Build security group configurations with ingress and egress rules, CIDR sources, port ranges, and priority settings.
Last verified: May 2026
Required fields: `securityGroupName`, `vpcId`.

Alibaba Cloud Security Groups are the per-instance firewall layer for ECS, with separate ingress and egress rule sets. The Alibaba Security Group Builder produces validated rule lists with protocol selection, port ranges, CIDR sources, and priority ordering. Output is JSON-ready for the API or Terraform `alicloud_security_group_rule` resources.
Each rule has a priority (1-100; a lower number means a higher priority). When multiple rules match, the rule with the higher priority wins. Use this to put explicit deny rules above broad allow rules: for example, 'allow everything from corp-vpn' at priority 50 alongside 'deny SSH from known-bad-IP' at priority 10.
Yes, a rule can use another security group as its source, and you should for inter-tier traffic. A rule with the web-tier security group as source means 'allow from any ECS in the web tier security group' without listing IPs. This survives autoscaling, IP changes, and instance replacement automatically.
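To make the priority and source-group semantics concrete, here is an added example (not the builder's own code) that validates rules in the schema described on this page and evaluates a flow against them. It assumes the ordering rule stated above (lower priority number wins) and, as an additional assumption for equal priorities, lets a drop rule beat an accept rule; the CIDRs, the `sg-web-tier` group id and the flows are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One security-group rule: direction, protocol, port range, target, action, priority."""
    direction: str                      # "ingress" or "egress"
    protocol: str                       # "tcp", "udp", "icmp" or "all"
    port_from: int                      # -1/-1 for protocols without ports
    port_to: int
    action: str                         # "accept" or "drop"
    priority: int                       # 1-100, lower number = higher priority
    cidr: Optional[str] = None          # CIDR source (ingress) or destination (egress)
    source_group: Optional[str] = None  # ...or another security group's id
    description: str = ""


def validate(rule: Rule) -> None:
    """Reject rules the builder would refuse to emit; raises ValueError with the reason."""
    if rule.direction not in ("ingress", "egress"):
        raise ValueError(f"bad direction {rule.direction!r}")
    if rule.protocol not in ("tcp", "udp", "icmp", "all"):
        raise ValueError(f"bad protocol {rule.protocol!r}")
    if rule.action not in ("accept", "drop"):
        raise ValueError(f"bad action {rule.action!r}")
    if not 1 <= rule.priority <= 100:
        raise ValueError(f"priority {rule.priority} outside 1-100")
    if rule.protocol in ("tcp", "udp") and not 1 <= rule.port_from <= rule.port_to <= 65535:
        raise ValueError(f"bad port range {rule.port_from}/{rule.port_to}")
    if (rule.cidr is None) == (rule.source_group is None):
        raise ValueError("exactly one of cidr or source_group must be set")
    if rule.cidr is not None:
        ipaddress.ip_network(rule.cidr, strict=False)  # raises on a malformed CIDR


def _matches(rule: Rule, flow: dict) -> bool:
    """True if this rule applies to the flow (direction, protocol, port, then source)."""
    if rule.direction != flow["direction"]:
        return False
    if rule.protocol != "all" and rule.protocol != flow["protocol"]:
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= flow["port"] <= rule.port_to:
        return False
    if rule.cidr is not None:
        ip = flow.get("ip")
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)
    # Security-group source: matched on the peer's group membership, not its IP.
    return flow.get("group") == rule.source_group


def evaluate(rules, flow: dict, default: str = "drop"):
    """Return (action, matching_rule). Lowest priority number wins; on a tie, drop beats
    accept (assumption). With no match the caller-supplied default applies."""
    for rule in rules:
        validate(rule)
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "drop"))
    for rule in ordered:
        if _matches(rule, flow):
            return rule.action, rule
    return default, None


# Constructed ingress rule set mirroring the page's example.
INGRESS = [
    Rule("ingress", "all", -1, -1, "accept", 50, cidr="10.8.0.0/16",
         description="allow everything from corp-vpn"),
    Rule("ingress", "tcp", 22, 22, "drop", 10, cidr="10.8.7.7/32",
         description="deny SSH from known-bad host inside the VPN range"),
    Rule("ingress", "tcp", 8080, 8080, "accept", 20, source_group="sg-web-tier",
         description="app port, only from the web-tier security group"),
]

if __name__ == "__main__":
    for flow in (
        {"direction": "ingress", "protocol": "tcp", "port": 22, "ip": "10.8.7.7"},
        {"direction": "ingress", "protocol": "tcp", "port": 22, "ip": "10.8.1.1"},
        {"direction": "ingress", "protocol": "tcp", "port": 8080, "group": "sg-web-tier"},
        {"direction": "ingress", "protocol": "tcp", "port": 22, "ip": "198.51.100.1"},
    ):
        action, rule = evaluate(INGRESS, flow)
        print(action, "<-", rule.description if rule else "no match, default")
```

The first flow is the case the page describes: both the priority-50 allow and the priority-10 deny match SSH from 10.8.7.7, and the deny wins because it sorts first. The third flow shows a source-group rule matching on group membership with no IP at all.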
A pen-test report finds that any compromised ECS instance can pivot freely throughout the VPC because security groups allow `any/any` between tiers. You design a tiered security group set with the builder (web, app, db) and lock inter-tier traffic to specific ports with the appropriate source security group. Pivoting becomes much harder; the next pen-test reduces the impact rating of an initial compromise from critical to medium.
The builder collects security group name, VPC, and ingress/egress rule lists. Each rule has direction, protocol, port range, source/destination (CIDR or another security group), action (accept/drop), priority, and description. Output is Terraform-ready and includes the security group resource plus one rule resource per entry.
Group ECS instances by role and assign each role its own security group. The intersection of security groups governs traffic — far easier to reason about than maintaining IP allowlists per instance.
Always include an explicit egress allowlist for production. The default 'allow all egress' is a foot-gun: a compromised instance can talk to anything. Listing the outbound destinations you actually need narrows the blast radius.
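Putting the tiered design, the rule schema and the egress advice together, here is an added example (not the builder's output format) that builds the web/app/db set from the pen-test scenario above, lints each group for a missing egress allowlist, and renders the result as Terraform JSON with one `alicloud_security_group_rule` resource per entry. Assumptions: the attribute names follow the `alicloud` provider as the author understands them (`type`, `ip_protocol`, `policy`, `port_range`, `priority`, `nic_type`, `cidr_ip`, `source_security_group_id`, `dest_group_id`) and should be checked against your provider version; an explicit drop-all egress rule at priority 100 is added so the allowlist is the last word rather than relying on the default; the VPC id and CIDRs are constructed.

```python
import json


def make_rule(direction, protocol, port_from, port_to, action, priority,
              cidr=None, group=None, description=""):
    """One rule entry in the builder's schema; exactly one of cidr / group is the target."""
    if (cidr is None) == (group is None):
        raise ValueError("rule needs exactly one of cidr or group")
    if not 1 <= priority <= 100:
        raise ValueError("priority must be 1-100")
    return {"direction": direction, "protocol": protocol, "port_from": port_from,
            "port_to": port_to, "action": action, "priority": priority,
            "cidr": cidr, "group": group, "description": description}


def build_tiered_groups(vpc_id):
    """web -> app -> db. Inter-tier rules reference the peer security group, not IPs,
    so they survive autoscaling and instance replacement."""
    web_ref = "${alicloud_security_group.web.id}"   # Terraform references to sibling resources
    app_ref = "${alicloud_security_group.app.id}"
    db_ref = "${alicloud_security_group.db.id}"
    # Assumption: make the egress allowlist explicit by closing with a drop-all at the
    # lowest priority instead of relying on the platform's default-allow egress.
    drop_all_egress = make_rule("egress", "all", -1, -1, "drop", 100, cidr="0.0.0.0/0",
                                description="explicit last rule: nothing else leaves")
    return {
        "web": {"vpc_id": vpc_id, "rules": [
            make_rule("ingress", "tcp", 443, 443, "accept", 10, cidr="0.0.0.0/0",
                      description="public HTTPS"),
            make_rule("egress", "tcp", 8080, 8080, "accept", 10, group=app_ref,
                      description="web tier to app tier only"),
            drop_all_egress]},
        "app": {"vpc_id": vpc_id, "rules": [
            make_rule("ingress", "tcp", 8080, 8080, "accept", 10, group=web_ref,
                      description="app port, only from web tier"),
            make_rule("egress", "tcp", 3306, 3306, "accept", 10, group=db_ref,
                      description="app tier to db tier only"),
            drop_all_egress]},
        "db": {"vpc_id": vpc_id, "rules": [
            make_rule("ingress", "tcp", 3306, 3306, "accept", 10, group=app_ref,
                      description="MySQL, only from app tier"),
            # A real deployment adds egress for patch repos / monitoring here.
            drop_all_egress]},
    }


def groups_without_egress_allowlist(groups):
    """Names of groups with no egress rules at all: these fall back to default allow-all egress."""
    return [name for name, g in groups.items()
            if not any(r["direction"] == "egress" for r in g["rules"])]


def to_terraform_json(groups):
    """Terraform JSON: one alicloud_security_group per tier, one rule resource per entry."""
    sgs, rules = {}, {}
    for name, g in groups.items():
        sgs[name] = {"name": name, "vpc_id": g["vpc_id"], "description": f"{name} tier"}
        for i, r in enumerate(g["rules"]):
            res = {
                "type": r["direction"],
                "ip_protocol": r["protocol"],
                "policy": r["action"],
                "port_range": f"{r['port_from']}/{r['port_to']}",
                "priority": r["priority"],
                "nic_type": "intranet",  # assumption: required value for VPC-type groups
                "security_group_id": f"${{alicloud_security_group.{name}.id}}",
                "description": r["description"],
            }
            if r["cidr"] is not None:
                res["cidr_ip"] = r["cidr"]          # source for ingress, destination for egress
            elif r["direction"] == "ingress":
                res["source_security_group_id"] = r["group"]
            else:
                res["dest_group_id"] = r["group"]
            rules[f"{name}_{r['direction']}_{i}"] = res
    return {"resource": {"alicloud_security_group": sgs,
                         "alicloud_security_group_rule": rules}}


if __name__ == "__main__":
    tiers = build_tiered_groups("vpc-example-placeholder")
    print("groups relying on default egress:", groups_without_egress_allowlist(tiers))
    print(json.dumps(to_terraform_json(tiers), indent=2))
```

Run it and inspect the `app_ingress_0` resource: its source is `${alicloud_security_group.web.id}` rather than a CIDR, which is what makes the tier boundary hold when web instances are replaced. Dropping the egress rules from any tier makes `groups_without_egress_allowlist` name it, which is the check to run before applying.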