Security Group Overview
Last updated: 2023-12-25 17:20:26
A security group is a virtual, stateful firewall that filters packets. As an important means of network security isolation, it sets network access controls for ECM, ELB, ENI, and other resources and controls their inbound and outbound traffic. You configure security group rules to allow or reject the inbound and outbound traffic of the instances in the security group.
The security group feature of ECM is logically isolated from the public security group feature in the central cloud. Central cloud products such as CVM cannot be associated with a security group in ECM, and ECM resources such as ECM module, ECM instance, and ELB cannot be directly associated with a public security group in the central cloud. If you have already created a public security group, you can import its data, and a security group data record for ECM will be automatically generated after the import.
Note:
Central cloud refers to various products in Tencent Cloud regions and AZs. For more information, see CVM Overview, Regions and AZs, and Security Group.

Security Group Features

Resources such as ECM instances, ELB instances, and ENIs with the same network security isolation requirements can be put into the same logical security group.
By default, instances in the same security group are not interconnected, unless you allow them by specifying rules.
A security group is stateful. A newly created security group with no rules rejects all traffic by default. Because it is stateful, the return traffic of an allowed inbound connection is automatically allowed outbound, and the return traffic of an allowed outbound connection is automatically allowed inbound.
You can modify security group rules at any time, and the new rules will take effect immediately.

Usage Limits

ECM security group usage limits and quotas are as detailed below:

Feature Description                                                                                Quantity
Maximum number of created security groups                                                          200
Maximum number of outbound (inbound) rules per security group                                      100
Maximum number of ECM instances associated with each security group                                2,000
Maximum number of ECM modules associated with each security group                                  100
Maximum number of security groups associated with each ECM resource (such as instance and ENI)     5
Maximum number of security groups associated with each ECM module                                  5
Maximum number of security group IDs that can be referenced by a security group                    10

Security Group Rules

Components

A security group rule consists of:
Source: the source IP address of the traffic (inbound) or its destination IP address (outbound).
Protocol Type and Protocol Port: the protocol type (such as TCP, UDP, or HTTP) and the port.
Policy: Allow or Reject.

Rule priorities

The rules in a security group are prioritized from top to bottom. The rule at the top of the list has the highest priority and takes effect first; the rule at the bottom has the lowest priority and takes effect last.
If two rules conflict, the rule with the higher priority prevails by default.
When traffic enters or leaves an instance bound to a security group, the rules are matched one by one from top to bottom. Once a packet matches a rule, that rule's policy applies and the lower rules are not evaluated for that packet.

Multiple security groups

An instance can be bound to one or more security groups. When it is bound to multiple security groups, the rules of those groups are matched sequentially from top to bottom in the order of the groups. You can adjust the priorities of the security groups at any time.
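The matching behaviour described under Components, Rule priorities, and Multiple security groups, as an added example that is not Tencent Cloud code: a small Python model in which rules are tried top to bottom across the bound groups, the first hit decides, an unmatched packet is rejected, and the reply to an admitted flow passes because the filter is stateful. The rule values and addresses are constructed for the example; the flow key is a simplification of a real connection table.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One security group rule: source CIDR, protocol type, port(s), policy."""
    source: str    # CIDR the peer address must fall in, e.g. "0.0.0.0/0"
    protocol: str  # "TCP", "UDP", "ICMP" or "ALL"
    port: str      # "22", "80,443" or "ALL" (ignored for ICMP)
    policy: str    # "ACCEPT" or "DROP"

    def matches(self, peer, proto, port):
        in_net = ipaddress.ip_address(peer) in ipaddress.ip_network(self.source, strict=False)
        proto_ok = self.protocol in ("ALL", proto)
        port_ok = self.port == "ALL" or proto == "ICMP" or str(port) in self.port.split(",")
        return in_net and proto_ok and port_ok


class StatefulFilter:
    """groups: the security groups bound to one instance, in priority order.
    Each group is {"inbound": [Rule, ...], "outbound": [Rule, ...]}."""

    def __init__(self, groups):
        self.groups = groups
        self.allowed_flows = set()  # (direction, peer, proto, port) admitted earlier

    def admit(self, direction, peer, proto, port):
        # Stateful: the reply to an already admitted flow passes without a rule lookup.
        reverse = "outbound" if direction == "inbound" else "inbound"
        if (reverse, peer, proto, port) in self.allowed_flows:
            return True
        # Rules are tried top to bottom, group by group; the first hit decides.
        for group in self.groups:
            for rule in group[direction]:
                if rule.matches(peer, proto, port):
                    if rule.policy == "ACCEPT":
                        self.allowed_flows.add((direction, peer, proto, port))
                    return rule.policy == "ACCEPT"
        return False  # no rule matched: reject by default


# Constructed rule set in the spirit of the "open major ports" template, with a
# narrower DROP placed above the broad ACCEPT to show that the top rule wins.
MAJOR_PORTS = {
    "inbound": [
        Rule("203.0.113.0/24", "TCP", "22", "DROP"),  # constructed: deny SSH from one range
        Rule("0.0.0.0/0", "TCP", "22,80,443,3389", "ACCEPT"),
        Rule("0.0.0.0/0", "ICMP", "ALL", "ACCEPT"),
    ],
    "outbound": [Rule("0.0.0.0/0", "ALL", "ALL", "ACCEPT")],
}
```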

Security Group Templates

When creating a security group, you can select one of the two security group templates provided by Tencent Cloud:
Open all ports: all inbound and outbound traffic will be allowed to pass.
Open major ports: TCP port 22 (Linux SSH login), ports 80 and 443 (web services), port 3389 (Windows remote login), the ICMP protocol (ping), and the private network will be open to the internet.

Directions

The following figure shows you how to use a security group:

