A security group acts as a virtual firewall that provides stateful inspection and packet filtering. You can use security groups to define security domains in the cloud. By adding security group rules, you can control the inbound and outbound traffic of elastic container instances within a security group.
Security group overview
A security group is a logical group of instances within the same VPC that share the same security requirements. By adding security group rules, you can allow or deny access to the internet or private networks for the elastic container instances in the security group. You can also control access from the internet or a private network. For more information, see Overview of security groups.
- A single security group can manage multiple elastic container instances within the same VPC.
- An elastic container instance must belong to a security group.
Security groups come in two types: basic security group and advanced security group. If you require high scalability and operational efficiency, we recommend using an advanced security group. Compared to basic security groups, advanced security groups support a significantly larger number of instances and simplify rule configuration. For more information about the differences between the two types, see Basic security groups and advanced security groups.
Specify a security group
When you create an elastic container instance, you must assign it to a security group. For information about how to create a security group, see Create a security group.
You cannot change the security group of an elastic container instance after creation. To change the security group, you must recreate the elastic container instance.
API
When you call the CreateContainerGroup operation to create an elastic container instance, you can use the SecurityGroupId parameter to specify a security group. For more information, see CreateContainerGroup.
| Parameter | Type | Example | Description |
| --- | --- | --- | --- |
| SecurityGroupId | String | sg-uf66jeqopgqa9hdn**** | The ID of the security group to assign to the instance. |
Console
When you create an elastic container instance on the Elastic Container Instance buy page, you must select a security group.
In the Network and Security Group section, select a VPC and a VSwitch, and then click Re-select Security Group.
Add security group rules
You can add security group rules to control the inbound and outbound traffic of elastic container instances in a security group. For example:
- If an elastic container instance needs to communicate with networks outside its security group, you can add an allow rule to enable service interconnection.
- If you detect malicious attacks from specific sources while an instance is running, you can add a deny rule to implement network isolation.
To add security group rules, see Add a security group rule.
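The interaction between the allow rule and the deny rule described above, as an added example that is not part of the original documentation. It is a simplified model, not the service's implementation: field names follow the ECS security group rule parameters, and it assumes that a smaller Priority value wins, that a drop rule beats an accept rule of equal priority, and that unmatched inbound traffic is dropped. The rules and addresses are constructed.

```python
import ipaddress

# Constructed sample rules; field names follow the ECS security group rule
# parameters (IpProtocol, PortRange, SourceCidrIp, Policy, Priority).
ALLOW_WEB = {"IpProtocol": "tcp", "PortRange": "80/80",
             "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 10}
DENY_SOURCE = {"IpProtocol": "all", "PortRange": "-1/-1",
               "SourceCidrIp": "203.0.113.0/24", "Policy": "drop", "Priority": 1}
# Same deny rule, but at a lower priority (larger number) than the allow rule.
DENY_TOO_LATE = dict(DENY_SOURCE, Priority=50)


def _matches(rule, src_ip, protocol, port):
    """True if the rule covers this source address, protocol and port."""
    if rule["IpProtocol"].lower() not in ("all", protocol.lower()):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["SourceCidrIp"]):
        return False
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    return low == -1 or low <= port <= high  # -1/-1 means all ports


def inbound_decision(rules, src_ip, protocol, port, default="drop"):
    """Return 'accept' or 'drop' for one inbound connection attempt.

    Assumed model: the matching rule with the smallest Priority value wins,
    a drop rule beats an accept rule of equal priority, and traffic that
    matches no rule gets `default`.
    """
    hits = [r for r in rules if _matches(r, src_ip, protocol, port)]
    if not hits:
        return default
    best = min(hits, key=lambda r: (r["Priority"], r["Policy"].lower() != "drop"))
    return best["Policy"].lower()


if __name__ == "__main__":
    for name, rules in [("allow only", [ALLOW_WEB]),
                        ("allow + deny(1)", [ALLOW_WEB, DENY_SOURCE]),
                        ("allow + deny(50)", [ALLOW_WEB, DENY_TOO_LATE])]:
        print(name,
              inbound_decision(rules, "203.0.113.7", "tcp", 80),
              inbound_decision(rules, "198.51.100.9", "tcp", 80))
```

In this model, the deny rule isolates the source only when its priority is at least as high as that of the allow rule it has to override; the third rule set shows the deny rule being shadowed.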