Note the following before configuring security group rules:
You need to add inbound rules to allow specific traffic to the instances in the security group.
Direction | Type | Protocol & Port | Destination | Description
---|---|---|---|---
Outbound | IPv4 | All | 0.0.0.0/0 | This rule allows the instances in the security group to access any IPv4 address over any port.
Outbound | IPv6 | All | ::/0 | This rule allows the instances in the security group to access any IPv6 address over any port.
A security group denies all external requests by default. To remotely log in to an ECS in a security group from a local server, add an inbound rule based on the OS running on the ECS.
Linux ECS (SSH over TCP port 22):

Direction | Type | Protocol & Port | Source
---|---|---|---
Inbound | IPv4 | TCP: 22 | IP address: 0.0.0.0/0

Windows ECS (RDP over TCP port 3389):

Direction | Type | Protocol & Port | Source
---|---|---|---
Inbound | IPv4 | TCP: 3389 | IP address: 0.0.0.0/0
If the source is set to 0.0.0.0/0, any IP address on the Internet can attempt to remotely log in to the ECS. To limit this exposure, set the source to the specific IP addresses that actually need access, based on service requirements. For details about the configuration example, see Table 4.
By default, a security group denies all external requests. If you need to remotely connect to an ECS from a local server to upload or download files, you need to enable FTP ports 20 and 21.
Direction | Type | Protocol & Port | Source
---|---|---|---
Inbound | IPv4 | TCP: 20-21 | IP address: 0.0.0.0/0
You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly.
A security group denies all external requests by default. If you have set up a website on an ECS that can be accessed externally, you need to add an inbound rule to the ECS security group to allow access over specific ports, such as HTTP (80) and HTTPS (443).
Direction | Type | Protocol & Port | Source
---|---|---|---
Inbound | IPv4 | TCP: 80 | IP address: 0.0.0.0/0
Inbound | IPv4 | TCP: 443 | IP address: 0.0.0.0/0
Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request. To ping an ECS from your PC to verify the network connectivity, you need to add an inbound rule to the security group of the ECS to allow ICMP traffic.
Direction | Type | Protocol & Port | Source
---|---|---|---
Inbound | IPv4 | ICMP: All | IP address: 0.0.0.0/0
Inbound | IPv6 | ICMP: All | IP address: ::/0
Instances in the same VPC but associated with different security groups cannot communicate with each other. If you want ECSs in security group sg-A to access MySQL databases in security group sg-B, you need to add an inbound rule to security group sg-B to allow access from ECSs in security group sg-A.
Direction | Type | Protocol & Port | Source
---|---|---|---
Inbound | IPv4 | TCP: 3306 | Security group: sg-A
Direction | Type | Protocol & Port | Source | Description
---|---|---|---|---
Inbound | IPv4 | TCP: 3306 | Security group: sg-A | This rule allows the ECSs in security group sg-A to access the MySQL database service.
Inbound | IPv4 | TCP: 1521 | Security group: sg-B | This rule allows the ECSs in security group sg-B to access the Oracle database service.
Inbound | IPv4 | TCP: 1433 | IP address: 172.16.3.21/32 | This rule allows the ECS whose private IP address is 172.16.3.21 to access the MS SQL database service.
Inbound | IPv4 | TCP: 5432 | IP address: 192.168.0.0/24 | This rule allows ECSs whose private IP addresses are in the 192.168.0.0/24 network to access the PostgreSQL database service.
In this example, the source is for reference only. Set the source address based on your requirements.
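The remote-login and database rules above share one review question: which inbound rules open a sensitive port to every address, and which addresses a given rule set actually admits. The following script is an added example, not code from the original page or from the cloud provider; it models a constructed rule set mirroring the tables above, and the port-to-service mapping is this example's own assumption.

```python
import ipaddress

# Remote-login and database ports from the tables above; the mapping is this example's assumption.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 1521: "Oracle",
                   1433: "MS SQL", 5432: "PostgreSQL"}

# Constructed rule set mirroring the tables above (not a live export).
RULES = [
    {"direction": "Inbound", "protocol": "TCP", "ports": "22", "source": "0.0.0.0/0"},
    {"direction": "Inbound", "protocol": "TCP", "ports": "3306", "source": "sg-A"},
    {"direction": "Inbound", "protocol": "TCP", "ports": "1433", "source": "172.16.3.21/32"},
    {"direction": "Inbound", "protocol": "TCP", "ports": "5432", "source": "192.168.0.0/24"},
]

def port_range(spec):
    """'22' -> (22, 22); '20-21' -> (20, 21); 'All' -> (1, 65535)."""
    if spec == "All":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def cidr(source):
    """Parse a CIDR source; None for security-group sources such as 'sg-A'."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None

def overexposed(rules):
    """Inbound rules that open a sensitive port to 0.0.0.0/0 or ::/0."""
    findings = []
    for r in rules:
        net = cidr(r["source"])
        if r["direction"] != "Inbound" or net is None or net.prefixlen != 0:
            continue
        lo, hi = port_range(r["ports"])
        findings += [(p, n) for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
    return findings

def allowed(rules, src_ip, port, protocol="TCP"):
    """Is an inbound packet from src_ip to port admitted? Only CIDR sources are
    evaluated; security-group sources need membership data the tables lack."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        net = cidr(r["source"])
        lo, hi = port_range(r["ports"])
        if (r["direction"] == "Inbound" and r["protocol"] in (protocol, "All")
                and lo <= port <= hi and net and ip.version == net.version and ip in net):
            return True
    return False  # default deny, as the text states
```

Running `overexposed(RULES)` flags only the SSH rule, and `allowed(RULES, "172.16.3.22", 1433)` is False because the /32 source admits exactly one host.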
By default, a security group allows all outbound traffic. Table 11 lists the default rules. If you want to allow ECSs to access specific websites, configure the security group as follows:
Direction | Type | Protocol & Port | Destination | Description
---|---|---|---|---
Outbound | IPv4 | TCP: 80 | IP address: 132.15.XX.XX | This rule allows ECSs in the security group to access the external website at http://132.15.XX.XX:80.
Outbound | IPv4 | TCP: 443 | IP address: 145.117.XX.XX | This rule allows ECSs in the security group to access the external website at https://145.117.XX.XX:443.
Direction | Type | Protocol & Port | Destination | Description
---|---|---|---|---
Outbound | IPv4 | All | 0.0.0.0/0 | This rule allows the instances in the security group to access any IPv4 address over any port.
Outbound | IPv6 | All | ::/0 | This rule allows the instances in the security group to access any IPv6 address over any port.