Skip to Content
Product IntroductionIntroduction to Security Group

Introduction to Security Groups

Overview of Security Groups

A security group is a stateful, packet-filtering virtual firewall capable of network access control between different VPCs and instances within the same VPC.

Current supported instances: cloud hosts, virtual network cards;

Description of initial rules of the security group

The instance within the security group limits the inbound traffic and allows all outbound traffic if the user enables the security group but does not configure any security group rules.

Execution order of security group rules

Matching is carried out according to the priority. First, match the priority between security groups, and then match the priority of rules within the security group (the smaller the number, the higher the priority):

Priority between groups: The priority between different security groups under the same instance. The smaller the value, the higher the priority. The values cannot be repeated, and the value range is from 1 to 5.

Rule priority: The priority between different rules within the same security group. The smaller the value, the higher the priority. The values cannot be repeated, and the value range is from 1 to 200.

Template of security group rules

A common WEB server template is provided by default: the instance inside the security group allows TCP ports 22, 3389, 80, 443 and ICMP protocol, allows all internal network segments, and allows all outbound traffic.

Operation process of a security group

The operation process of a security group is shown as below:

img

Security groups and internet firewalls can coexist

If the security group and the Internet firewall coexist, the traffic accessing the instances inside the security group from the Internet will be processed by the Internet firewall rules first, and the allowed traffic will be processed by the security group rules, finally reaching the instance inside the security group. Conversely, the traffic from the instance inside the security group to the Internet will be processed by the security group rules first. After being allowed, it will pass through the Internet firewall rules. All allowed traffic can access the Internet.

Usage limitations of the security group

1, Supported model types: Outstanding Cloud Host (Virtual Machine), Virtual Network Card

2, Usage limitations:

 1)A single instance can bind up to 5 security groups;

 2)A maximum of 50 inbound and outbound rules under one security group;

 3)A maximum of 100 instances can be bound under one security group;

 4)A single company ID can create up to 50 security groups.

Other usage notes of security groups

1, The security group can only bind instances under the same VPC;

2, Different network cards on the same cloud host are completely independent instances and can bind different security groups;

3, It is recommended that VIPs drift only between instances that are bound to the same security group;

4, For a cloud host that originally has an external network firewall configured, when changing the security rules to use a security group, the security group rules will only take effect after the host migration is completed. At this time, both the security group rules and the firewall rules will coexist on this cloud host;

5, The security group does not currently support IPv6.

Introduction to Network ACLIntroduction to Routing Table