Help Center> Elastic Cloud Server> User Guide> Security> Security Groups> Overview
Updated on 2024-04-18 GMT+08:00
View PDF

Overview

Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and that are mutually trusted. After a security group is created, you can create various access rules for the security group, these rules will apply to all ECSs added to this security group.

You can also customize a security group or use the default one. The system provides a default security group for you, which permits all outbound traffic and denies inbound traffic. ECSs in a security group are accessible to each other. For details about the default security group, see Default Security Group and Rules.

If two ECSs are in the same security group but in different VPCs, the security group does not take effect. You can use a VPC peering connection to connect the two VPCs first. For details, see VPC Connectivity.

Security Group Rules

After a security group is created, you can add rules to the security group. A rule applies either to inbound traffic (ingress) or outbound traffic (egress). After ECSs are added to the security group, they are protected by the rules of that group.

Each security group has default rules. For details, see Default Security Group and Rules. You can also customize security group rules. For details, see Configuring Security Group Rules.

Security Group Constraints

  • For better network performance, you are advised to associate an instance with no more than five security groups.
  • A security group can have no more than 6,000 instances associated, or its performance will deteriorate.
  • For inbound security group rules, the sum of the rules with Source set to Security group, the rules with Source set to IP address group, and the rules with inconsecutive ports, cannot exceed 128. Outbound rules also have this restriction.
    • When Source is set to Security group, you can select the current security group or a different security group.
    • An example of inconsecutive ports is 22,25,27.
  • If you specify an IP address group or inconsecutive ports for a security group rule, the rule is only applied for certain ECSs. For details, see Table 1.
    Table 1 Scenarios that security group rules do not take effect

    Rule Configuration

    ECS Type

    Source or Destination is set to IP address group.
    The following x86 ECS types are not supported:
    • General computing (S1, C1, and C2 ECSs)
    • Memory-optimized (M1 ECSs)
    • High-performance computing (H1 ECSs)
    • Disk-intensive (D1 ECSs)
    • GPU-accelerated (G1 and G2 ECSs)
    • Large-memory (E1, E2, and ET2 ECSs)

    Port is set to non-consecutive ports.

    The following x86 ECS types are not supported:

    • General computing (S1, C1, and C2 ECSs)
    • Memory-optimized (M1 ECSs)
    • High-performance computing (H1 ECSs)
    • Disk-intensive (D1 ECSs)
    • GPU-accelerated (G1 and G2 ECSs)
    • Large-memory (E1, E2, and ET2 ECSs)

    All Kunpeng ECS flavors do not support inconsecutive ports.

    If you use inconsecutive port numbers in a security group rule of a Kunpeng ECS, this rule and rules configured after this one do not take effect.

    If you configure security group rule A with inconsecutive ports 22,24 and then configure security group rule B with port 9096, both rule A and rule B do not take effect.
Parent topic: Security Groups