
Implication and matching sequence of the ECS security group rule priority

Last Updated: Dec 15, 2017

When an instance belongs to only one security group

  1. If two rules have the same priority, the request is first checked against the rule that is listed first; only if that rule does not match is the second rule checked. For example,

    [Figure: ECS_SecurityGroup_Rule_EqualPriority]

    In this case, all ports except Port 80 can be accessed.

  2. A smaller priority value means a higher priority: a rule with priority value 1 is checked before a rule with priority value 2, regardless of the order in which the two rules are listed. For example,

    [Figure: ECS_SecurityGroup_Rule_DifferentPriority]

    In this case, access to Port 80 is denied, because the deny rule has the higher priority (that is, the priority value is 1).

    Summary: When an instance belongs to only one security group, rules are checked in order of priority value, smallest first; rules with the same priority value are checked in the order in which they are listed. The first rule that matches decides the result.

When an instance belongs to at least two security groups:

  1. An instance belongs to two security groups whose rules all have the same priority, as follows:

    [Figure: FirstPriority]

    Rules in Security Group 1 are set as follows:

    [Figure: FirstSecurityGroup1]

    Rules in Security Group 2 are set as follows:

    [Figure: FirstSecurityGroup2]

    The rules are checked in the following order:

    1. Rules are first ranked by the display order of the security groups; that is, rules of a given priority in Security Group 1 are ranked before rules of the same priority in Security Group 2.

    2. Rules within the same group are then ranked by priority, highest priority (smallest priority value) first; rules with the same priority value keep their listed order.

      In the preceding example, the final order in which the rules are checked is as follows:

      • Security Group 1     1.1.1.3     priority 1
      • Security Group 1     1.1.1.2     priority 1
      • Security Group 2     2.2.2.2     priority 1
      • Security Group 2     1.1.1.1     priority 1
  2. An instance belongs to two security groups whose rules have different priorities, as follows:

    [Figure: SecondPriority]

    Rules in Security Group 1 are set as follows:

    [Figure: SecondSecurityGroup1]

    Rules in Security Group 2 are set as follows:

    [Figure: SecondSecurityGroup2]

    The rules are checked in the following order:

    1. Rules are first ranked by the order of the groups in “The Instance’s Security Groups” of the instance; that is, rules in “Security Group 1” are ranked before rules in “Security Group 2”. The result is as follows:

      • Security Group 1     1.1.1.1     priority 1
      • Security Group 1     1.1.1.2     priority 2
      • Security Group 2     2.2.2.1     priority 1
      • Security Group 2     2.2.2.2     priority 2
    2. All rules are then ranked by priority value across both groups, smallest value first; rules with the same priority value keep the group order established in the previous step.
      The final order in which the rules are checked is as follows:

      • Security Group 1     1.1.1.1     priority 1
      • Security Group 2     2.2.2.1     priority 1
      • Security Group 1     1.1.1.2     priority 2
      • Security Group 2     2.2.2.2     priority 2

      Summary: When an instance belongs to multiple security groups, rules are checked in order of priority value, smallest first. Rules with the same priority value are ranked by the display order of their groups in “The Instance’s Security Groups”, and rules within the same group by their listed order. The first rule that matches decides the result. If no rule matches, access is denied.
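The following Python script is an added example, not part of this page or of the ECS product itself. It models the ordering rules described in both sections above (a single group with equal or different priorities, and multiple groups) as a sort key of priority value, then group display order, then listed order, and evaluates a request against the first matching rule with an implicit deny. The rule actions, port ranges and most source addresses are constructed for the example, because the page's figures do not show them; only the 1.1.1.x and 2.2.2.x sources and the priority values are taken from the page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "accept" or "drop" (constructed for this example)
    priority: int                # smaller value = higher priority
    port_range: Tuple[int, int]  # inclusive (low, high)
    source: str                  # source CIDR the rule applies to


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


def ordered_rules(groups: List[SecurityGroup]) -> List[Tuple[SecurityGroup, Rule]]:
    """Flatten the rules of all groups into the order in which they are checked.

    Sort key: priority value (smallest first), then the position of the group in
    the instance's security group list, then the rule's position inside its group.
    Encoding both positions in the key is what keeps equal-priority rules in
    display order, as the page describes.
    """
    flat = []
    for g_idx, group in enumerate(groups):
        for r_idx, rule in enumerate(group.rules):
            flat.append((rule.priority, g_idx, r_idx, group, rule))
    flat.sort(key=lambda entry: entry[:3])
    return [(group, rule) for _, _, _, group, rule in flat]


def evaluate(groups: List[SecurityGroup], src_ip: str, port: int
             ) -> Tuple[str, Optional[str], Optional[Rule]]:
    """Return (action, group_name, rule) for the first rule that matches the request.

    If no rule matches, return ("drop", None, None): access is denied by default.
    """
    addr = ip_address(src_ip)
    for group, rule in ordered_rules(groups):
        low, high = rule.port_range
        if low <= port <= high and addr in ip_network(rule.source, strict=False):
            return rule.action, group.name, rule
    return "drop", None, None


ANY = "0.0.0.0/0"

# Constructed: one group, two rules with the same priority, deny on Port 80 listed first.
SINGLE_SAME_PRIORITY = [SecurityGroup("sg-web", [
    Rule("drop", 1, (80, 80), ANY),
    Rule("accept", 1, (1, 65535), ANY),
])]

# Constructed: one group, allow-all listed first but with the larger priority value.
SINGLE_DIFFERENT_PRIORITY = [SecurityGroup("sg-web", [
    Rule("accept", 2, (1, 65535), ANY),
    Rule("drop", 1, (80, 80), ANY),
])]

# The page's two-group examples; sources and priorities from the page, actions constructed.
MULTI_SAME_PRIORITY = [
    SecurityGroup("Security Group 1", [Rule("accept", 1, (22, 22), "1.1.1.3/32"),
                                       Rule("accept", 1, (22, 22), "1.1.1.2/32")]),
    SecurityGroup("Security Group 2", [Rule("accept", 1, (22, 22), "2.2.2.2/32"),
                                       Rule("accept", 1, (22, 22), "1.1.1.1/32")]),
]
MULTI_DIFFERENT_PRIORITY = [
    SecurityGroup("Security Group 1", [Rule("accept", 1, (22, 22), "1.1.1.1/32"),
                                       Rule("accept", 2, (22, 22), "1.1.1.2/32")]),
    SecurityGroup("Security Group 2", [Rule("accept", 1, (22, 22), "2.2.2.1/32"),
                                       Rule("accept", 2, (22, 22), "2.2.2.2/32")]),
]

# Constructed cross-group case: a priority-1 accept in the second group beats a
# priority-2 drop in the first group, even though the first group is displayed first.
CROSS_GROUP = [
    SecurityGroup("Security Group 1", [Rule("drop", 2, (22, 22), ANY)]),
    SecurityGroup("Security Group 2", [Rule("accept", 1, (22, 22), "10.0.0.0/8")]),
]


if __name__ == "__main__":
    cases = [
        ("single group, equal priority, port 80", SINGLE_SAME_PRIORITY, "203.0.113.5", 80),
        ("single group, equal priority, port 443", SINGLE_SAME_PRIORITY, "203.0.113.5", 443),
        ("single group, different priority, port 80", SINGLE_DIFFERENT_PRIORITY, "203.0.113.5", 80),
        ("cross-group, 10.1.2.3 on port 22", CROSS_GROUP, "10.1.2.3", 22),
        ("cross-group, 203.0.113.5 on port 22", CROSS_GROUP, "203.0.113.5", 22),
        ("cross-group, 203.0.113.5 on port 443 (no rule)", CROSS_GROUP, "203.0.113.5", 443),
    ]
    for label, groups, ip, port in cases:
        action, group_name, rule = evaluate(groups, ip, port)
        print(f"{label}: {action} (matched in {group_name}: {rule})")
    print("check order:", [r.source for _, r in ordered_rules(MULTI_DIFFERENT_PRIORITY)])
```

The cross-group case is the one worth keeping in mind when an instance carries several groups: a deny rule in the first-listed group does not win on its own, because a lower priority value in any other group is checked before it. Anything not covered by an accept rule falls through to the implicit deny.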
