You can create custom security group rules in a security group to control inbound and outbound traffic for Elastic Compute Service (ECS) instances in the security group. Security group rules help control access to cloud resources and improve network security.
Before you use security group rules, take note of the following items:
The security group rules in security groups of the Virtual Private Cloud (VPC) type are classified into inbound and outbound rules. The rules control traffic over both the Internet and internal network. The security group rules in security groups of the classic network type are classified into Internet ingress (or public inbound), Internet egress (or public outbound), internal inbound, and internal outbound rules. Internet ingress and egress rules control traffic over the Internet. Internal inbound and outbound rules control traffic over the internal network.
Security groups are stateful. A session for a security group can persist for up to 910 seconds. If ECS instances in the same security group can be accessed and sessions are established on the instances, the security group allows traffic in both directions during the sessions. For example, if request traffic during a session is allowed to flow in, the corresponding response traffic is also allowed to flow out.
You can modify the security group rules that are associated with an elastic network interface (ENI), or change the security groups of an ENI to associate new security group rules with the ENI. If the new security group rules and the original security group rules contain the same actions, the sessions that are already established on the ENI are not affected. If you use the internal connectivity policy of basic security groups to allow traffic and do not want existing sessions to be affected when you change the basic security groups of an ENI, add the ENI or its associated ECS instance to new basic security groups, wait for approximately 10 seconds, and then remove the ENI or ECS instance from the original basic security groups.
The default email service port is TCP port 25. By default, TCP port 25 of ECS instances is blocked to ensure security. To send emails, we recommend that you use port 465.
Before you create security group rules in a security group, take note that the security group contains default access control rules that are invisible. The default access control rules and the custom security group rules that you create work together to control traffic for ECS instances in the security group. Basic and advanced security groups have different sets of default access control rules. For a basic security group, the default inbound access control rules allow only traffic over the internal network from ECS instances within the basic security group, and the default outbound access control rules allow all traffic. For an advanced security group, the default access control rules do not allow traffic. For more information, see Basic security groups and advanced security groups.
The internal access control policy of a basic security group affects the default access control rules of the security group. By default, a basic security group uses the internal interconnectivity policy. The policy allows inbound and outbound traffic over the internal network between ECS instances within the basic security group. If you do not require ECS instances in a basic security group to access each other, we recommend that you follow the principle of least privilege to configure the internal isolation policy for the security group. For more information, see Modify the internal access control policy of a basic security group.
For an ECS instance that is associated with multiple security groups, all security group rules of the security groups are automatically sorted and work together with the default access control rules of the security groups to control traffic for the ECS instance. The security group rules are processed in a specific order. The processing continues until a rule is matched. For more information, see the Match policy of custom security group rules section in this topic.
By default, each security group can contain up to 200 security group rules. You can change the maximum number of security group rules that can be contained in each security group and the maximum number of security groups with which an ECS instance can be associated. For more information, see the Security groups section in the "Limits" topic. We recommend that you keep the security group rules of each security group concise to facilitate management. You can perform health checks on security groups to identify redundant security group rules. For more information, see the Identify redundant rules in a security group section in the "View security group rules" topic.
Composition of each security group rule
A custom security group rule consists of the following information:
Protocol type: the protocol type. The following protocols are supported: TCP, User Datagram Protocol (UDP), Internet Control Message Protocol version 4 (ICMPv4), ICMP version 6 (ICMPv6), and Generic Routing Encapsulation (GRE).
Port range: the destination ports. Port ranges and port lists are supported.
Port ranges: For TCP and UDP protocols, use a forward slash (/) to separate the start port number and the end port number when you specify a port range. Examples: 8000/9000 and 22/22. For other protocols, the Port Range parameter is set to -1/-1. For more information, see Common ports.
Port lists: A port list is a set of ports. If you reference a port list in a rule of a security group, the maximum number of entries in the port list counts against the rule quota of the security group regardless of the actual number of entries in the port list. You can reference port lists in a security group rule only if the protocol type is TCP or UDP. For more information, see Overview.
Authorization object: the source of traffic for inbound rules or the destination of traffic for outbound rules. You can specify the following elements as authorization objects:
IPv4 addresses. Example: 192.168.0.100.
IPv4 CIDR blocks. Example: 192.168.0.0/24.
IPv6 addresses. Example: 2408:4321:180:1701:94c7:bc38:3bfa:9. The IPv6 addresses that you specify are standardized. For example, 2408:180:0000::1 is converted into 2408:180::1.
IPv6 CIDR blocks. Example: 2408:4321:180:1701::/64. The IPv6 CIDR blocks that you specify are standardized. For example, 2408:4321:180:0000::/64 is converted into 2408:4321:180::/64.
Security group IDs. You can specify security groups in the current account or other accounts. If you specify a security group ID as the authorization object in a security group rule, the rule uses the internal IP addresses of ECS instances in the specified security group to control traffic over the internal network. For example, if you specify Security Group A that contains ECS Instance B as the authorization object in a security group rule, the rule controls access to or from the internal IP address of ECS Instance B over the internal network.
Prefix list IDs. A prefix list is a set of one or more network prefixes (CIDR blocks). If you specify a prefix list as the authorization object in a security group rule, the maximum number of entries in the prefix list counts against the rule quota of the security group. For more information, see Overview.
Action: the action to take on traffic. Valid values: Allow and Deny. If a request matches the protocol, port range, and authorization object conditions of a security group rule, the action that you specify in the rule is taken to allow or deny the request.
Priority: the priority of the rule. Valid values: 1 to 100. A smaller value indicates a higher priority. Security group rules are sorted by priority and then by action. For more information, see the Match policy of custom security group rules section in this topic.
Direction: Inbound and outbound rules are supported to control inbound and outbound traffic.
NIC type: The network interface controller (NIC) type is supported only for security group rules in security groups of the classic network type. You can specify the NIC type to configure public or internal security group rules. Public security group rules control traffic over the Internet and take effect on public NICs of ECS instances that are deployed in the classic network. Internal security group rules control traffic over the internal network and take effect on internal NICs of ECS instances that are deployed in the classic network. Security group rules in security groups of the VPC type control traffic over both the Internet and internal network.
Rule ID: When you create a security group rule, the system generates a unique ID for the rule. To modify or delete a security group rule, you can use the rule ID to find the rule.
If a request matches the protocol, port range, and authorization object conditions of a security group rule, the action that you specify in the rule is taken to allow or deny the request. When a general inbound rule is processed, the source IP address of the traffic is matched against the authorization object and the destination port number of the traffic is matched against the port range. When a general outbound rule is processed, the destination IP address of the traffic is matched against the authorization object and the destination port number of the traffic is matched against the port range. To implement more fine-grained access control, we recommend that you use security group quintuple rules. For more information, see Security group quintuple rules.
Match policy of custom security group rules
You can associate an ECS instance with one or more security groups. The system controls inbound and outbound traffic for the instance based on the security group rules that are associated with the instance. For example, the system performs the following steps to process inbound security group rules that are associated with the ECS instance to allow or deny inbound traffic to the instance:
Collect all inbound security group rules and sort the rules by priority and then by action.
Sort the security group rules in descending order of priority. A rule with a smaller priority value has a higher priority.
Rank security group rules whose Action parameter is set to Deny before security group rules whose Action parameter is set to Allow.
The system matches requests with the custom security group rules that are associated with the ECS instance based on the order in which the rules are sorted, protocol type, port range, and authorization object. If a request matches a rule, the action specified in the rule is taken to allow or deny the request.
In addition to custom security group rules, security groups contain default access control rules that take effect but are invisible. For more information, see the Default access control rules section in the "Basic security groups and advanced security groups" topic.
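The following Python model is an added example of the match policy described above, not Alibaba Cloud's implementation: it orders a constructed rule set by priority value and then Deny before Allow, takes the first matching rule, and otherwise falls back to the invisible default access control rules, which are simplified here to a flag that says whether the source is an ECS instance in the same basic security group.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int     # 1-100; a smaller value is a higher priority
    action: str       # "Allow" or "Deny"
    protocol: str     # "TCP", "UDP", "ICMPv4", "ICMPv6" or "GRE"
    port_range: str   # "start/end" for TCP/UDP, "-1/-1" for other protocols
    source: str       # authorization object: IPv4/IPv6 address or CIDR block

def sort_rules(rules):
    """Order rules the way the match policy does: by priority value
    (smaller first), then Deny before Allow at the same priority."""
    return sorted(rules, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1))

def rule_matches(rule, proto, src_ip, dst_port):
    if rule.protocol != proto:
        return False
    if proto in ("TCP", "UDP"):
        lo, hi = (int(p) for p in rule.port_range.split("/"))
        if not lo <= dst_port <= hi:
            return False
    # ipaddress standardizes forms such as 2408:4321:180:0000::/64 -> 2408:4321:180::/64
    # and returns False for a v4 address tested against a v6 block (and vice versa).
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def evaluate_inbound(rules, proto, src_ip, dst_port, group_type="basic", intra_group=False):
    """Return the action for an inbound request: the first matching custom rule
    wins; otherwise the default rules decide (simplified: a basic group allows
    internal traffic from instances in the same group, an advanced group denies)."""
    for rule in sort_rules(rules):
        if rule_matches(rule, proto, src_ip, dst_port):
            return rule.action
    return "Allow" if group_type == "basic" and intra_group else "Deny"

# Constructed sample rule set (not taken from any real security group).
SAMPLE_RULES = [
    Rule(1, "Allow", "TCP", "80/80", "0.0.0.0/0"),          # web open to the Internet
    Rule(1, "Deny", "TCP", "80/80", "203.0.113.0/24"),       # same priority: ranked before the Allow
    Rule(1, "Allow", "TCP", "22/22", "198.51.100.10/32"),    # one admin host may use SSH
    Rule(10, "Deny", "TCP", "22/22", "0.0.0.0/0"),           # lower priority than the admin Allow
    Rule(5, "Allow", "ICMPv4", "-1/-1", "10.0.0.0/8"),       # ping from the internal network
    Rule(1, "Allow", "TCP", "443/443", "2408:4321:180:0000::/64"),  # non-standardized IPv6 block
]

if __name__ == "__main__":
    for proto, ip, port in [("TCP", "203.0.113.7", 80), ("TCP", "192.0.2.9", 80),
                            ("TCP", "198.51.100.10", 22), ("TCP", "192.0.2.9", 22)]:
        print(proto, ip, port, "->", evaluate_inbound(SAMPLE_RULES, proto, ip, port))
```

Because Python's sort is stable, rules with the same priority and action keep their listed order, which is why the order of equal-priority Allow rules does not change the outcome here.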
Special rules in security groups
To ensure the stability of ECS instances and the availability of specific cloud features, security groups automatically allow traffic that is generated in specific scenarios. You cannot configure security group rules to deny the traffic. Security groups automatically allow the following traffic:
Traffic for network connectivity checks under special circumstances:
When the underlying components of ECS instances change, Alibaba Cloud may perform on-demand ping tests to check the network connectivity of the instances. To ensure the accuracy of the tests, security groups automatically recognize and allow the ping traffic.
ICMP Path Maximum Transmission Unit Discovery (PMTUD) error packets:
If a packet sent by an ECS instance exceeds the path maximum transmission unit (MTU) and has the Don't Fragment (DF) flag set, the ECS instance receives an ICMP error packet that contains the path MTU. The error packet instructs the ECS instance to reduce the packet size. Security groups automatically recognize and allow such error packets. For more information, see Jumbo Frames.
Server Load Balancer (SLB) traffic:
Security groups automatically recognize and allow the traffic that is forwarded to backend ECS instances through SLB instances, such as Application Load Balancer (ALB), Network Load Balancer (NLB), or Classic Load Balancer (CLB) instances. In this case, the inbound and outbound traffic of the ECS instances is controlled by the security groups or access control lists (ACLs) of the SLB instances.
MetaServer access traffic:
MetaServer provides the required metadata service for ECS instances. The metadata service is a basic service that helps ensure ECS instances run as expected. By default, security groups allow outbound traffic to the MetaServer at 100.100.100.200 without the need for additional rules.
Security group quintuple rules
By default, the following limits apply when you configure security groups in the ECS console:
When you configure inbound security group rules, you must specify source IP addresses, destination ports, and protocol types.
When you configure outbound security group rules, you must specify destination IP addresses, destination ports, and protocol types.
You can configure quintuple rules in security groups to control the inbound and outbound traffic of ECS instances in a finer-grained manner. A quintuple rule includes the following elements: source IP address, source port, destination IP address, destination port, and protocol type. Quintuple rules are fully compatible with existing security group rules.
You can specify an IP address of an ECS instance as a destination IP address in an inbound security group rule or as a source IP address in an outbound security group rule to control traffic of the instance. In this case, you must specify the private IP address of the instance, not the static public IP address (public IP address that is automatically assigned to the instance) or elastic IP address (EIP) of the instance. Static public IP addresses and EIPs are NAT IP addresses, which are located on Internet gateways of Alibaba Cloud. Security groups take effect on elastic network interfaces (ENIs) of ECS instances to control the traffic to or from the associated private IP addresses corresponding to NAT IP addresses.
The following sample quintuple rule controls TCP access from 172.16.1.0/32 to 10.0.0.1/32 over port 22:
Source IP address: 172.16.1.0/32
Source port: 22
Destination IP address: 10.0.0.1/32
Destination port: not specified
Protocol type: TCP
To configure security group quintuple rules in the ECS console, submit a ticket.
Use cases for security groups
Alibaba Cloud provides examples on how to configure security group rules in common scenarios, such as providing web services for websites and connecting to instances.
Case 1: Allow websites deployed on ECS instances to provide web services
Case 2: Allow only specific users to connect to ECS instances
Case 3: Control access to databases deployed on ECS instances
Case 4: Allow only traffic of specific protocols to access ECS instances
Case 6: Restrict access from ECS instances to external websites