
Security Group Overview

Security Group Basics

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

Your account automatically comes with a default security group. The default security group allows all outbound traffic, denies all inbound traffic, and allows all traffic between ECSs in the group. ECSs in the same security group can communicate with each other without any additional rules. You can use the default security group directly. For details, see Default Security Groups and Security Group Rules.

You can also create custom security groups to meet your specific service requirements. For details, see Creating a Security Group.

Security Group Rules

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the security group rules.

Each security group has default rules. For details, see Table 1. You can also customize security group rules. For details, see Adding a Security Group Rule.
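The following is an added illustration, not code from this page or from the cloud provider: a small Python model of the rule semantics described above (rules are per-direction allow rules, a remote can be a CIDR or a reference to a security group, and any traffic not matched by a rule is denied). The rule fields, group IDs and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of security-group evaluation (not a real cloud API).
# Allow-only rules per direction; no matching rule means the traffic is denied.

@dataclass(frozen=True)
class Rule:
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp", "icmp" or "any"
    port_min: int       # 0..65535; 0/65535 covers all ports
    port_max: int
    remote: str         # CIDR such as "0.0.0.0/0" or a security group id

@dataclass
class SecurityGroup:
    sg_id: str
    rules: list = field(default_factory=list)

def default_security_group(sg_id="sg-default"):
    """Default group as described on the page: all egress allowed, ingress
    allowed only from members of the group itself, everything else denied."""
    return SecurityGroup(sg_id, [
        Rule("egress", "any", 0, 65535, "0.0.0.0/0"),
        Rule("ingress", "any", 0, 65535, sg_id),   # intra-group traffic
    ])

def rule_matches(rule, direction, protocol, port, peer_ip, peer_groups):
    if rule.direction != direction or rule.protocol not in ("any", protocol):
        return False
    if not rule.port_min <= port <= rule.port_max:
        return False
    try:
        net = ipaddress.ip_network(rule.remote, strict=False)
    except ValueError:
        # Remote is a security group id: match if the peer NIC is in that group.
        return rule.remote in peer_groups
    return ipaddress.ip_address(peer_ip) in net

def is_allowed(groups, direction, protocol, port, peer_ip, peer_groups=()):
    """Evaluate every group attached to a NIC (an ECS may be in several);
    the flow is allowed if any rule of any attached group matches."""
    return any(rule_matches(r, direction, protocol, port, peer_ip, peer_groups)
               for sg in groups for r in sg.rules)
```

Attaching a custom group with an ingress rule for TCP port 80 from 0.0.0.0/0 alongside the default group opens only that port to the Internet, while SSH from outside the group still hits the implicit deny.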

Security Group Constraints

  • By default, you can create a maximum of 100 security groups in your cloud account.
  • By default, each security group can have a maximum of 50 security group rules.
  • By default, an ECS or an ECS extension NIC can be added to a maximum of five security groups.
  • When creating a private network load balancer, you need to select a desired security group. Either keep the default security group rules, or ensure that the following requirements are met:
    • Outbound rule: allows only data packets to the selected security group or only data packets from the peer load balancer.
    • Inbound rule: allows only data packets from the selected security group or only data packets from the peer load balancer.