Security Group Configuration Examples

When you create instances, such as cloud servers, containers, and databases, in a VPC subnet, you can use the default security group or create a security group. You can add inbound and outbound rules to the default or your security group to control traffic from and to the instances in the security group. Here are some common security group configuration examples:

Precautions

Note the following before configuring security group rules:

  • Instances associated with different security groups are isolated from each other by default.

  • Generally, a security group denies all external requests by default.

    You need to add inbound rules to allow specific traffic to the instances in the security group.

  • By default, outbound security group rules allow all requests from the instances in the security group to access external resources.

    If outbound rules are deleted, the instances in the security group cannot communicate with external resources. To allow outbound traffic, you need to add outbound rules by referring to Table 1.

    Table 1 Default outbound rules in a security group

    Direction

    Type

    Protocol & Port

    Destination

    Description

    Outbound

    IPv4

    All

    0.0.0.0/0

    Allows the instances in the security group to access any IPv4 address over any port.

    Outbound

    IPv6

    All

    ::/0

    Allows the instances in the security group to access any IPv6 address over any port.

Remotely Logging In to an ECS from a Local Server

A security group denies all external requests by default. To remotely log in to an ECS in a security group from a local server, add an inbound rule based on the OS running on the ECS.

  • To remotely log in to a Linux ECS using SSH, enable port 22. For details, see Table 2.

  • To remotely log in to a Windows ECS using RDP, enable port 3389. For details, see Table 3.

    Table 2 Remotely logging in to a Linux ECS using SSH

    Direction

    Type

    Protocol & Port

    Source

    Inbound

    IPv4

    TCP: 22

    IP address: 0.0.0.0/0

    Table 3 Remotely logging in to a Windows ECS using RDP

    Direction

    Type

    Protocol & Port

    Source

    Inbound

    IPv4

    TCP: 3389

    IP address: 0.0.0.0/0

    Important

    If the source is set to 0.0.0.0/0, any IP address can be used to remotely log in to the ECS. To ensure security, set the source to a specific IP address based on service requirements. For details about the configuration example, see Table 4.

    Table 4 Remotely logging in to an ECS using a specified IP address

    ECS Type

    Direction

    Type

    Protocol & Port

    Source

    Linux ECS

    Inbound

    IPv4

    TCP: 22

    IP address: 192.168.0.0/24

    Windows ECS

    Inbound

    IPv4

    TCP: 3389

    IP address: 10.10.0.0/24

Remotely Connecting to an ECS from a Local Server to Upload or Download FTP Files

By default, a security group denies all external requests. If you need to remotely connect to an ECS from a local server to upload or download files, you need to enable FTP ports 20 and 21.

Table 5 Remotely connecting to an ECS from a local server to upload or download files

Direction

Type

Protocol & Port

Source

Inbound

IPv4

TCP: 20-21

IP address: 0.0.0.0/0

Important

You must first install the FTP server program on the ECSs and check whether ports 20 and 21 are working properly.

Setting Up a Website on an ECS to Provide Services Externally

A security group denies all external requests by default. If you have set up a website on an ECS that can be accessed externally, you need to add an inbound rule to the ECS security group to allow access over specific ports, such as HTTP (80) and HTTPS (443).

Table 6 Setting up a website on an ECS to provide services externally

Direction

Type

Protocol & Port

Source

Inbound

IPv4

TCP: 80

IP address: 0.0.0.0/0

Inbound

IPv4

TCP: 443

IP address: 0.0.0.0/0

Using ping Command to Verify Network Connectivity

Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request. To ping an ECS from your PC to verify the network connectivity, you need to add an inbound rule to the security group of the ECS to allow ICMP traffic.

Table 7 Using ping command to verify network connectivity

Direction

Type

Protocol & Port

Source

Inbound

IPv4

ICMP: All

IP address: 0.0.0.0/0

Inbound

IPv6

ICMP: All

IP address: ::/0

Enabling Communications Between Instances in Different Security Groups

Instances in the same VPC but associated with different security groups cannot communicate with each other. If you want ECSs in security group sg-A to access MySQL databases in security group sg-B, you need to add an inbound rule to security group sg-B to allow access from ECSs in security group sg-A.

Table 8 Enabling communications between instances in different security groups

Direction

Type

Protocol & Port

Source

Inbound

IPv4

TCP: 3306

Security group: sg-A

Allowing External Instances to Access the Database Deployed on an ECS

A security group denies all external requests by default. If you have deployed a database on an ECS and want the database to be accessed from external instances on a private network, you need to add an inbound rule to the security group of the ECS to allow access over corresponding ports. Here are some common ports for databases:

  • MySQL: port 3306

  • Oracle: port 1521

  • MS SQL: port 1433

  • PostgreSQL: port 5432

  • Redis: port 6379

Table 9 Allowing external instances to access the database deployed on an ECS

Direction

Type

Protocol & Port

Source

Description

Inbound

IPv4

TCP: 3306

Security group: sg-A

Allows the ECSs in security group sg-A to access the MySQL database service.

Inbound

IPv4

TCP: 1521

Security group: sg-B

Allows the ECSs in security group sg-B to access the Oracle database service.

Inbound

IPv4

TCP: 1433

IP address: 172.16.3.21/32

Allows the ECS whose private IP address is 172.16.3.21 to access the MS SQL database service.

Inbound

IPv4

TCP: 5432

IP address: 192.168.0.0/24

This rule allows ECSs whose private IP addresses are in the 192.168.0.0/24 network to access the PostgreSQL database service.

Important

In this example, the source is for reference only. Set the source address based on your requirements.

Allowing ECSs to Access Specific External Websites

By default, a security group allows all outbound traffic. Table 11 lists the default rules. If you want to allow ECSs to access specific websites, configure the security group as follows:

  1. Add outbound rules to allow traffic over specific ports to specific IP addresses.

    Table 10 Allowing ECSs to access specific external websites

    Direction

    Type

    Protocol & Port

    Destination

    Description

    Outbound

    IPv4

    TCP: 80

    IP address: 132.15.XX.XX

    Allows ECSs in the security group to access the external website at http://132.15.XX.XX:80.

    Outbound

    IPv4

    TCP: 443

    IP address: 145.117.XX.XX

    Allows ECSs in the security group to access the external website at https://145.117.XX.XX:443.

  2. Delete the original outbound rules that allow all traffic.

    Table 11 Default outbound rules in a security group

    Direction

    Type

    Protocol & Port

    Destination

    Description

    Outbound

    IPv4

    All

    0.0.0.0/0

    Allows the instances in the security group to access any IPv4 address over any port.

    Outbound

    IPv6

    All

    ::/0

    Allows the instances in the security group to access any IPv6 address over any port.