
FAQ about security groups

Last Updated: Mar 06, 2018

What is a security group?

A security group is a virtual firewall that is used to set network access control for one or more ECS instances.

As an important means of security isolation, security groups are used to divide ECS instances into security domains. Each instance belongs to at least one security group, which must be specified when the instance is created. Instances in the same security group can communicate with each other over the network, but instances in different security groups cannot communicate over the intranet by default. However, intercommunication can be authorized between different security groups. For more information, see Security groups.

Why do I have to specify a security group when creating an ECS instance?

Security groups divide your application environment into security domains, and security group rules are authorized on them to provide proper network security isolation. Selecting a specific security group when you create an ECS instance is convenient: otherwise, all existing ECS instances would be assigned to a fixed security group, and you would have to remove them from the default security group and put them into new ones to implement network isolation. Therefore, you have to specify a security group when creating an ECS instance.

What is the impact of incorrect security group configuration?

  • Remote connections (SSH) to Linux instances and remote desktop connections to Windows instances may fail.
  • Remote ping operations to Internet and intranet IP addresses of ECS instances under the security group may fail.
  • HTTP/HTTPS access to web services provided by ECS instances under the security group may fail.
  • ECS instances under the security group may not be able to access ECS instances under other security groups in the same region (or in the same VPC) over the intranet.
  • ECS instances under the security group may not be able to access other cloud services in the same region (or in the same VPC) over the intranet.
  • ECS instances under the security group may not be able to access Internet services.

Why can't I access Port 25?

For security reasons, access to Port 25 on ECS instances is limited by default. You can open a ticket to lift the limitation; see Apply to open TCP port 25 for instructions.

Why do I have some rules with Priority 110 in my security group?

All the security group rules with Priority 110 are the default rules created by Alibaba Cloud. Priority 110 means that these rules have the lowest priority in the group. When you manually create a security group, only a value from 1 to 100 is valid for Priority.
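The following is an added example, not part of the original FAQ and not Alibaba Cloud code. It evaluates a constructed inbound rule set against the symptoms listed above (SSH, RDP, HTTP/HTTPS, ping) and checks the Priority range described here. The rule field names, the "drop wins a tie" rule and the deny-by-default fallback are assumptions made for the sketch.

```python
import ipaddress

# Constructed sample inbound rules (not from the page). Assumed simplified shape:
# protocol, port range "lo/hi" (-1/-1 = all), source CIDR, policy, priority.
SAMPLE_RULES = [
    {"proto": "tcp", "ports": "22/22", "src": "203.0.113.0/24", "policy": "accept", "priority": 1},
    {"proto": "tcp", "ports": "1/65535", "src": "0.0.0.0/0", "policy": "drop", "priority": 50},
    {"proto": "tcp", "ports": "443/443", "src": "0.0.0.0/0", "policy": "accept", "priority": 60},
    {"proto": "icmp", "ports": "-1/-1", "src": "0.0.0.0/0", "policy": "accept", "priority": 110},
]

# Symptoms from the FAQ list, expressed as (label, protocol, port) probes.
PROBES = [("SSH", "tcp", 22), ("RDP", "tcp", 3389), ("HTTP", "tcp", 80),
          ("HTTPS", "tcp", 443), ("ping", "icmp", -1)]

def matches(rule, proto, port, src_ip):
    """True if the rule covers this protocol, port and source address."""
    if rule["proto"] not in (proto, "all"):
        return False
    lo, hi = (int(p) for p in rule["ports"].split("/"))
    if lo != -1 and not lo <= port <= hi:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"])

def decide(rules, proto, port, src_ip):
    """Return 'accept' or 'drop' for one inbound connection attempt."""
    hits = [r for r in rules if matches(r, proto, port, src_ip)]
    if not hits:
        return "drop"  # assumption: unmatched inbound traffic is denied
    # Lower number = higher priority (110 is the lowest); assumption: drop wins a tie.
    best = min(hits, key=lambda r: (r["priority"], r["policy"] != "drop"))
    return best["policy"]

def failing_services(rules, src_ip):
    """Names of the probed services that this source address cannot reach."""
    return [name for name, proto, port in PROBES
            if decide(rules, proto, port, src_ip) == "drop"]

def invalid_manual_priorities(rules):
    """Priorities outside 1-100 that are also not the default-rule value 110."""
    return [r["priority"] for r in rules
            if not (1 <= r["priority"] <= 100 or r["priority"] == 110)]

if __name__ == "__main__":
    print(failing_services(SAMPLE_RULES, "203.0.113.7"))
    print(failing_services(SAMPLE_RULES, "198.51.100.9"))
```

In the sample, the HTTPS accept rule at Priority 60 never takes effect because the broader drop rule at Priority 50 outranks it, which is one way the HTTP/HTTPS symptom above can arise.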
