Manage security group rules

Last Updated:Sep 18, 2025

Security group rules control the inbound and outbound traffic of ECS instances. You can use these rules to allow or deny specific network traffic, block unnecessary ports, restrict traffic of specific protocols, and configure application access permissions. This topic describes how to add, modify, query, delete, import, and export security group rules.

Before you begin

Before you add security group rules, note the following:

Inbound rules of a security group control the inbound traffic to ECS instances, and outbound rules control the outbound traffic from the instances. When an ECS instance is associated with multiple security groups, the rules from all groups are sorted based on a fixed policy. These rules collectively determine whether to allow or deny inbound and outbound traffic for the instance.

Scenarios

  • If your ECS instance needs to provide external services, add inbound security group rules that allow access.

  • If you find that your ECS instance is under a malicious attack, add inbound security group rules that deny access.

  • If you want an ECS instance to actively connect to external networks, you may need to add outbound security group rules that allow access based on the security group type and its internal connectivity policy.

  • If you no longer need to control certain outbound or inbound traffic, delete the corresponding security group rules.

  • If you want to quickly copy rules to other security groups, you can use the import and export security group rules feature.

  • For more scenarios, see Guidelines and examples for security group applications.

Add a security group rule

Inbound and outbound security group rules include an authorization policy, priority, protocol type, port range, and authorization object. Traffic is considered a match for a security group rule if it matches the authorization object, port, and protocol type of the rule. The system then determines whether to allow or deny the traffic based on the priority and authorization policy of the rule. If the traffic does not match any security group rule, the default policy of the security group is applied.

  • Authorization object: The source address for inbound rules or the destination address for outbound rules. You can configure IP addresses (you can select multiple IP addresses), security groups, and prefix lists.

    If you select security groups or prefix lists as authorization objects, this security group rule restricts the access permissions of all IP addresses in the selected security groups and prefix lists.

    If you want to enable network communication between resources in different security groups, use security group-based authorization. For internal network access, use source security group authorization instead of CIDR block authorization.

    By default, Alibaba Cloud does not enable any inbound rules for the internal network of classic network-type ECS instances. For security reasons, do not enable authorization based on CIDR blocks for these instances.

  • Port range: The port that matches the traffic. You can configure a single port range or a list of ports. If you select a port list, the access permissions of all ports in the list are restricted by this security group rule. For information about the ports for typical applications and their corresponding scenarios, see Common ports.

  • Protocol type: The protocol type that matches the traffic.

    • TCP is mainly for applications that require high reliability, such as web browsing, email transmission, remote logon, and file uploads and downloads.

    • UDP is mainly for applications where speed is more important than accuracy, such as online games and video conferences.

    • The Internet Control Message Protocol (ICMP) is mainly used to transmit control information, such as ping commands, error reports, and diagnostic information, between network devices.

    • The Generic Routing Encapsulation (GRE) protocol is mainly for applications that require high security. GRE lets you securely transmit data across different network types, such as IP over IP.

  • Priority: The priority for matching traffic. The highest priority is 1.

    For rules with different priorities, traffic is first matched against the rule with the highest priority. If a match is found, the action specified in that rule is performed, and lower-priority rules are ignored.

    For rules that have the same priority but different authorization policies, the deny policy takes precedence over the allow policy.

  • Authorization policy: The action to be performed on matching traffic, which can be allow or deny.
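The matching order described in the list above (highest priority first, deny before allow at equal priority, default policy when nothing matches), as an added Python model that is not part of the original documentation. The `Rule` class, its field names and the inbound sample rule set (built on documentation address ranges) are constructed for illustration and are not the ECS API schema; authorization objects are modelled as CIDR blocks only.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security group rule (constructed model, not the ECS API schema)."""
    policy: str        # "allow" or "deny"
    priority: int      # 1 is the highest priority
    protocol: str      # "tcp", "udp", "icmp", "gre" or "all"
    port_range: tuple  # (first, last), inclusive; ignored for icmp and gre
    cidr: str          # authorization object: source (inbound) or destination (outbound)


def rule_matches(rule: Rule, protocol: str, port: int, address: str) -> bool:
    """Traffic matches a rule when protocol, port and authorization object all match."""
    if rule.protocol not in ("all", protocol):
        return False
    if protocol in ("tcp", "udp"):
        first, last = rule.port_range
        if not first <= port <= last:
            return False
    # The authorization object is a CIDR block in this model; a security group or
    # prefix list would expand to its member addresses before this check.
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr, strict=False)


def evaluate(rules, protocol, port, address, default_policy="deny"):
    """Return "allow" or "deny" for one packet, following the matching order in the text."""
    matching = [r for r in rules if rule_matches(r, protocol, port, address)]
    if not matching:
        # No rule matched: the security group's default policy applies.
        return default_policy
    # The highest priority (lowest number) wins; lower-priority rules are ignored.
    best = min(r.priority for r in matching)
    top = [r for r in matching if r.priority == best]
    # Same priority but different policies: deny takes precedence over allow.
    return "deny" if any(r.policy == "deny" for r in top) else "allow"


# Constructed inbound rule set for the demonstration (documentation address ranges).
INBOUND_RULES = [
    Rule("allow", 1, "tcp", (22, 22), "0.0.0.0/0"),
    Rule("deny", 1, "tcp", (22, 22), "203.0.113.0/24"),    # equal priority: deny wins
    Rule("allow", 5, "tcp", (80, 80), "0.0.0.0/0"),
    Rule("deny", 1, "tcp", (80, 80), "198.51.100.0/24"),   # higher priority than the allow
    Rule("allow", 1, "icmp", (-1, -1), "0.0.0.0/0"),
    Rule("deny", 100, "tcp", (1, 65535), "0.0.0.0/0"),     # lowest-priority TCP catch-all
]

if __name__ == "__main__":
    for proto, port, src in [("tcp", 22, "192.0.2.1"), ("tcp", 22, "203.0.113.5"),
                             ("tcp", 80, "198.51.100.7"), ("tcp", 443, "192.0.2.1"),
                             ("udp", 53, "192.0.2.1")]:
        print(proto, port, src, "->", evaluate(INBOUND_RULES, proto, port, src))
```

SSH from 192.0.2.1 is allowed because the priority-1 allow wins over the priority-100 catch-all, while SSH from 203.0.113.5 is denied because an allow and a deny of equal priority both match; UDP port 53 matches no rule and falls through to the default policy.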

Important

The ports that you configure in a security group rule must correspond to a running application. The application port must also be listening on 0.0.0.0. For information about how to check the current port status, see Check service status and port listening status.

Use the ECS console

  1. Go to ECS console - Security Groups.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the target security group and click Manage Rules in the Actions column to add inbound or outbound security group rules.

    • Method 1: Quickly add a security group rule

      This method is suitable for quickly configuring common TCP protocol rules. Click Quick Add, set Authorization Policy and Authorization Object, and select one or more ports.

      If the port range in the Quick Add dialog box does not include the port you want to allow or deny, you can first select a port to create a rule, and then modify the port range of the rule. You can also use Method 2: Manually add a security group rule to directly configure the required port.

    • Method 2: Manually add a security group rule

      You must configure the authorization policy, priority, protocol type, port range, and authorization object. Perform the following steps:

      1. Click Add Rule.

      2. In the rule list, configure the new security group rule. After the configuration is complete, click OK in the Actions column.

        For information about how to configure a single rule, see Security group rules.

Use the API

To control the outbound and inbound traffic of ECS instances more precisely, you can use quintuple security group rules. A quintuple rule includes the source IP address, source port, destination IP address, destination port, and protocol type. Quintuple rules are fully compatible with existing security group rules. You can configure quintuple security group rules by calling API operations. For more information, see Quintuple security group rules.

Modify a security group rule

After you modify a security group rule, the new rule immediately takes effect for all ECS instances in the security group. You may need to monitor network traffic and connections to ensure that the modified rule meets your business requirements and does not compromise network security. For more information, see What is Cloud Monitor.

Use the ECS console

  1. Go to ECS console - Security Groups.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the security group whose rules you want to modify and click Manage Rules in the Actions column.

  4. Find the security group rule that you want to modify, click Edit in the Actions column, make your changes, and then click OK.

Use the API

Query security group rules

After you add security group rules, you can query the details of the rules in the ECS console.

Use the ECS console

Method 1: View the rules of a single security group

  1. Go to ECS console - Security Groups.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the security group whose rules you want to view and click Manage Rules in the Actions column.

  4. Select the direction of the security group rules to view the rules in that direction.

    Note

    In the search box above the security group rule list, you can enter a port or an authorization object to quickly find matching security group rules.

Method 2: View the rules in all security groups that an ECS instance has joined

  1. Go to ECS console - Instance.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the target instance for which you want to view security group rules and click the instance ID to go to the instance details page.

  4. On the Security Groups tab, view all security groups that are associated with the instance.

  5. Click Manage Rules in the Actions column for a security group to view its rules. Repeat this step to view the rules of all security groups.

Use the API

Delete a security group rule

Before you delete a security group rule, make sure you understand the potential impact of this operation. This helps prevent network security issues that are caused by accidental deletion. If you delete a rule and later find that you still need it, you must create a new rule.

Use the ECS console

  1. Go to ECS console - Security Groups.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the security group whose rules you want to delete and click Manage Rules in the Actions column.

  4. Find the security group rule that you want to delete and click Delete in the Actions column.

  5. In the dialog box that appears, read the message, confirm the information, and then click OK.

Use the API

Check for redundant rules in a security group

The health check feature for security groups checks for redundant rules in a single security group. For example, if all conditions of rule A are completely covered by rule B, and the priority of rule A is lower than or equal to the priority of rule B, rule A is considered redundant. If redundant rules exist, you should purge them to prevent the number of security group rules from reaching the quota, which can affect the use of the security group.

Note

Each security group and each Elastic Network Interface (ENI) of an ECS instance can contain a limited number of security group rules. For information about the limits and quotas for security group rules, see Security group limits.
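The redundancy definition in the section above (rule A is redundant when rule B covers all of its conditions and A's priority is lower than or equal to B's), as an added Python check that is not part of the original documentation or the console's health check feature. The `Rule` model, its field names, the rule ids and the sample rule set are constructed for illustration; authorization objects are modelled as CIDR blocks only.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Constructed model of one rule; field names are not the ECS API schema."""
    rule_id: str
    direction: str     # "inbound" or "outbound"
    policy: str        # "allow" or "deny"
    priority: int      # 1 is the highest priority
    protocol: str      # "tcp", "udp", "icmp", "gre" or "all"
    port_range: tuple  # (first, last), inclusive
    cidr: str          # authorization object as a CIDR block


def covers(b: Rule, a: Rule) -> bool:
    """True when every packet matched by rule a is also matched by rule b with the same action."""
    if a.direction != b.direction or a.policy != b.policy:
        return False
    if b.protocol != "all" and b.protocol != a.protocol:
        return False
    if not (b.port_range[0] <= a.port_range[0] and a.port_range[1] <= b.port_range[1]):
        return False
    net_a = ipaddress.ip_network(a.cidr, strict=False)
    net_b = ipaddress.ip_network(b.cidr, strict=False)
    return net_a.version == net_b.version and net_a.subnet_of(net_b)


def find_redundant(rules) -> dict:
    """Map each redundant rule id to the id of a rule that makes it redundant.

    Rule a is redundant when some rule b covers all of its conditions and a's
    priority is lower than or equal to b's (numerically >=, since 1 is highest).
    Rules are walked in a fixed order and a rule already marked redundant is never
    used as the cover, so two identical rules yield exactly one deletion candidate
    instead of flagging each other and leaving nothing behind.
    """
    ordered = sorted(rules, key=lambda r: (r.priority, r.rule_id))
    redundant = {}
    for a in ordered:
        for b in ordered:
            if a is b or b.rule_id in redundant:
                continue
            if covers(b, a) and a.priority >= b.priority:
                redundant[a.rule_id] = b.rule_id
                break
    return redundant


# Constructed rule set (documentation address ranges) for the demonstration.
RULES = [
    Rule("r1", "inbound", "allow", 1, "tcp", (22, 22), "203.0.113.0/24"),
    Rule("r2", "inbound", "allow", 1, "tcp", (1, 65535), "203.0.113.0/24"),   # covers r1, same priority
    Rule("r3", "inbound", "allow", 100, "tcp", (80, 80), "192.0.2.0/24"),
    Rule("r4", "inbound", "allow", 10, "tcp", (80, 80), "0.0.0.0/0"),         # covers r3, higher priority
    Rule("r5", "inbound", "deny", 1, "tcp", (80, 80), "198.51.100.0/24"),     # different policy: never redundant
    Rule("r6", "inbound", "allow", 1, "tcp", (3306, 3306), "10.0.0.0/8"),
    Rule("r7", "inbound", "allow", 50, "tcp", (1, 65535), "10.0.0.0/8"),      # covers r6 but has lower priority
    Rule("r8", "outbound", "allow", 1, "tcp", (22, 22), "203.0.113.0/24"),    # other direction
]

if __name__ == "__main__":
    for rule_id, covered_by in find_redundant(RULES).items():
        print(f"{rule_id} is redundant: covered by {covered_by}")
```

r6 is not reported even though r7 covers it, because r6 has the higher priority, which is exactly the condition the health check applies; whether a wider lower-priority rule should also be tightened is a separate review question.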

Use the ECS console

  1. Go to ECS console - Security Groups.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the security group whose rules you want to check and click Manage Rules in the Actions column.

  4. In the Access Rules section, click Health Check.

  5. In the Health Check dialog box, check whether any redundant rules exist.

    The following figure shows that the security group contains two redundant rules.

  6. Select the redundant rules and then click OK to delete them.

Import and export security group rules

The ECS console supports exporting and importing security group rules. This feature is suitable for scenarios such as backing up, restoring, and migrating security group rules.

Before you import security group rules, make sure that the following requirements are met. Otherwise, the import may fail:

  • The priority of a security group rule ranges from 1 to 100. Rules with a priority higher than 100 must be deleted before import and then re-created after the import.

  • The ECS console supports exporting security group rules as JSON or CSV files. Make sure that you use the correct file format and follow the naming conventions for Alibaba Cloud security group rule files.

  • We recommend that you import no more than 200 rules at a time.

  • When you import rules across regions, the authorization object in the security group rules cannot be a security group or a prefix list, and the port range cannot be a port list.

Use the ECS console

  1. Go to ECS console - Security Groups.

  2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  3. Find the security group whose rules you want to export, and in the Actions column, click Manage Rules.

  4. In the Access Rules section, perform one of the following operations to manage the rules:

    • Import security group rules

      Click Import. In the Import Security Group Rules dialog box, click Select File, and then select a local JSON or CSV file. Then, click OK.

      If some rules fail to be imported, you can move the pointer over the warning icon to view the failure reason.

    • Export security group rules

      Click Export, select a file format, and then download and save the file to your local machine.

      • JSON Format

        The naming convention for a JSON file is: ecs_${region_id}_${groupID}.json

        For example, if regionID is cn-qingdao and groupID is sg-123, the name of the exported JSON file is ecs_cn-qingdao_sg-123.json.

      • CSV Format

        The naming convention for a CSV file is: ecs_sgRule_${groupID}_${region_id}_${time}.csv

        For example, if regionID is cn-qingdao, groupID is sg-123, and time is 2020-01-20, the name of the exported CSV file is ecs_sgRule_sg-123_cn-qingdao_2020-01-20.csv.
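The import requirements listed at the start of this section (priority 1 to 100, at most 200 rules per import, no security group or prefix list authorization objects and no port lists across regions) and the file naming conventions above, as an added Python pre-import check that is not part of the original documentation or the console. The naming conventions are taken from the text; the character classes in the patterns, the rule record keys (`priority`, `portRange`, `authorizationObject`), the comma-separated port list notation and the sample rules are assumptions made for this example and are not the console's export schema.

```python
import ipaddress
import json
import re
from datetime import date

# Naming conventions from the text: ecs_${region_id}_${groupID}.json and
# ecs_sgRule_${groupID}_${region_id}_${time}.csv. The character classes are
# an assumption that fits the documented example names.
JSON_NAME = re.compile(r"^ecs_(?P<region_id>[a-z0-9-]+)_(?P<group_id>sg-[a-z0-9]+)\.json$")
CSV_NAME = re.compile(
    r"^ecs_sgRule_(?P<group_id>sg-[a-z0-9]+)_(?P<region_id>[a-z0-9-]+)_(?P<time>\d{4}-\d{2}-\d{2})\.csv$"
)


def export_file_name(region_id, group_id, fmt, day=None):
    """Build the file name that the documented convention gives an exported rule file."""
    if fmt == "json":
        return f"ecs_{region_id}_{group_id}.json"
    if fmt == "csv":
        return f"ecs_sgRule_{group_id}_{region_id}_{day or date.today().isoformat()}.csv"
    raise ValueError("fmt must be 'json' or 'csv'")


def parse_file_name(name):
    """Recover format, region id and group id from an exported file name, or None if it does not follow the convention."""
    m = JSON_NAME.match(name)
    if m:
        return {"format": "json", **m.groupdict()}
    m = CSV_NAME.match(name)
    if m:
        return {"format": "csv", **m.groupdict()}
    return None


def is_cidr(value):
    """An authorization object that does not parse as a CIDR block is a security group or prefix list id."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_rules_for_import(rules, cross_region=False, max_rules=200):
    """Return the problems that would make the import fail or that the text advises against.

    Rule records are dicts with the constructed keys "priority", "portRange" and
    "authorizationObject"; a port list is written as comma-separated values.
    These keys are an assumption, not the console's export schema.
    """
    problems = []
    if len(rules) > max_rules:
        problems.append(f"{len(rules)} rules in one file; the recommended maximum is {max_rules}")
    for i, rule in enumerate(rules):
        prio = rule.get("priority")
        if not isinstance(prio, int) or not 1 <= prio <= 100:
            problems.append(f"rule {i}: priority {prio!r} is outside 1-100; "
                            "delete it before import and re-create it afterwards")
        if cross_region:
            obj = str(rule.get("authorizationObject", ""))
            if not is_cidr(obj):
                problems.append(f"rule {i}: authorization object {obj!r} is a security group "
                                "or prefix list, which is not allowed across regions")
            if "," in str(rule.get("portRange", "")):
                problems.append(f"rule {i}: port list {rule['portRange']!r} is not allowed across regions")
    return problems


def check_export_file(name, text, target_region):
    """Validate an exported JSON file (name plus contents) before importing it into target_region."""
    meta = parse_file_name(name)
    if meta is None or meta["format"] != "json":
        return [f"{name!r} does not follow the JSON naming convention ecs_${{region_id}}_${{groupID}}.json"]
    cross_region = meta["region_id"] != target_region
    return check_rules_for_import(json.loads(text), cross_region=cross_region)


# Constructed sample rules: one priority outside the range, one security group
# authorization object and one port list, so the cross-region checks have something to find.
SAMPLE_RULES = [
    {"priority": 1, "policy": "allow", "protocol": "tcp", "portRange": "22/22", "authorizationObject": "203.0.113.0/24"},
    {"priority": 101, "policy": "allow", "protocol": "tcp", "portRange": "80/80", "authorizationObject": "0.0.0.0/0"},
    {"priority": 10, "policy": "allow", "protocol": "tcp", "portRange": "443/443", "authorizationObject": "sg-example"},
    {"priority": 10, "policy": "allow", "protocol": "tcp", "portRange": "8080,8443", "authorizationObject": "10.0.0.0/8"},
]
SAMPLE_JSON = json.dumps(SAMPLE_RULES)

if __name__ == "__main__":
    name = export_file_name("cn-qingdao", "sg-123", "json")
    for problem in check_export_file(name, SAMPLE_JSON, "cn-hangzhou"):
        print(problem)
```

Importing the sample file back into its own region reports only the out-of-range priority; importing it into a different region additionally reports the security group authorization object and the port list, which matches the cross-region restriction in the requirements list.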

FAQ and best practices for security group rules