Creating a Security Group

Scenarios

A security group is a collection of access control rules to control the traffic that is allowed to reach and leave the cloud resources that it is associated with. The cloud resources can be cloud servers, containers, databases, and more. Cloud resources associated with the same security group have the same security requirements and are mutually trusted within a VPC. A security group consists of inbound and outbound rules.

If your instances have different Internet access requirements, you can allocate them to different security groups when creating them.

Each ECS must be associated with at least one security group. If you do not have a security group when creating an ECS, the system provides a default security group.

Security Group Templates

The system provides several security group templates for you to create a security group. A security group template has preconfigured inbound and outbound rules. You can select a template based on your service requirements. Table 1 describes the security group templates.

Table 1 Security group templates

Template

Direction

Protocol/Port/Type

Source/Destination

Description

Application Scenario

General-purpose web server

Inbound

TCP: 22 (IPv4)

0.0.0.0/0

Allows all IPv4 addresses to access ECSs in the security group over port 22 (SSH) for remotely logging in to Linux ECSs.

  • Remotely log in to ECSs.

  • Use the ping command to test ECS connectivity.

  • ECSs functioning as web servers provide website access services.

TCP: 3389 (IPv4)

0.0.0.0/0

Allows all IPv4 addresses to access ECSs in the security group over port 3389 (RDP) for remotely logging in to Windows ECSs.

TCP: 80 (IPv4)

0.0.0.0/0

Allows all IPv4 addresses to access ECSs in the security group over port 80 (HTTP) for visiting websites.

TCP: 443 (IPv4)

0.0.0.0/0

Allows all IPv4 addresses to access ECSs in the security group over port 443 (HTTPS) for visiting websites.

ICMP: All (IPv4)

0.0.0.0/0

Allows all IPv4 addresses to access ECSs in the security group over any port for using the ping command to test ECS connectivity.

All (IPv4)

All (IPv6)

sg-xxx

Allows ECSs in the security group to communicate with each other.

Outbound

All (IPv4)

All (IPv6)

0.0.0.0/0

Allows access from ECSs in the security group to any IP address over any port.

All ports open

Inbound

All (IPv4)

All (IPv6)

sg-xxx

Allows ECSs in the security group to communicate with each other.

Opening all ECS ports in a security group poses security risks.

All (IPv4)

All (IPv6)

0.0.0.0/0

Allows all IP addresses to access ECSs in the security group over any port.

Outbound

All (IPv4)

All (IPv6)

0.0.0.0/0

Allows access from ECSs in the security group to any IP address over any port.

Fast-add rule

Inbound

All (IPv4)

All (IPv6)

sg-xxx

Allows ECSs in the security group to communicate with each other.

You can select protocols and ports that the inbound rule will apply to.

If you do not select any protocols and ports, no protocols and ports will be opened. After the security group is created, add required rules by referring to Adding a Security Group Rule.

Custom port and protocol

0.0.0.0/0

Allows all IP addresses to access ECSs in a security group over specified ports (TCP or ICMP) for different purposes.

Outbound

All (IPv4)

All (IPv6)

0.0.0.0/0

::/0

Allows access from ECSs in the security group to any IP address over any port.

Notes and Constraints

If you have not created any security groups yet, the system automatically creates a default security group for you and associates it with the instance (such as an ECS) when you create it.

The default security group name is default. For details, see Default Security Group and Its Rules.

Procedure

  1. Log in to the management console.

  2. Click image1 in the upper left corner and select the desired region and project.

  3. Click image2 in the upper left corner and choose Network > Virtual Private Cloud.

    The Virtual Private Cloud page is displayed.

  4. In the navigation pane on the left, choose Access Control > Security Groups.

    The security group list is displayed.

  5. In the upper right corner, click Create Security Group.

    The Create Security Group page is displayed.

  6. Configure the parameters as prompted.

    **Figure 1** Create Security Group

    Figure 1 Create Security Group

    Table 2 Parameter description

    Parameter

    Description

    Example Value

    Name

    Mandatory

    Enter the security group name.

    The security group name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.

    Note

    You can change the security group name after a security group is created. It is recommended that you give each security group a different name.

    sg-AB

    Enterprise Project

    Mandatory

    When creating a security group, you can add the security group to an enabled enterprise project.

    An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is default.

    default

    Template

    Mandatory

    The system provides several security group templates for you to create a security group. A security group template has preconfigured inbound and outbound rules. You can select a template based on your service requirements.

    Table 1 describes the security group templates.

    General-purpose web server

    Description

    Optional

    Supplementary information about the security group. This parameter is optional.

    The security group description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    N/A

  7. Confirm the inbound and outbound rules of the template and click OK.