On the main menu of ZStack Cube Ultimate Hybrid Cloud
Management, choose Products > Security Group. On the Security Group page, click Create
Security Group. Then, the Create Security Group
page is displayed.
On the displayed page, set the following parameters:
Name: Enter a name for the security group.
Description: Optional. Enter a description for the
security group.
VPC: Choose a VPC.
Initial Rule: Choose an initial rule for the security
group. The following four rules are supported:
Prohibit All: Prohibits ingress and egress flows from all
ports.
Allow All: Allows ingress and egress flows from all
ports.
Disable Some Vulnerable Ports: Prohibits only ingress flows from
vulnerable ports, such as 135, 137, 139, 42, and 445 (Protocol: UDP or
TCP).
Allow Commonly Used Ports: Allows only ingress flows from
commonly used ports, such as 22, 23, 3389, 443, 80, 6379, 8080, 3306,
and 1433 (Protocol: UDP or TCP).
Figure 1. Create a Security Group
Manage a Security Group
On the main menu of ZStack Cube Ultimate Hybrid Cloud
Management, choose Products > Security Group. Then, the Security Group page is displayed.
The following lists the actions you can perform on a security group.
Action: Description
Edit Security Group: Edit the name and description of a security group.
Create Security Group: Create a new security group.
Delete Security Group: Delete a security group.
Note: By default, the local record of the security group and ECS instances associated
with the security group are deleted. If you want to delete the
security group on Alibaba Cloud, select the checkbox of
Delete Resources on Alibaba Cloud.
Security Group Details
Security Group Rule
On the Security Group page, click the name of a security group.
Then, the security group details page is displayed. On the Rule tab
of the details page, click Add Rule. Then, the Add
Rule page is displayed.
On the displayed page, set the following parameters:
NIC Type: Intranet (Default).
Rule Direction: Displays the direction you add the rule
to.
Authorization Policy: Select an authorization policy.
Valid values: Accept and Reject.
Protocol: Choose a protocol. Valid values: All,
TCP, UDP, ICMP, and GRE. You can choose ALL to
allow mutual communications among ECS instances in the group.
Port Range: Enter the port range the rule takes effect
on.
Note: The port range is affected by the protocol.
ALL: The port range is fixed as -1/-1. This value
means no limitation on ports.
TCP/UDP: The valid port range is 1~65535 by default. Format:
m/n (m must be smaller than n). For example, 1/200 means that the
port range is 1~200. If you enter 200/1, an error occurs.
ICMP: The port range is fixed as -1/-1. This value
means no limitation on ports.
GRE: The port range is fixed as -1/-1. This value
means no limitation on ports.
Authorization Objects: Enter an intranet CIDR the rule
takes effect on.
Note:
Enter a CIDR as needed.
If you enter 0.0.0.0/0, you allow or reject access from all IP
addresses. Exercise caution.
Priority: Set a priority for the rule. Valid values:
1-100. 1 represents the highest priority. Default: 1.
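The following Python check is an added example, not part of the ZStack documentation or product code. It reviews a rule against the constraints listed above (protocol-dependent port range, priority 1-100, CIDR) before the rule is entered, and warns when an Accept rule covers 0.0.0.0/0 or the ports named under Disable Some Vulnerable Ports. The rule dictionary layout and the name lint_rule are hypothetical; the rule is assumed to be an ingress rule, and a single-port range (m equal to n) is assumed to be accepted.

```python
import ipaddress
import re

# Ports the page lists under "Disable Some Vulnerable Ports".
VULNERABLE_PORTS = {42, 135, 137, 139, 445}
FIXED_RANGE_PROTOCOLS = {"ALL", "ICMP", "GRE"}  # port range fixed as -1/-1

def lint_rule(rule):
    """Return a list of findings for one rule dict (hypothetical schema)."""
    findings = []
    proto = rule["protocol"].upper()
    ports = None  # set only when the rule covers a known set of ports
    if proto in FIXED_RANGE_PROTOCOLS:
        if rule["port_range"] != "-1/-1":
            findings.append("error: port range must be -1/-1 for " + proto)
        elif proto == "ALL":
            ports = range(1, 65536)  # -1/-1 means no limitation on ports
    elif proto in ("TCP", "UDP"):
        m = re.fullmatch(r"(\d+)/(\d+)", rule["port_range"])
        if not m:
            findings.append("error: port range must have the form m/n")
        else:
            lo, hi = int(m.group(1)), int(m.group(2))
            if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
                findings.append("error: ports must be within 1~65535")
            elif lo > hi:  # assumption: m == n (single port) is accepted
                findings.append("error: m must not be larger than n")
            else:
                ports = range(lo, hi + 1)
    else:
        findings.append("error: unknown protocol " + proto)

    if not 1 <= rule["priority"] <= 100:
        findings.append("error: priority must be within 1-100")
    try:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
    except ValueError:
        findings.append("error: invalid CIDR")
        return findings
    if rule["policy"] == "Accept":
        if net.prefixlen == 0:
            findings.append("warning: rule accepts traffic from all IP addresses")
        exposed = sorted(p for p in VULNERABLE_PORTS if ports and p in ports)
        if exposed:
            findings.append("warning: accepts vulnerable ports %s" % exposed)
    return findings

# Constructed sample rule, not taken from any real deployment.
SAMPLE = {"protocol": "TCP", "port_range": "1/200", "cidr": "0.0.0.0/0",
          "policy": "Accept", "priority": 1}
```

Calling lint_rule(SAMPLE) returns two warnings: one for the 0.0.0.0/0 authorization object and one for the vulnerable ports that fall inside 1/200.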