If the AI gateway and your backend service nodes use different security groups, add a security group rule to grant the gateway access to the service.
Background
A security group acts as a virtual firewall that controls inbound and outbound traffic for ECS instances and elastic network interfaces (ENIs), which improves the security of your instances. A security group is stateful and provides packet filtering. You can use security groups and their rules to define security domains in the cloud. For more information, see Security group overview.
When you purchase an AI gateway, you must select a VPC and a security group type. We recommend that you select the same type as the security group used by your backend service. The AI gateway then creates a managed security group to manage its instance nodes. Because the AI gateway and the backend service nodes are in different security groups, you must add a rule to the backend service's security group that allows access from the gateway on the required port range.
The preceding figure shows how an AI gateway provides network access control and traffic distribution for different services. The connections are as follows:
- A client on the left connects to the internal network through the AI gateway.
- The AI gateway routes traffic to service-sg1 and service-sg2 based on its configuration.
- The Pods in service-sg1 handle requests on port 8080.
- The ECS instance in service-sg2 handles requests on the port range 80–9000.
Step 1: Find the security group
You typically deploy upstream services for an AI gateway in an ACK cluster or on an ECS instance. Follow these instructions to find the security group ID.
ACK
- Log on to the ACK console. In the left navigation pane, click Clusters.
- On the Clusters page, click the name of your cluster. In the left navigation pane, click .
- On the Node Pools page, click the target node, and then click the Basic Information tab to find the security group ID.
ECS
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- On the Instances page, click the ECS instance where your target service is deployed, and then click the Security Groups tab to find the security group ID.
Step 2: Add a security group rule
- Log on to the AI Gateway console.
- In the navigation pane on the left, choose Instance. In the top menu bar, select a region.
- On the Instance page, click the target instance ID.
- In the navigation pane on the left, choose Overview, then click the Security Group Authorizations tab.
- In the Security Group ID text box, paste the security group ID that you found in Step 1 and select the matching security group.
- After you select the security group, confirm that the Protocol Type is TCP. In the Port Range box, enter a port range and press Enter. Add a Description if needed, and then click Save.
  The Port Range must be in the start_port/end_port format. You can enter multiple port ranges. Press Enter after you enter each range to add it. For example, 1/65535 represents all ports, and 8080/8080 represents the single port 8080.
- Click Save.
The AI gateway creates the corresponding rules.
On the Security Group Authorization tab of the gateway, you can see the generated security group rules. In this example, two TCP rules are created for the port ranges 1/65535 (all ports) and 8080/8080. The same rules are also added to the security group of the target node.
For these rules, the authorization policy is Allow, the priority is 1, the protocol type is Custom TCP, the port ranges are 8080/8080 and 1/65535, and the authorization object is the AI gateway's security group.
Delete security group authorization rules
- Log on to the AI Gateway console.
- In the left-side navigation pane, click . In the top navigation bar, select a region.
- On the Instance page, click the target instance ID.
- In the navigation pane on the left, choose Overview, then click the Security Group Authorizations tab.
- On the Security Group Authorization tab, find the rule you want to remove. In the Actions column, click Delete, and then click OK.
  By default, this action deletes the rule from the AI gateway's security group only. To also remove the corresponding rule from the target node's security group, select the "The preceding inbound rules in the security group are also deleted." checkbox.
FAQ
Service inaccessibility after adding a rule
You can perform the following checks:
- Verify that you added the rule to the correct security group for the node where your target service is deployed.
  For example, your service might be deployed on Node A, but you granted authorization to the security group for Node B.
- Check whether the target node belongs to multiple security groups.
  If it does, we recommend that you grant authorization to each security group.
Previously working access now fails
You can perform the following checks:
- First, confirm that your service itself is running correctly.
  You can run the curl command from another node within the same security group to test service connectivity.
- Verify whether the port exposed by your service has changed.
  For example, if a service previously used port 8080 and its security group rule only allowed access on that specific port, the connection will fail if the service port changes to 8081. In this case, you must update the rule. To avoid this issue, consider authorizing a wider port range, such as 1/65535, when you configure the rule.
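The following is an added example, not code from the AI Gateway documentation or product. It parses the start_port/end_port format described in Step 2 and checks whether a backend service's ports are still covered by the granted rules, which is the "port changed from 8080 to 8081" failure the FAQ describes; the function and class names are assumptions.

```python
# Added example (not part of the AI Gateway documentation or product code):
# parses the gateway's "start_port/end_port" port-range format and checks
# whether a backend service port is covered by the TCP rules granted to the
# gateway's security group, the failure mode described in the FAQ.

import re
from dataclasses import dataclass

PORT_RANGE_RE = re.compile(r"^(\d{1,5})/(\d{1,5})$")


@dataclass(frozen=True)
class PortRange:
    start: int
    end: int

    def covers(self, port: int) -> bool:
        return self.start <= port <= self.end


def parse_port_range(text: str) -> PortRange:
    """Parse 'start_port/end_port' as entered in the Port Range box.

    Accepts e.g. '1/65535' (all ports) or '8080/8080' (a single port) and
    rejects anything else, so a typo does not silently become a rule.
    """
    m = PORT_RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"port range {text!r} is not in start_port/end_port format")
    start, end = int(m.group(1)), int(m.group(2))
    if not (1 <= start <= 65535 and 1 <= end <= 65535):
        raise ValueError(f"port range {text!r} must stay within 1-65535")
    if start > end:
        raise ValueError(f"port range {text!r} has start_port greater than end_port")
    return PortRange(start, end)


def uncovered_ports(rule_texts: list[str], service_ports: list[int]) -> list[int]:
    """Return the service ports that none of the granted port ranges allow.

    A rule for 8080/8080 stops matching once the service moves to 8081,
    while 1/65535 keeps covering it.
    """
    ranges = [parse_port_range(t) for t in rule_texts]
    return [p for p in service_ports if not any(r.covers(p) for r in ranges)]


if __name__ == "__main__":
    # Constructed sample: the walkthrough's rules vs. a service that moved to 8081.
    print(uncovered_ports(["8080/8080"], [8080, 8081]))            # [8081]
    print(uncovered_ports(["8080/8080", "1/65535"], [8080, 8081]))  # []
```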