Security groups

A security group is a virtual firewall that provides stateful inspection and packet filtering to create security domains in the cloud. You can configure security group rules to allow or deny access to the public network or private networks for the ECS instances in the security group.

Overview

A security group is a logical group of instances in the same region that share the same security requirements and have mutual trust. Each ECS instance must belong to at least one security group. You must specify a security group when you create an instance. Instances within the same security group can communicate with each other over the private network. By default, instances in different security groups cannot communicate with each other over the private network. However, you can grant access between two security groups.

For more information about security groups, see Security groups.

Import and add security groups

You can attach a security group to a workspace by adding or importing it. After you attach the security group, all resources in the security group automatically belong to the workspace.

Prerequisites

If you want to create a security group for a Virtual Private Cloud (VPC), make sure that you have an active VPC and virtual switch. For more information, see Create a VPC.

Import security groups

  1. Log on to the Resource Management console. In the navigation pane on the left, choose Compute and Network > Security Groups.

  2. Click Import.

  3. In the dialog box that appears, select the security groups to import and click OK.

    Note

    A security group can belong to only one workspace. The dialog box lists all security groups that belong to the current tenant. You cannot select or import security groups that are already associated with a workspace. For security groups in a VPC, you can import only security groups that were created in the same workspace.

Add a security group

  1. Log on to the Resource Management console. In the navigation pane on the left, choose Compute and Network > Security Groups.

  2. Click Add.

  3. In the Add Security Group dialog box, enter a Name and an optional Description, and then click OK.

Edit a security group

After you create a security group, you can edit its name and description.

Procedure

  1. Log on to the Resource Management console. In the navigation pane on the left, choose Compute and Network > Security Groups.

  2. Find the target security group and click Edit in the Actions column.

  3. The name and description of the security group become editable. After you make the changes, click Save.

Delete and remove security groups

If your business no longer requires one or more security groups, you can delete or remove them.

Prerequisites

The security group that you want to delete or remove must not contain any ECS instances. If the security group contains ECS instances, you must first remove the instances from the security group.

Delete a security group

  1. Log on to the Resource Management console. In the navigation pane on the left, choose Compute and Network > Security Groups.

  2. Find the security group to delete and click Delete in the Actions column. In the dialog box that appears, click OK.

    When you delete a security group, all the security group rules within it are also deleted.

Remove a security group

  1. Log on to the Resource Management console. In the navigation pane on the left, choose Compute and Network > Security Groups.

  2. Find the security group to remove and click Remove in the Actions column. In the dialog box that appears, click OK.

    A removed security group is not deleted. You can add it to the workspace again by importing it.

Add security group rules

You can add security group rules to allow or deny access to the public network or private networks for the ECS instances in a security group.

Prerequisites

A security group has been created.

Procedure

  1. Log on to the Resource Management console. In the navigation pane on the left, choose Compute and Network > Security Groups.

  2. Find the target security group and click Manage Rules in the Actions column.

  3. Click Add. In the dialog box that appears, configure the rule and click OK.

    • NIC Type: For security groups in a VPC, only the private network interface controller (NIC) is supported. For security groups in a classic network, you can set the NIC type to private or public.

    • Rule Direction:

      • Outbound: Refers to traffic from an ECS instance to other ECS instances on the private network or to resources on the public network.

      • Inbound: Refers to traffic from other ECS instances on the private network or from resources on the public network to an ECS instance.

    • Authorization Policy:

      • Allow: Accepts access requests for the specified port.

      • Deny: Drops the data packets without sending any response. If two security group rules are identical except for the authorization policy, the deny rule takes precedence over the allow rule.

    • Protocol Type: TCP, UDP, GRE, ICMP, or All. For more information about the relationship between the port range and protocol type, see Add a security group rule.

    • Port Range: -1/-1 indicates that all ports are allowed.

    • Authorization Type: Security Group Access or CIDR Block Access. For more information about the relationship between the authorization type and authorization object, see Add a security group rule.

    • Authorization Object: Supports formats such as 10.15.6.8/12 or 10.15.6.18. Separate multiple objects with commas (,). 0.0.0.0/0 represents all IP addresses. Use this value with caution.

    • Priority: The value ranges from 1 to 100. A smaller value indicates a higher priority.
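The rule semantics listed above (priority 1 to 100 with smaller winning, deny beating an otherwise-identical allow, -1/-1 for all ports, comma-separated CIDR objects) are easy to get wrong when reviewing a rule set by hand. The following is an added example, not code from the console or its documentation, that models those semantics in Python over a constructed rule set and flags inbound allow rules whose object is 0.0.0.0/0; treating "deny wins on equal priority" as a general tie-break, and returning no decision when nothing matches, are assumptions beyond what the page states.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    policy: str      # "allow" or "deny"
    protocol: str    # "TCP", "UDP", "GRE", "ICMP" or "All"
    port_range: str  # "start/end"; "-1/-1" means all ports
    objects: str     # comma-separated IPs or CIDR blocks, e.g. "10.15.6.8/12, 10.15.6.18"
    priority: int    # 1..100, smaller value = higher priority

def port_matches(port_range: str, port: int) -> bool:
    lo, hi = (int(x) for x in port_range.split("/"))
    return (lo, hi) == (-1, -1) or lo <= port <= hi

def object_matches(objects: str, ip: str) -> bool:
    # strict=False accepts a host address with a prefix (10.15.6.8/12) and
    # normalises it to its network (10.0.0.0/12), as the console form allows
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(o.strip(), strict=False)
               for o in objects.split(","))

def rule_matches(r: Rule, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
    return (r.direction == direction and r.protocol in ("All", protocol)
            and port_matches(r.port_range, port) and object_matches(r.objects, peer_ip))

def evaluate(rules, direction, protocol, port, peer_ip):
    """Return "allow", "deny" or None (no rule matched; the page states no default).
    Lowest priority number wins; on equal priority deny beats allow (assumed
    generalisation of the page's rule for otherwise-identical rules)."""
    hits = [r for r in rules if rule_matches(r, direction, protocol, port, peer_ip)]
    if not hits:
        return None
    return min(hits, key=lambda r: (r.priority, r.policy != "deny")).policy

def wide_open_inbound(rules):
    """Inbound allow rules whose authorization object is 0.0.0.0/0: flag these for review."""
    return [r for r in rules if r.direction == "inbound" and r.policy == "allow"
            and "0.0.0.0/0" in [o.strip() for o in r.objects.split(",")]]

# Constructed sample rule set, not taken from any real workspace
SAMPLE_RULES = [
    Rule("inbound", "allow", "TCP", "22/22", "10.15.6.8/12, 10.15.6.18", 1),
    Rule("inbound", "deny", "TCP", "22/22", "10.15.6.8/12, 10.15.6.18", 1),
    Rule("inbound", "allow", "TCP", "443/443", "10.0.0.0/8", 1),
    Rule("inbound", "deny", "TCP", "443/443", "0.0.0.0/0", 5),
    Rule("inbound", "allow", "TCP", "80/80", "0.0.0.0/0", 10),
    Rule("inbound", "allow", "All", "-1/-1", "192.168.1.0/24", 50),
]
```

Running `evaluate(SAMPLE_RULES, "inbound", "TCP", 22, "10.15.6.18")` returns "deny" because the two port-22 rules are identical apart from their policy, while port 443 from 10.1.2.3 is allowed because the priority-1 allow outranks the priority-5 deny.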

Delete security group rules

If you no longer need a security group rule, you can delete it.

Prerequisites

Procedure

  1. Log on to the Resource Management console. In the navigation pane on the left, choose Compute and Network > Security Groups.

  2. Find the target security group and click Manage Rules in the Actions column.

  3. Select the corresponding rule type, find the rule to delete, and click Delete in the Actions column. In the dialog box that appears, click OK.