A security group is similar to a firewall for an instance. To ensure security, you must follow the least privilege principle when you configure security group rules for instances. This topic describes four recommended methods to configure interconnection of instances in the classic network.
Method 1: Authorize access to a single IP address
- Scenario: This method is applicable to interconnection between a small number of instances over the internal network.
- Advantages: This method involves simple and clear security group rules to authorize access to a single IP address.
- Disadvantages: When you attempt to interconnect a large number of instances over the internal network, you are limited of the 200 security group rules and be burdened by a high maintenance workload.
To authorize access to a single IP address, perform the following steps:
Method 2: Add instances to the same security group
- Scenario: If your application architecture is relatively simple, you can add all instances to the same basic security group. By default, instances in the same basic security group can access each other over the internal network.
- Advantages: Security group rules are simple and clear.
- Disadvantage: This method is applicable only to a simple network architecture. When the network architecture is adjusted, the authorization method must be modified accordingly.
For more information about the procedure, see Add an ECS instance to a security group.
Method 3: Add instances to a security group created solely for interconnection
- Scenario: You can add the instances to a dedicated basic security group for interconnection. This method is recommended for a network architecture that has multiple layers of applications.
- Advantages: This method is easy to implement and allows you to quickly establish interconnection between instances. The method is applicable to complicated network architectures.
- Disadvantages: The instances are added to multiple security groups and the security group rules may be complex.
To add instances to a security group created solely for interconnection, perform the following steps:
- Create a basic security group that has a name configured such as security group for interconnection. No rules are required for the new security group.
- Add the instances to be interconnected to the new security group. Instances in the same basic security group can communicate with each other.
Method 4: Authorize security groups
- Scenario: You can add the instances to a dedicated security group for interconnection. This method is recommended for a network architecture that has multiple layers of applications.
- Advantages: This method is easy to implement and allows you to quickly establish interconnection between instances. The method is applicable to complicated network architectures.
- Disadvantages: The instances are added to multiple security groups and the security group rules may be complex.
To authorize security groups, perform the following steps:
Suggestions
In the preceding figure, Delete 0.0.0.0 means deleting the original security group rule that allows inbound traffic from 0.0.0.0/0.
If one or more security group rules are improperly configured, the interconnection between your instances may be affected. We recommend that you back up security group rules before you change them so that you can easily recover the rules.
- Web layer security group: allows port 80.
- Application layer security group: allows port 8080.
- Database layer security group: allows port 3306.