Adding a Security Group Rule

Last updated: 2020-04-02 16:59:04


Operation Scenario

Security groups determine whether access requests from the Internet or from private networks are permitted. For security reasons, inbound access is denied by default in most cases. If you select the "Open all ports to the Internet" or "Open ports 22, 80, 443, and 3389 and the ICMP protocol to the Internet" template when creating a security group, the system automatically adds security group rules for the communication ports covered by the selected template.

This document describes how to add security group rules to allow or forbid CVMs in a security group to access the Internet or VPC instances.

Notes

  • Security group rules are divided into IPv4 and IPv6 security group rules.
  • The "Open all ports" mode applies to both IPv4 and IPv6 security group rules.

Prerequisites

  • You have created a security group.
  • You know what Internet or private network access requests need to be permitted or rejected for your CVM instance. For more use cases of security group rule settings, see Security Group Use Cases.

Steps

  1. Log in to the CVM console.
  2. In the left sidebar, click Security Group to enter the security group management page.
  3. On the security group management page, choose Region, and locate the row of the security group for which you want to set rules.
  4. In the operation column, click Modify Rules.
  5. On the security group rule page, click Inbound rules, and select one of the following modes based on your actual needs to complete the operation.

    The following operation examples use mode 2 (adding rules).

    • Mode 1 (open all ports): applicable to scenarios in which no ICMP protocol rules need to be set and operations can be performed over ports 22, 3389, 80, 443, 20, and 21, as well as the ICMP protocol.
    • Mode 2 (adding rules): applicable to scenarios in which multiple communication protocols, such as ICMP, need to be set.
  6. In the Add Inbound Rules window that appears, set rules.
    The main parameters required for adding a rule are as follows:
    • Type: the default value is "Custom". You can also select another system rule template, such as "Windows login", "Linux login", "Ping", "HTTP (80)", or "HTTPS (443)".
    • Source/Destination: the source (inbound rules) or destination (outbound rules) of traffic. Choose one of the following options:
      • An IPv4 address or IPv4 address range: specify it in CIDR notation (for example, 203.0.113.0, 203.0.113.0/24, or 0.0.0.0/0, where 0.0.0.0/0 matches all IPv4 addresses).
      • An IPv6 address or IPv6 address range: specify it in CIDR notation (for example, FF05::B5, FF05:B5::/60, ::/0, or 0::0/0, where ::/0 or 0::0/0 matches all IPv6 addresses).
      • A security group ID: you can import one of the following:
        • The current security group, which refers to the CVMs associated with this security group.
        • Another security group, which refers to the ID of another security group under the same project in the same region.
      • An IP address object or IP address group object imported from the parameter template.
    • Protocol port: enter the protocol type and port range, or import a protocol port or protocol port group in the parameter template.
    • Policy: the default value is "Permit".
      • Permit: permit access requests over the port.
      • Reject: discard data packets directly without returning any response.
    • Remarks: briefly describe the rule to facilitate future management.
  7. Click Finish. Inbound rules are added to the security group.
  8. On the security group rule page, click Outbound Rules, and add outbound rules to the security group by referring to Step 5 to Step 7.
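The following is an added example, not Tencent Cloud code: it models the rule parameters described above (CIDR source, protocol, port range, Permit/Reject policy) and evaluates sample inbound requests against the two templates named on this page plus a custom rule set. It assumes first-match evaluation and an implicit default deny for inbound traffic; the console's actual matching order is not stated on this page.

```python
# Added example (not Tencent Cloud code): a small model of the inbound rule
# parameters this page describes. Assumes first-match evaluation and an
# implicit default deny; the console's own matching logic is not on the page.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    source: str                       # CIDR source, e.g. 203.0.113.0/24, 0.0.0.0/0, ::/0
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]  # inclusive port range; None means all ports
    policy: str                       # "permit" or "reject"
    remarks: str = ""

    def matches(self, src_ip: str, protocol: str, port: Optional[int]) -> bool:
        net = ipaddress.ip_network(self.source, strict=False)
        ip = ipaddress.ip_address(src_ip)
        if ip.version != net.version or ip not in net:
            return False              # an IPv4 rule never matches an IPv6 source, and vice versa
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.ports is not None and protocol in ("tcp", "udp"):
            return port is not None and self.ports[0] <= port <= self.ports[1]
        return True

def evaluate(rules: List[Rule], src_ip: str, protocol: str, port: Optional[int] = None) -> str:
    """Return the policy of the first matching rule, or 'reject' when none matches."""
    for rule in rules:
        if rule.matches(src_ip, protocol, port):
            return rule.policy
    return "reject"                   # default deny in the inbound direction

# Constructed rule sets mirroring the two templates named on this page.
OPEN_ALL_PORTS = [Rule("0.0.0.0/0", "all", None, "permit", "open all IPv4"),
                  Rule("::/0", "all", None, "permit", "open all IPv6")]
COMMON_PORTS = [Rule("0.0.0.0/0", "tcp", (p, p), "permit", name)
                for p, name in ((22, "Linux login"), (80, "HTTP (80)"),
                                (443, "HTTPS (443)"), (3389, "Windows login"))]
COMMON_PORTS.append(Rule("0.0.0.0/0", "icmp", None, "permit", "Ping"))

# Constructed custom set: reject one range first, then permit SSH from everywhere else.
CUSTOM = [Rule("203.0.113.0/24", "tcp", (22, 22), "reject", "blocked range"),
          Rule("0.0.0.0/0", "tcp", (22, 22), "permit", "SSH from anywhere")]

if __name__ == "__main__":
    for rules, name in ((OPEN_ALL_PORTS, "open all"), (COMMON_PORTS, "common ports")):
        print(name, "tcp/3306 from 198.51.100.7 ->", evaluate(rules, "198.51.100.7", "tcp", 3306))
```

Comparing the two template sets against the same request shows what "Open all ports" exposes beyond the narrower template (for example, a database port that the common-ports template leaves closed).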