Security Groups

What is a security group?

Security groups are logically isolated groups of instances that are located within the same region and share the same security requirements while also being mutually accessible. They act as virtual firewalls that provide Stateful Packet Inspection (SPI), also known as dynamic packet filtering. In a security group, security group rules can be used to grant or limit the access of ECS instances to the Internet or local private networks.

Limits

Security groups have the following limits:

  • Each instance must belong to at least one security group. When you create an instance, you must specify the security group to which the instance will belong.
  • By default, instances in different security groups cannot communicate with each other. However, you can set security group rules to authorize mutual access between two security groups.
  • The maximum session timeout for a security group is 910s.

Create a security group

A security group is a virtual firewall for an ECS instance. This topic describes how to create a security group in the ECS console.

Background

An ECS instance must belong to one or more security groups. If no security group is created when you create an ECS instance, a default security group will be created. The default security group only has inbound rules configured for the ICMP protocol, SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443. For more information, see Security group overview. If you do not want the ECS instance to be added to the default security group, you can create a security group as described in this topic.

Prerequisites

If you want to create a VPC-type security group, confirm that a VPC and a VSwitch have been created. For more information, see Create a VPC and a VSwitch.

Procedure

1. Log on to the ECS console.

2. In the left-side navigation pane, choose Network & Security > Security Groups.

3. Click Create Security Group.

4. In the Create Security Group dialog box, configure the following parameters:

  • Template: If the instances in the security group are for Web server deployment, select a suitable template to simplify security group rule configuration. The templates and their scenarios are:
    • Web Server Linux: Inbound traffic to TCP port 80, TCP port 443, TCP port 22, and for the ICMP protocol is allowed by default. Scenario: a Web server must be deployed on the Linux instances in the security group.
    • Web Server Windows: By default, inbound traffic to TCP port 80, TCP port 443, TCP port 3389, and for the ICMP protocol is allowed. Scenario: a Web server must be deployed on the Windows instances in the security group.
    • Customize: After creating a security group, you need to add security group rules. Scenario: not for Web servers.
  • Security Group Name: specify a valid security group name.
  • Description: the description of the security group for later management.
  • Security Group Type:
    • Basic Security Group: suited to scenarios that require fine-grained network control, use multiple ECS instance types, and have moderate network connection requirements. For more information, see Security group overview.
    • Advanced Security Group: suited to scenarios with higher requirements for O&M efficiency, ECS instance specifications, and the number of computing nodes. For more information, see Advanced security group overview.
      Note: An ECS instance cannot be added to both a basic security group and an advanced security group.
  • Network Type:
    • To create a classic network-type security group, select Classic.
    • To create a VPC-type security group, select VPC and then a specific VPC.
      Note: You must select VPC for an advanced security group.
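To make the behaviour of the templates and the default-deny model concrete, the following added example (not part of this documentation or of any Alibaba Cloud tool) models the inbound rules listed above, evaluates whether a packet would be accepted, and flags the management ports (SSH 22, RDP 3389) that the templates open to the whole Internet so they can be narrowed to an administrative CIDR. It assumes the template rules accept traffic from any source (0.0.0.0/0); the IP addresses and CIDR used are constructed sample values.

```python
"""Model of the ECS security group templates described above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str                # "tcp", "udp" or "icmp"
    port_range: tuple            # (low, high); ignored for icmp
    source: str = "0.0.0.0/0"    # assumption: template rules accept any source


# Inbound rules of the templates exactly as the page lists them.
TEMPLATES = {
    "Web Server Linux": [Rule("tcp", (80, 80)), Rule("tcp", (443, 443)),
                         Rule("tcp", (22, 22)), Rule("icmp", (0, 0))],
    "Web Server Windows": [Rule("tcp", (80, 80)), Rule("tcp", (443, 443)),
                           Rule("tcp", (3389, 3389)), Rule("icmp", (0, 0))],
    "Customize": [],  # no rules until you add them yourself
}

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def inbound_allowed(rules, protocol, port, src_ip, same_group=False):
    """Accept if the sender is in the same security group (members are mutually
    accessible) or if an inbound rule matches; otherwise deny (default deny)."""
    if same_group:
        return True
    for r in rules:
        if r.protocol != protocol or ip_address(src_ip) not in ip_network(r.source):
            continue
        if protocol == "icmp" or r.port_range[0] <= port <= r.port_range[1]:
            return True
    return False


def exposed_admin_ports(rules):
    """Return (port, name) pairs for SSH/RDP rules reachable from 0.0.0.0/0."""
    found = []
    for r in rules:
        if r.protocol != "tcp" or ip_network(r.source).prefixlen != 0:
            continue
        found += [(p, n) for p, n in ADMIN_PORTS.items()
                  if r.port_range[0] <= p <= r.port_range[1]]
    return sorted(found)


def restrict_admin_sources(rules, admin_cidr):
    """Copy of rules where Internet-wide SSH/RDP rules accept only admin_cidr."""
    def covers_admin(r):
        return r.protocol == "tcp" and any(
            r.port_range[0] <= p <= r.port_range[1] for p in ADMIN_PORTS)
    return [Rule(r.protocol, r.port_range, admin_cidr)
            if covers_admin(r) and ip_network(r.source).prefixlen == 0 else r
            for r in rules]
```

Run `exposed_admin_ports` against a group created from a template to see which management ports a review should narrow, then `restrict_admin_sources` to produce the tightened rule set.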