.developer.example.com. |

  • Default state: Disabled

  • Configuration responsibility: Customer

  • Cost: Free

  • Dependencies: None

  • Limitations:

    • Domain limitations

      To ensure that end users can use their cloud computers properly, the following reserved security domains are not subject to DNS rules. Access to these domains is always allowed. If you set the access policy for these domains to Deny, the rule will not take effect.

      • *.gws.aliyun

      • *.aliyun.com

      • *.alicdn.com

      • *.aliyunpds.com

      • *.aliyuncds.com

      • *.aliyuncs.com

    • Operating system limitations

      Domain name access control rules apply only to cloud computers that run the Windows operating system.

    • Rule quantity limit

      You can create up to 300 DNS rules.

  • Reference: Domain Name Control

Procedure

  1. Log on to the Elastic Desktop Service Enterprise console.

  2. In the left-side navigation pane, choose O&M Management > Policy.

  3. On the Policy page, click Create Policy.

  4. On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.

In the Domain Name Access Control (Formerly DNS Feature) section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.

  • Domain name: Enter the domain name for which you want to set DNS rules. You can add only one domain name at a time. The * wildcard character is supported.

  • Description: A custom description for the DNS rule.

  • Access policy: Select Allow or Reject.

Note

  • If you set multiple DNS rules with an access policy of Allow, you must also add a DNS rule with an access policy of Deny to serve as a fallback rule.

  • When multiple DNS rules exist, the rule that is higher in the list takes precedence. You can move rules to adjust their priority.
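As an added example (written for this page, not part of the EDS implementation), the following Python model applies an ordered DNS rule list with the list-order precedence and * wildcard described above, exempts the reserved domains first, and lints a rule set for the missing Deny fallback the note calls for and for a broad rule that shadows a narrower one below it. It assumes that a domain matching no rule is allowed, which is why the note asks for a fallback Deny rule, and that * matches any run of characters including dots.

```python
import fnmatch
from typing import List, Sequence, Tuple

# Constructed model of EDS domain name control (example code, not the service's own
# implementation). Assumptions: rules are (domain pattern, action) pairs in list order,
# the first matching rule wins, '*' matches any run of characters including dots, the
# reserved domains from the page are allowed before any rule is consulted, and a domain
# that matches no rule is allowed (hence the page's advice to add a Deny fallback).

RESERVED_DOMAINS = (
    "*.gws.aliyun", "*.aliyun.com", "*.alicdn.com",
    "*.aliyunpds.com", "*.aliyuncds.com", "*.aliyuncs.com",
)

Rule = Tuple[str, str]  # (domain pattern, "allow" | "deny")

def _matches(pattern: str, domain: str) -> bool:
    # fnmatchcase treats '*' as a wildcard; the other characters of a domain name are literal
    return fnmatch.fnmatchcase(domain.lower().rstrip("."), pattern.lower())

def resolve_policy(rules: Sequence[Rule], domain: str) -> Tuple[str, str]:
    """Return (action, reason) for one domain against an ordered DNS rule list."""
    for reserved in RESERVED_DOMAINS:
        if _matches(reserved, domain):
            return "allow", f"reserved domain {reserved}, Deny rules do not apply"
    for pattern, action in rules:
        if _matches(pattern, domain):
            return action, f"matched rule {pattern}"
    return "allow", "no rule matched"

def lint_rules(rules: Sequence[Rule]) -> List[str]:
    """Flag a missing Deny fallback and any rule shadowed by a broader rule above it."""
    problems = []
    if any(a == "allow" for _, a in rules) and not any(a == "deny" for _, a in rules):
        problems.append("Allow rules present but no Deny fallback rule")
    for i, (broad, _) in enumerate(rules):
        for narrow, _ in rules[i + 1:]:
            if _matches(broad, narrow):
                problems.append(f"rule {narrow} is shadowed by earlier rule {broad}")
    return problems

# The worked table from the page, ordered so that narrower names sit above broader ones.
PAGE_RULES: List[Rule] = [
    ("image.developer.example.com", "deny"),
    ("video.developer.example.com", "allow"),
    ("guide.developer.example.com", "allow"),
    ("developer.example.com", "allow"),
    ("writer.example.com", "deny"),
    ("example.com", "allow"),
]
```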

02 Network boundaries

2.1 Office network intercommunication

Cloud computers run in a security group that is automatically created with the office network (formerly workspace). They do not have public-facing IP addresses or open ports. The security group blocks all external traffic except for ASP protocol connections from the streaming gateway. This design ensures that external network attacks cannot reach the cloud computers. This fundamental security mechanism of Elastic Desktop Service (EDS) Enterprise cannot be modified.

By default, the security group also prevents communication between cloud computers. This prevents a malicious user from attacking other cloud computers and stops a compromised cloud computer from infecting others on the internal network. Administrators can enable network access between cloud computers within their office network based on business needs. If you enable this access, you can use additional network control policies to mitigate the associated security risks.

Procedure

By default, cloud computers within the same office network cannot communicate. To enable this communication, you can enable the Interconnectivity feature on the details page of the office network.

  1. In the left-side navigation pane, choose Networks & Storage > Office Network.

  2. In the top navigation bar, select a region.

  3. On the Office Network page, click the office network ID of the target office network.

  4. On the office network details page, find the Network Information section and turn on the Interconnectivity switch.