Elastic Cloud Server (ECS) is a cloud server provided by eSurfing Cloud. A security group is a virtual firewall used to set up network access control for cloud server instances; it usually acts as a trustlist (allowlist) of permitted traffic. The following are some best practices for ECS security groups:
Open Principle
· Deny all traffic by default: It is good security practice to create a new security group whose rules deny all inbound and outbound traffic by default.
· Only open necessary ports and protocols, and avoid the 0.0.0.0/0 rule: Open only the ports and protocols the application requires, such as HTTP (port 80) and HTTPS (port 443). Avoid opening unnecessary ports to reduce the attack surface.
Grouping Principle
· Group based on application requirements: You can group security group rules according to the requirements of applications or services. For example, put the rules for web servers in one web security group and the rules for database servers in another database security group. This allows better management and organization of security group rules, so that different access rules and permissions can be applied to each group.
· Avoid over-complication: Avoid creating too many security groups, as this complicates management and maintenance. Divide security groups sensibly according to the actual situation so that they stay simple and easy to manage.
Authorization Principle
· Follow the principle of least privilege: When authorizing a security group, grant only the access the instance requires. Open only the necessary ports and IP address ranges to avoid excessive authorization and reduce potential security risk.
· Restrict the access source: According to actual needs, restrict access to specific source IP addresses or IP segments. Allowing only specific IP addresses or segments to reach the cloud server improves security.
Security Principle
· Regularly review and update security group rules: Review security group rules regularly to ensure that only necessary ports and IP addresses are allowed access. If a rule is no longer needed or poses a security risk, update or delete it promptly.
· Enable logging and monitoring: Enable the security group's logging function to audit and monitor network traffic, so that potential security problems are identified in time and appropriate measures can be taken.
· Use in combination with a network ACL: Combined with an Access Control List (ACL), traffic can be controlled at a more granular network level, providing an additional layer of security.
Change security group rules
Users can refer to Configuring Security Group Rules to configure security group rules. Be aware that changing security group rules may affect network communication between user instances. Usually, the necessary instances are allowed through first, and the tightening changes to the security group policy are implemented afterwards, so that the necessary network communication is preserved.
· Add the instances that require mutual access to a newly created security group, and then implement the changes.
· If the authorization type is security group access, add the security group ID bound to the peer instance that requires mutual access as the authorization object.
· If the authorization type is address segment access, add the intranet IP of the peer instance that requires mutual access as the authorization object.
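As an added example (not eSurfing Cloud's own tooling or API), the following Python models inbound rules whose authorization object is either an address segment or a peer security group ID, as in the change procedure above, and reviews them against the principles listed earlier: nothing but HTTP/HTTPS exposed to 0.0.0.0/0, and no all-protocol rules from an address segment. The rule format, the group names and the sample web/database rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Ports the page names as typically necessary for public exposure (HTTP, HTTPS).
PUBLIC_OK_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    source: str      # address segment ("203.0.113.0/24") or peer security group ID ("sg-web")


def source_kind(source: str) -> str:
    """Classify the authorization object: "any" (prefix length 0), "cidr" or "security_group"."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:          # not an address segment, so treat it as a security group ID
        return "security_group"
    return "any" if net.prefixlen == 0 else "cidr"


def review_rules(group_id: str, rules: list[Rule]) -> list[str]:
    """Return one finding per inbound rule that violates the best practices above."""
    findings = []
    for r in rules:
        if r.direction != "inbound":
            continue
        kind = source_kind(r.source)
        span = f"{r.protocol} {r.port_from}-{r.port_to}"
        if kind == "any":
            # 0.0.0.0/0 (or ::/0) is acceptable only for the necessary public web ports.
            only_web = all(p in PUBLIC_OK_PORTS for p in range(r.port_from, r.port_to + 1))
            if r.protocol == "all" or not only_web:
                findings.append(f"{group_id}: {span} open to the whole internet ({r.source})")
        elif kind == "cidr" and r.protocol == "all":
            findings.append(f"{group_id}: all protocols and ports open to {r.source}")
    return findings


# Constructed sample groups: a web tier and a database tier, before and after tightening.
WEB_SG = [
    Rule("inbound", "tcp", 80, 80, "0.0.0.0/0"),     # necessary: HTTP
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),   # necessary: HTTPS
    Rule("inbound", "tcp", 22, 22, "0.0.0.0/0"),     # violation: management port to the world
    Rule("outbound", "all", 1, 65535, "0.0.0.0/0"),
]
DB_SG_BEFORE = [Rule("inbound", "tcp", 3306, 3306, "0.0.0.0/0")]  # violation
DB_SG_AFTER = [Rule("inbound", "tcp", 3306, 3306, "sg-web")]      # authorized by security group ID

if __name__ == "__main__":
    for name, rules in [("sg-web", WEB_SG), ("sg-db", DB_SG_BEFORE), ("sg-db", DB_SG_AFTER)]:
        print(name, review_rules(name, rules) or ["ok"])
```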