Overview

Security Group

Security Group Rules

Constraints

• By default, you can add up to 50 security group rules to a security group.
• By default, you can associate no more than five security groups with each cloud server or extended network interface. In such a case, the rules of all the selected security groups are combined and applied together.
• A security group can have no more than 6,000 instances associated, or its performance will deteriorate.
• For inbound security group rules, the sum of the rules with Source set to Security group, of the rules with Source set to IP address group, and of the rules with inconsecutive ports, cannot exceed 120. If there are both IPv4 and IPv6 security group rules, up to 120 rules can be added for each type.

  The limits on outbound security group rules are the same as those on inbound rules.

  For example, to add inbound IPv4 rules to a security group (Sg-A), you can refer to Table 1 for rules that meet the restrictions. Of these rules, rule A02 uses inconsecutive ports (TCP: 22,25,27) and security group Sg-B as the source. In this case, only one quota is occupied.

  Table 1 Inbound security group rules

  Rule No.	Action	Type	Protocol & Port	Source
  Rule A01	Allow	IPv4	All	Current security group: Sg-A
  Rule A02	Allow	IPv4	TCP: 22,25,27	Another security group: Sg-B
  Rule A03	Allow	IPv4	TCP: 80-82	IP address group: ipGroup-A
  Rule A04	Allow	IPv4	TCP: 22-24,25	IP address: 192.168.0.0/16

• Traffic from load balancers is not restricted by Network ACL and security group rules if:

  Transfer Client IP Address is enabled for the listener of a load balancer.

  The load balancer can still forward traffic to backend servers, even if there is a rule that denies traffic from the load balancer to the backend servers.

Recommendations

• Instances in a security group deny all external access requests by default, but you can add rules to allow specific requests.
• When adding a security group rule, grant the minimum permissions possible. For example, if remote login to an ECS over port 22 is allowed, only allow specific IP addresses to log in to the ECS. Do not use 0.0.0.0/0 (all IP addresses).
• Keep your configurations simple. There should be a different reason for each security group. If you use the same security group for all your different instances, the rules in the security group will likely be redundant and complex. It will make it much harder to maintain and manage.
• You can add instances to different security groups based on their functions. For example, if you want to provide website services accessible from the Internet, you can add the web servers to a security group configured for that specific purpose and only allow external access over specific ports, such as 80 and 443. By default, other external access requests are denied. Do not run internal services, such as MySQL or Redis, on web servers that provide services accessible from the Internet. Deploy internal services on servers that do not need to connect to the Internet and associate these servers with security groups specifically configured for that purpose.
• Do not directly modify security group rules for active services. Before you modify security group rules used by a service, you can clone the security group and modify the security group rules in the test environment to ensure that the modified rules work. For details, see Cloning a Security Group.
• After you add instances to or modify rules of a security group, the security group rules are applied automatically. There is no need to restart the instances.

  If a security group rule does not take effect after being configured, see Why Are My Security Group Rules Not Working?

Helpful Links

• Default Security Groups and Rules
• Security Group Configuration Examples
• Configuring Security Group Rules
• Changing a Security Group
• Why Cannot My Windows ECS Access the Internet?
• Why Does My Linux ECS Fail to Access the Internet?