Aliyun How to authorize security group rules

Source: Internet
Author: User
Tags: aliyun

Authorizing a security group rule allows or denies outbound (public network) or inbound access for the ECS instances associated with the security group. You can authorize and revoke security group rules at any time, and a changed rule is applied automatically to every ECS instance associated with that security group.

No security group rule can do the following: allow outbound access for an ECS instance while denying inbound access to the same instance.

If two security group rules are identical except for their authorization policy (one allows, one denies), the deny rule takes effect and the allow rule does not.

Operation Steps

Log on to the Cloud Server Management Console.

Click a security group in the left navigation.

Select a region.

Locate the security group for which you want to authorize the rule, and click Configure Rules.

Click Add Security Group rule.

In the dialog box that pops up, set the following parameters:

Network type: Public network | Intranet. If the security group belongs to a VPC (proprietary network), select Intranet.

Rule direction: Outbound | Inbound

Authorization Policy: Allow | Deny

Protocol Type: All | TCP | UDP | ICMP | GRE

Port range: 1~65535, written as start/end, for example 1/200, 80/80, 22/22, or -1/-1. Note: even a single port must be written as a range, such as 22/22; writing only 22 is rejected with the error "IP protocol parameter format is not correct."

Authorization Type: Address segment access | Security group access

Authorization object: If the authorization type is address segment access, enter an IP address or a CIDR block, for example 10.0.0.0, 0.0.0.0/0 or 192.168.0.0/24. Only IPv4 is supported. If the authorization type is security group access, select a security group from the list of security groups.

Priority: 1-100; the smaller the number, the higher the priority. For more information on priority, see the priority section later in this document.

Click OK. The rule is now authorized for this security group.
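The parameter constraints listed in the steps above (a port range must be written as start/end even for a single port, the authorization object must be an IPv4 address or CIDR block, priority is 1-100) are easy to get wrong when rules are created by script rather than in the dialog. The following Python is an added example and not Alibaba Cloud code: it validates a rule before submission, reproduces the console's port-format error message from the text, and flags the one combination a reviewer should always question (inbound allow from 0.0.0.0/0 on all ports). The dict keys, the function names and the treatment of -1/-1 as "all ports" are assumptions made for this illustration.

```python
import ipaddress
import re

# Added example, not Alibaba Cloud code: validates the parameters entered in the
# "Add Security Group rule" dialog before they are submitted. Field names and the
# dict layout are assumptions for illustration.
PORT_RANGE_RE = re.compile(r"^(-?\d+)/(-?\d+)$")
PROTOCOLS = {"all", "tcp", "udp", "icmp", "gre"}
DIRECTIONS = {"inbound", "outbound"}
POLICIES = {"allow", "deny"}


def parse_port_range(value: str) -> tuple:
    """Parse a 'start/end' port range. A single port must still be written as a
    range (22/22); '-1/-1' means all ports. A bare '22' is rejected with the same
    message the console shows."""
    match = PORT_RANGE_RE.match(value.strip())
    if not match:
        raise ValueError("IP protocol parameter format is not correct.")
    start, end = int(match.group(1)), int(match.group(2))
    if (start, end) == (-1, -1):
        return start, end
    if not 1 <= start <= end <= 65535:
        raise ValueError("port range must lie within 1~65535 with start <= end: %s" % value)
    return start, end


def parse_authorization_object(value: str) -> ipaddress.IPv4Network:
    """Accept a single IPv4 address (treated as /32) or an IPv4 CIDR block; IPv6 is rejected."""
    try:
        network = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError as exc:
        raise ValueError("authorization object must be an IP or CIDR: %s" % value) from exc
    if network.version != 4:
        raise ValueError("only IPv4 is supported")
    return network


def validate_rule(rule: dict) -> dict:
    """Normalise one rule dict (keys are assumptions) and reject invalid parameters."""
    direction = rule["direction"].lower()
    policy = rule["policy"].lower()
    protocol = rule["protocol"].lower()
    if direction not in DIRECTIONS:
        raise ValueError("unknown direction: %s" % rule["direction"])
    if policy not in POLICIES:
        raise ValueError("unknown policy: %s" % rule["policy"])
    if protocol not in PROTOCOLS:
        raise ValueError("unknown protocol: %s" % rule["protocol"])
    priority = int(rule["priority"])
    if not 1 <= priority <= 100:
        raise ValueError("priority must be 1-100")
    return {
        "direction": direction,
        "policy": policy,
        "protocol": protocol,
        "ports": parse_port_range(rule["port_range"]),
        "source": parse_authorization_object(rule["authorization_object"]),
        "priority": priority,
    }


def is_wide_open(rule: dict) -> bool:
    """True when a normalised rule allows inbound traffic from any IPv4 address on
    every port (-1/-1), the combination a reviewer should question before applying it."""
    return (
        rule["direction"] == "inbound"
        and rule["policy"] == "allow"
        and rule["source"] == ipaddress.ip_network("0.0.0.0/0")
        and rule["ports"] == (-1, -1)
    )


if __name__ == "__main__":
    # Constructed sample input mirroring the dialog fields.
    ssh_rule = validate_rule({
        "direction": "inbound", "policy": "allow", "protocol": "tcp",
        "port_range": "22/22", "authorization_object": "192.168.0.0/24", "priority": 1,
    })
    print(ssh_rule["ports"], ssh_rule["source"], is_wide_open(ssh_rule))
```

Run it as a script to see the normalised SSH rule; the validation functions can also be imported and applied to each rule in a change request before anyone clicks OK.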

ECS Security Group Rule Priority description

A security group created later has the higher priority. For example, if an instance is associated with two security groups A and B, A was created later than B, and A and B contain mutually exclusive rules with the same priority, the rule in A takes effect.

Security group priority is not, as commonly assumed, comparable only within one security group, because the policies of all security groups associated with an instance are eventually merged on that instance. Therefore, when rules in different security groups conflict, the rule with the higher priority takes effect.

Among authorization rules with the same priority, the rule whose authorization policy is drop takes precedence.

Examples:

Scenario 1:

Security group A, creation time 2015, rule 100: drop 80

Security group B, creation time 2014, rule 100: accept 80

Result: port 80 does not pass

Scenario 2:

Security group A, creation time 2015, rule 100: drop 80

Security group B, creation time 2014, rule 90: accept 80

Result: port 80 can pass

Scenario 3:

Security group A, creation time 2015, rule 90: drop 80

Security group B, creation time 2014, rule 100: accept 80

Result: port 80 does not pass
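The three scenarios are instances of one ordering: the rule with the smaller priority number wins; on equal priority, drop beats accept; and the creation time of the security group (later wins) only decides ties that remain. The following Python is an added example and not Alibaba Cloud code: it encodes that ordering as a sort key, merges the rules of several security groups the way the text describes for an instance, and reproduces the three results. The Rule type, the exact-port matching (real rules cover port ranges and protocols) and the choice to treat "no matching rule" as closed are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Added example, not Alibaba Cloud code. Models how rules from several security
# groups bound to one ECS instance are merged, using the ordering the text states:
# smaller priority number first; on equal priority, drop beats accept; the creation
# time of the security group (later wins) is used only as the final tie-break.
# Matching is simplified to an exact port (real rules cover ranges and protocols).


@dataclass(frozen=True)
class Rule:
    group: str          # security group name
    group_created: int  # creation year of the security group (as in the scenarios)
    priority: int       # 1..100, smaller number = higher priority
    policy: str         # "accept" or "drop"
    port: int


def precedence(rule: Rule) -> tuple:
    """Sort key: the rule with the lowest key decides the traffic."""
    policy_rank = 0 if rule.policy == "drop" else 1
    return (rule.priority, policy_rank, -rule.group_created)


def effective_rule(rules, port: int):
    """Return the rule that decides traffic to `port`, or None when no rule matches."""
    matching = [r for r in rules if r.port == port]
    if not matching:
        return None
    return min(matching, key=precedence)


def port_allowed(rules, port: int) -> bool:
    winner = effective_rule(rules, port)
    # Assumption for this example: with no matching rule the port is treated as closed.
    return winner is not None and winner.policy == "accept"


# Constructed input: the three scenarios from the text.
SCENARIOS = {
    1: [Rule("A", 2015, 100, "drop", 80), Rule("B", 2014, 100, "accept", 80)],
    2: [Rule("A", 2015, 100, "drop", 80), Rule("B", 2014, 90, "accept", 80)],
    3: [Rule("A", 2015, 90, "drop", 80), Rule("B", 2014, 100, "accept", 80)],
}


def evaluate_scenarios() -> dict:
    """Map scenario number to whether port 80 passes."""
    return {n: port_allowed(rules, 80) for n, rules in SCENARIOS.items()}


if __name__ == "__main__":
    for n, allowed in evaluate_scenarios().items():
        print("Scenario %d: port 80 %s" % (n, "can pass" if allowed else "does not pass"))
```

The useful habit this encodes is to evaluate the merged rule set of an instance, not a single security group in isolation: an accept rule that looks fine inside group B is overridden by a drop in group A with the same priority, and a lower-numbered accept elsewhere overrides a higher-numbered drop.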

Why a new rule may not take effect

If packets are sent immediately before and after a security group policy change, with a very short interval between them, the new rule is not applied to that traffic.

The solution is for the client to disconnect for a period of time and then reconnect.
