Adding Security Group Rule

Last updated: 2024-01-12 14:44:52

Scenario

Security groups determine whether to permit access requests from public or private networks. For security reasons, inbound traffic is denied by default in most cases. If you select the Open all ports or the Open ports 22, 80, 443, 3389, and protocol ICMP template when creating a security group, the system automatically adds security group rules for the communication ports covered by the selected template. For more information, see Overview.
This document describes how to add security group rules that allow or forbid the CVMs in a security group to access public or private networks.

Supports and Limits

Security group rules are divided into IPv4 and IPv6 security group rules.
Open all common ports applies to both IPv4 and IPv6 security group rules.

Preparations

You have already created a security group. For operation instructions, see Creating a Security Group.
You know what public or private network access requests should be permitted or rejected for your CVM instance. For more use cases of security group rule settings, see Use Cases of Security Groups.

Instructions

1. Log in to the security group console and go to the security group management page.
2. Select a region and locate the security group for which you want to set rules.
3. In the row of the security group, click Modify rule in the Operation column.
4. On the Security Group Rules page, click Inbound Rules and complete the operation in any of the following ways based on your actual needs.
Note
The following instructions use Add a Rule as an example.
Open all ports: this method is ideal if you do not need custom ICMP rules and all traffic goes through ports 20, 21, 22, 80, 443, and 3389 and the ICMP protocol.
Add a Rule: this method is ideal if you need to use multiple protocols and ports other than those mentioned above.
5. In the Add Inbound Rule window that appears, configure the rules.

The primary parameters for adding a rule are as follows:
Type: by default, Custom is selected. You can select other types such as Login Windows CVMs (3389), Login Linux CVMs (22), Ping, HTTP (80), HTTPS (443), MySQL (3306), and SQL Server (1433).
Source or Destination: the traffic origin (inbound rules) or target (outbound rules). You can define Source or Destination in one of the following ways:
IP Address or CIDR Block: Use CIDR notation to specify the address. IPv4 examples: 203.0.113.0, 203.0.113.0/24, or 0.0.0.0/0, where 0.0.0.0/0 represents all IPv4 addresses. IPv6 examples: FF05::B5, FF05:B5::/60, ::/0, or 0::0/0, where ::/0 or 0::0/0 represents all IPv6 addresses.
Parameter Template - IP Address: Refer to the IP address object in the parameter template.
Parameter Template - IP Address Group: Refer to the IP address group object in the parameter template.
Security Group: Reference a security group ID. You can reference the ID of either of the following security groups:
Current Security Group: the security group ID associated with the cloud server.
Other Security Group: another security group ID within the same project in the same region.
Note:
Referencing a security group ID is an advanced feature. The rules of the referenced security group are not added to the current security group.
If you enter a security group ID in Source or Destination when configuring a security group rule, only the private IP addresses of the CVM instances and ENIs bound to that security group are used as the source or destination; public IP addresses are excluded.

Note
The "/number" following an IP address represents the subnet mask, where number is the length of the network portion of the address in bits. For example, 192.168.0.0/24 represents an IP range: the "/24" mask indicates that the first 24 bits of 192.168.0.0 are network bits and the last 8 bits are host bits. Thus the 192.168.0.0/24 subnet covers the IP range 192.168.0.0 to 192.168.0.255.
Protocol:port: Enter the protocol type and port range. Supported protocol types include TCP, UDP, ICMP, ICMPv6, and GRE. You can reference the protocol ports or protocol port groups in a parameter template.
Policy: Allow or Reject. Allow is selected by default.
Allow: Allow access requests to the port.
Reject: Discard data packets directly without returning any response.
Remark: Briefly describe the rule to facilitate future management.
6. Click OK to finish adding the inbound rule.
7. On the security group rule page, click Outbound rules and add an outbound rule by referring to Step 4 to Step 6.
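To make the rule parameters above concrete, the following added example (not Tencent Cloud's own code or API) models inbound rules as Source CIDR, Protocol:port and Policy, evaluates a request against them, and flags Allow rules that expose the Login Linux CVMs (22) or Login Windows CVMs (3389) ports to every address. It assumes rules are matched top to bottom with the first match deciding, and that an unmatched inbound request is rejected; the rule set is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    source: str     # Source in CIDR notation, e.g. "203.0.113.0/24" or "::/0"
    protocol: str   # TCP, UDP, ICMP, ICMPv6 or GRE
    ports: str      # "22", "20-21" or "ALL"
    policy: str     # "Allow" or "Reject"

# Constructed sample rule set (not taken from the page)
SAMPLE_RULES = [
    Rule("203.0.113.0/24", "TCP", "22", "Allow"),
    Rule("0.0.0.0/0", "TCP", "80", "Allow"),
    Rule("0.0.0.0/0", "TCP", "3389", "Allow"),
    Rule("::/0", "ICMPv6", "ALL", "Allow"),
    Rule("192.168.0.0/24", "TCP", "20-21", "Reject"),
]

ADMIN_PORTS = {22: "Login Linux CVMs", 3389: "Login Windows CVMs"}

def port_matches(ports, port):
    """True if `port` falls inside a rule's port or port range ("ALL" matches any)."""
    if ports.upper() == "ALL":
        return True
    low, _, high = ports.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate_inbound(rules, src_ip, protocol, port=None):
    """Return the Policy of the first matching rule; assumed implicit Reject otherwise."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule.source, strict=False)
        if ip.version != net.version or ip not in net:   # IPv4 rules never match IPv6
            continue
        if rule.protocol.upper() != protocol.upper():
            continue
        if port is not None and not port_matches(rule.ports, port):
            continue
        return rule.policy
    return "Reject"  # assumption: default inbound behaviour is deny

def overexposed_admin_ports(rules):
    """List Allow rules whose /0 source exposes port 22 or 3389 to all addresses."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule.source, strict=False)
        if rule.policy != "Allow" or net.prefixlen != 0 or rule.protocol.upper() != "TCP":
            continue
        for port, name in ADMIN_PORTS.items():
            if port_matches(rule.ports, port):
                findings.append(f"{name} ({port}) open to {rule.source}")
    return findings
```

Running `overexposed_admin_ports(SAMPLE_RULES)` reports only the 3389 rule, since port 22 is restricted to 203.0.113.0/24.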