Security groups are used to manage traffic to and from public and private networks. For the sake of security, most inbound traffic is denied by default. If you selected Open all ports or Open port 22, 80, 443, 3389 and ICMP protocol as the template when creating a security group, rules are automatically created and added to the security group to allow traffic on those ports. For details, refer to Security Groups.
This article describes how to add security group rules to allow or ban traffic to and from public or private networks.
- Security group rules support IPv4 and IPv6 rules.
- Open all ports allows both IPv4 and IPv6 traffic.
- You should have an existing security group. If you do not, refer to Create a Security Group for details.
- You should have a clear understanding of which traffic is allowed or banned for your CVM instance. For more information on security group rules and their use cases, refer to Security group use cases.
1. Log in to the CVM Console.
2. In the left sidebar, select Security Group. The Security Group page then appears.
3. On the Security Group page, select a region, and find the security group for which you want to set rules.
4. Locate the desired security group and click the corresponding Modify Rules button to go to the Security Group Rule page.
5. Click Inbound rules and choose one of the following methods to add rules.
   - Open all ports: this method is ideal if you do not need custom ICMP rules and all traffic goes through ports 20, 21, 22, 80, 443, and 3389 and the ICMP protocol.
   - Add a rule: this method is ideal if you need to use multiple protocols and ports other than those mentioned above.
   The following instructions use the second method, Add a rule, as an example.
6. Click Add a Rule to bring up the Add Inbound Rule window.
   Configure the following parameters:
   - Type: by default, Custom is selected. You can select other types such as Login Windows CVMs (3389), Login Linux CVMs (22), Ping, HTTP (80), HTTPS (443), MySQL (3306), and SQL Server (1433).
   - Source or Destination: traffic origin (inbound rules) or target (outbound rules). You can use one of the following to define Source or Destination:
   | Source or Destination | Description |
   |---|---|
   | IPv4 addresses or ranges | In CIDR format. `0.0.0.0/0` indicates all IPv4 addresses. |
   | IPv6 addresses or ranges | In CIDR format. `0::0/0` indicates all IPv6 addresses. |
   | ID of a referenced security group | You can reference the ID of the current security group (the CVMs associated with the current security group) or of another security group in the same region that belongs to the same project. |
   | IP address objects or IP group objects in a Parameter Template | - |
   - Protocol port: entered as protocol:port. You can also reference protocol/port or protocol/port groups in a Parameter Template.
   - Policy: Allow or Refuse. By default, Allow is selected.
     - Allow: traffic to this port is allowed.
     - Refuse: data packets are dropped without any response.
   - Remarks: a short description of the security group rule.
7. Click Complete to finish adding the rule.
8. To add an outbound rule, click Outbound rule and refer to Steps 5 to 7.
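The following Python script is an added example, not code from Tencent Cloud or this page. It models inbound rules with the fields described above (Source in CIDR form, protocol:port, Allow/Refuse policy, Remarks), shows how the console's preset-port template compares with a rule set that restricts the login ports, and includes a small check a reviewer can run over a rule set before applying it. Assumptions labelled in the code: rules are evaluated top to bottom with the first matching rule deciding (the page does not state the evaluation order), unmatched traffic is refused (the page's "denied by default"), and the address ranges `203.0.113.0/24`, `198.51.100.7` and `2001:db8::1` are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports behind the console's login/database preset types on this page:
# Login Linux CVMs (22), Login Windows CVMs (3389), MySQL (3306), SQL Server (1433)
ADMIN_PORTS = {22, 3389, 3306, 1433}


@dataclass(frozen=True)
class Rule:
    source: str           # Source CIDR, e.g. "0.0.0.0/0" (all IPv4) or "0::0/0" (all IPv6)
    protocol: str         # "TCP", "UDP", "ICMP" or "ALL"
    port: Optional[int]   # None = all ports (ICMP has no port)
    policy: str           # "Allow" or "Refuse"
    remarks: str = ""


def parse_protocol_port(text: str) -> Tuple[str, Optional[int]]:
    """Parse the console's protocol:port field, e.g. 'TCP:22', 'ICMP' or 'ALL'."""
    proto, _, port = text.partition(":")
    proto, port = proto.strip().upper(), port.strip().upper()
    if port in ("", "ALL"):
        return proto, None
    return proto, int(port)


def rule(source: str, protocol_port: str, policy: str, remarks: str = "") -> Rule:
    """Build a Rule from the values as they would be typed into the Add Inbound Rule window."""
    proto, port = parse_protocol_port(protocol_port)
    return Rule(source, proto, port, policy, remarks)


def matches(r: Rule, src_ip: str, protocol: str, port: Optional[int]) -> bool:
    """True if the flow (src_ip, protocol, port) falls under rule r.
    An IPv4 source CIDR never matches an IPv6 address and vice versa,
    which is why IPv6 traffic needs its own rule (see the notes on this page)."""
    net = ipaddress.ip_network(r.source, strict=False)
    addr = ipaddress.ip_address(src_ip)
    if addr.version != net.version or addr not in net:
        return False
    if r.protocol != "ALL" and r.protocol != protocol.upper():
        return False
    if r.port is not None and r.port != port:
        return False
    return True


def evaluate_inbound(rules: List[Rule], src_ip: str, protocol: str, port: Optional[int] = None) -> str:
    """ASSUMPTION: first matching rule decides; no match means Refuse (deny by default)."""
    for r in rules:
        if matches(r, src_ip, protocol, port):
            return r.policy
    return "Refuse"


def admin_ports_open_to_world(rules: List[Rule]) -> List[int]:
    """Review check: which login/database ports are allowed from any IPv4 or IPv6 address?
    A /0 prefix (0.0.0.0/0 or 0::0/0) means 'every address on the internet'."""
    exposed = set()
    for r in rules:
        if r.policy != "Allow" or r.port not in ADMIN_PORTS:
            continue
        if ipaddress.ip_network(r.source, strict=False).prefixlen == 0:
            exposed.add(r.port)
    return sorted(exposed)


# Constructed rule set mirroring the "Open port 22, 80, 443, 3389 and ICMP" template (IPv4 only).
TEMPLATE_RULES = [
    rule("0.0.0.0/0", "TCP:22", "Allow", "Login Linux CVMs"),
    rule("0.0.0.0/0", "TCP:80", "Allow", "HTTP"),
    rule("0.0.0.0/0", "TCP:443", "Allow", "HTTPS"),
    rule("0.0.0.0/0", "TCP:3389", "Allow", "Login Windows CVMs"),
    rule("0.0.0.0/0", "ICMP", "Allow", "Ping"),
]

# Constructed hardened rule set: SSH only from a sample office range, web open to IPv4 and IPv6.
HARDENED_RULES = [
    rule("203.0.113.0/24", "TCP:22", "Allow", "SSH from office range (constructed CIDR)"),
    rule("0.0.0.0/0", "TCP:22", "Refuse", "drop SSH from everywhere else"),
    rule("0.0.0.0/0", "TCP:80", "Allow", "HTTP"),
    rule("0.0.0.0/0", "TCP:443", "Allow", "HTTPS"),
    rule("0::0/0", "TCP:443", "Allow", "HTTPS over IPv6"),
]

if __name__ == "__main__":
    for name, rules in (("template", TEMPLATE_RULES), ("hardened", HARDENED_RULES)):
        print(name, "SSH from 198.51.100.7:", evaluate_inbound(rules, "198.51.100.7", "TCP", 22))
        print(name, "HTTPS from 2001:db8::1:", evaluate_inbound(rules, "2001:db8::1", "TCP", 443))
        print(name, "admin ports open to the world:", admin_ports_open_to_world(rules))
```

The `admin_ports_open_to_world` check is the one to run against any rule set before clicking Complete: a login port reachable from `0.0.0.0/0` or `0::0/0` is the setting most worth narrowing to a known source range, and the hardened set above shows how an explicit Refuse rule after the narrow Allow documents that intent rather than relying on the default deny.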