Configuring Security Group Rules

<p>You can allow or forbid ECS instances in a security group from accessing the Internet by configuring security group rules. This article describes how to configure security group rules.</p>
<p><strong>Prerequisites</strong></p>
<p>You have successfully created a security group. For more information, see Create Security Group.</p>
<p><strong>Procedures</strong></p>
<p>1. Log in to <a href="#https://yun.pingan.com/console/ecs/overview" target="_blank">ECS Console</a>.</p>
<p>2. In the left navigation pane, click <strong>Networks</strong> &gt; <strong>Security Group</strong> to enter the <strong>Security Group</strong> page.</p>
<p>3. Select the target region and click the name of the target security group.</p>
<p>4. On the <strong>Security Group Information</strong> tab, click <strong>Security Group Rules</strong>.</p>
<p>5. In the upper-right corner, click <strong>Create</strong> to enter the <strong>Create Security Group Rules</strong> page.</p>
<p>6. Configure security group rules as described in the following table.</p>
<table border="1" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="background-color:#ededed; vertical-align:top"> <p><strong>Configuration item</strong></p> </td>
<td style="background-color:#ededed; vertical-align:top"> <p><strong>Note</strong></p> </td>
</tr>
<tr>
<td style="vertical-align:top"> <p>Rules direction</p> </td>
<td style="vertical-align:top"> <p>The direction is OUT or IN.</p>
<ul>
<li>OUT means ECS instances in the instance list are authorized to access IP addresses. It refers to the direction from the VPC.</li>
<li>IN means IP addresses are authorized to access ECS instances in the instance list. It refers to the direction to the VPC.</li>
</ul>
</td>
</tr>
<tr>
<td style="vertical-align:top"> <p>Rule type</p> </td>
<td style="vertical-align:top"> <p>It is intranet by default.</p> </td>
</tr>
<tr>
<td style="vertical-align:top"> <p>Protocol type</p> </td>
<td style="vertical-align:top"> <p>There are four types available: All, TCP, UDP and ICMP.</p>
<p>All: Select it in cases of full trust.</p>
<ul>
<li>TCP: It is used to grant or deny access to ports. You need to fill in the port range and authorized IP addresses.</li>
<li>UDP: It is used to grant or deny access to ports. You need to fill in the port range and authorized IP addresses.</li>
<li>ICMP: It is used by ping to check communication between instances, and you only need to fill in authorized IP addresses.</li>
</ul>
</td>
</tr>
<tr>
<td style="vertical-align:top"> <p>Port range</p> </td>
<td style="vertical-align:top"> <p>The port range should not contain any characters other than commas (,) and dashes (-), e.g. 1-200,203,280-289.</p>
<p>For example, if you want to open ports 22 and 201-210, please fill in 22, 201-210.</p>
<p><strong>Note:</strong></p>
<p>For ECS instances running a Windows operating system, select <strong>TCP</strong> and open port <strong>3389</strong>. For ECS instances running a Linux operating system, select <strong>TCP</strong> and open port <strong>22</strong>.</p>
</td>
</tr>
<tr>
<td style="vertical-align:top"> <p>Authorize IP</p> </td>
<td style="vertical-align:top"> <p>An IP to be authorized must be an IPv4 address or be in subnet mask format, e.g. 192.168.99.0/24.</p> </td>
</tr>
<tr>
<td style="vertical-align:top"> <p>Description</p> </td>
<td style="vertical-align:top"> <p>Enter a maximum of 50 characters.</p> </td>
</tr>
</tbody>
</table>
<p>7. Click <strong>Confirm</strong>.</p>
<p><strong>Note</strong>: Existing security group rules cannot be changed. If you need to update a rule, you can only create a new one.</p>
<p><strong>Result</strong></p>
<p>Upon successful configuration, you will see an <strong>Operation succeeded</strong> message at the bottom of the <strong>Security Group Information</strong> page and you can view the rules just configured.</p>
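<p>Because rules cannot be edited after creation, it helps to check a rule before entering it. The following is an added example, not part of the original page or of the console's own code: it parses the port range and Authorize IP formats from the table above and reports inbound rules that expose ports 22 or 3389 to every address. The function names, the 1-65535 port bounds and the treatment of a /0 prefix as "any address" are assumptions.</p>

```python
import ipaddress
import re

ADMIN_PORTS = (22, 3389)  # SSH and RDP, the ports the table's note says to open
PROTOCOLS = ("All", "TCP", "UDP", "ICMP")

def parse_port_range(text):
    """Turn '1-200,203,280-289' into a sorted list of (low, high) tuples."""
    spans = []
    for item in text.split(","):
        # Assumption: a space after a comma is tolerated, as in "22, 201-210".
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip(), re.ASCII)
        if not m:
            raise ValueError(f"invalid port item: {item.strip()!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= low <= high <= 65535:  # assumed bounds, not from the page
            raise ValueError(f"port out of range: {item.strip()!r}")
        spans.append((low, high))
    return sorted(spans)

def check_rule(direction, protocol, ports, authorize_ip, description=""):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if direction not in ("IN", "OUT"):
        findings.append("direction must be IN or OUT")
    if protocol not in PROTOCOLS:
        findings.append("protocol must be All, TCP, UDP or ICMP")
    if len(description) > 50:
        findings.append("description exceeds 50 characters")
    try:
        net = ipaddress.IPv4Network(authorize_ip, strict=False)
    except ValueError:
        return findings + ["authorize IP is not an IPv4 address or CIDR block"]
    spans = []
    if protocol in ("TCP", "UDP"):  # ICMP and All take no port range
        try:
            spans = parse_port_range(ports)
        except ValueError as exc:
            return findings + [str(exc)]
    if direction == "IN" and net.prefixlen == 0:  # assumed meaning: any source
        if protocol == "All":
            findings.append("All protocols open inbound to any address")
        for port in ADMIN_PORTS:
            if protocol == "TCP" and any(lo <= port <= hi for lo, hi in spans):
                findings.append(f"admin port {port} open inbound to any address")
    return findings
```

<p>For example, <code>check_rule("IN", "TCP", "22", "192.168.99.0/24")</code> returns an empty list, while the same rule with a /0 source is reported.</p>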