Alibaba Cloud Singapore Server Port Configuration And Security Group Rules Practical Guide

2026-04-06 09:51:19

First log in to the Alibaba Cloud console, open the ECS console and select the region your instance belongs to (for example, ap-southeast-1, Singapore). Locate the target instance, open its associated security group and click "Configure Rules" or "Security Group Rules". Under "Inbound Rules" choose "Add Security Group Rule", then fill in the protocol (TCP/UDP/All), the port range (22, 80, 443 or a custom port such as 8080), the authorization object (preferably a specific IP whitelist or CIDR, such as 1.2.3.4/32) and a purpose description, and save.

Also check that the operating system firewall inside the instance (iptables, ufw or firewalld) allows the corresponding port and that the application is actually listening on it. If the instance uses an Elastic IP (EIP), make sure the EIP is correctly bound and that the route table and subnet do not block external access.

Alibaba Cloud security groups are instance-level virtual firewalls and are normally stateful: once an inbound connection is allowed, its reply traffic is allowed automatically. There is no explicit priority between security group rules; rules are evaluated in parallel and traffic is allowed as long as one rule matches. Security groups do not support explicit "deny" rules; restriction comes only from the default deny applied to anything not explicitly allowed.

When designing the whitelist, follow the principle of least privilege: allow management ports (22/SSH, 3389/RDP) only from fixed management IPs or VPN address ranges; for web services (80/443) you may allow 0.0.0.0/0, but combine it with a WAF and rate limiting; for database ports (3306, 27017) allow only internal network segments or access over dedicated VPC connections.

Common risks include: brute-force attacks against default ports, databases exposed directly to the internet leading to data leaks, services not patched in time being exploited through known vulnerabilities, and DDoS or crawler traffic overwhelming the service. Protective measures include:


(1) enable key-based authentication on management ports, disable password login, change the default port and use port knocking or two-factor authentication; (2) restrict source IPs with a security group whitelist and route administrative access through a bastion host with centralized operations auditing; (3) deploy Alibaba Cloud WAF, Anti-DDoS or Cloud Firewall to filter and scrub internet traffic; (4) enable fail2ban and host-level iptables/ufw rules to limit repeated connection attempts; (5) allow database access only from the intranet or over private connections, and enforce account password complexity and encrypted transport.

Automated management can be done with the Alibaba Cloud CLI (aliyun) or the SDKs. Common operations are AuthorizeSecurityGroup (add a rule), RevokeSecurityGroup (delete a rule) and DescribeSecurityGroupAttribute (list the current rules). Example (pseudo command, showing only the parameters):

aliyun ecs AuthorizeSecurityGroup --RegionId ap-southeast-1 --SecurityGroupId sg-xxxx --IpProtocol tcp --PortRange 8080/8080 --SourceCidrIp 203.0.113.4/32 --Policy accept

In batch scenarios, first export the current rules with the Describe interface, generate a change plan (JSON/CSV), verify it in a test environment, and only then apply the batch authorization or revocation. Control operator permissions with RAM roles and policies so that core rules in production cannot be deleted by accident; Terraform or Alibaba Cloud Resource Orchestration Service (ROS) can also be used for declarative management.
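As an added example (not code from the article or from Alibaba Cloud), the following script audits an exported rule set against the whitelist policy described above and turns violations into a reviewable revoke plan. The input is a constructed JSON sample shaped like a DescribeSecurityGroupAttribute response (field names assumed), and the admin source, internal VPC ranges and security group ID are assumed placeholders.

```python
import ipaddress
import json

# Constructed sample shaped like a DescribeSecurityGroupAttribute response
# (assumed field names; verify against real API output before relying on them).
SAMPLE = json.dumps({"SecurityGroupId": "sg-example", "Permissions": {"Permission": [
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "203.0.113.4/32", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "203.0.113.0/24", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "10.0.0.0/8", "Policy": "Accept", "Direction": "ingress"},
]}})

MGMT_PORTS = {22, 3389}   # SSH / RDP: only from the admin whitelist
DB_PORTS = {3306, 27017}  # MySQL / MongoDB: only from internal ranges
ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.4/32")]  # assumed admin / VPN egress address
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed VPC ranges

def covers(port_range, ports):
    """True if an Alibaba-style 'lo/hi' range touches any of the given ports ('-1/-1' means all ports)."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return lo < 0 or any(lo <= p <= hi for p in ports)

def within(src, allowed):
    """True if the source CIDR is fully contained in one of the allowed networks."""
    return any(a.version == src.version and src.subnet_of(a) for a in allowed)

def audit(attr_json):
    """Return (rule, reason) pairs for ingress accept rules that break the whitelist policy."""
    findings = []
    for rule in json.loads(attr_json)["Permissions"]["Permission"]:
        if rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept":
            continue
        src = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        if covers(rule["PortRange"], MGMT_PORTS) and not within(src, ADMIN_SOURCES):
            findings.append((rule, "management port reachable from outside the admin whitelist"))
        elif covers(rule["PortRange"], DB_PORTS) and not within(src, INTERNAL):
            findings.append((rule, "database port reachable from a non-internal source"))
    return findings

def revoke_plan(attr_json, region="ap-southeast-1"):
    """Turn findings into RevokeSecurityGroup lines in the article's pseudo-command style for review."""
    sg_id = json.loads(attr_json)["SecurityGroupId"]
    return [
        f"aliyun ecs RevokeSecurityGroup --RegionId {region} --SecurityGroupId {sg_id}"
        f" --IpProtocol {r['IpProtocol'].lower()} --PortRange {r['PortRange']} --SourceCidrIp {r['SourceCidrIp']}"
        f"  # {reason}"
        for r, reason in audit(attr_json)
    ]

if __name__ == "__main__":
    print("\n".join(revoke_plan(SAMPLE)))
```

The 443 rule open to the world and the 3306 rule from 10.0.0.0/8 pass, while SSH from 0.0.0.0/0 and MySQL from a public /24 are queued for revocation; the generated lines are a plan to check in a test environment, not commands to run blindly.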

Troubleshooting is best done in order from the outside in: ① confirm that the instance is running and has a public IP bound (if public access is required); ② check in the Alibaba Cloud console whether the security group inbound/outbound rules allow the protocol and port; ③ check whether the VPC subnet route table or a network ACL blocks the traffic; ④ check the operating system firewall (iptables/ufw/firewalld) and SELinux settings inside the instance; ⑤ confirm that the service process is listening on the target port (use ss -ltnp or netstat -lnt); ⑥ test port connectivity from outside with telnet, nc or nmap, and try from different regions or through Alibaba Cloud's network performance monitoring to rule out regional or BGP issues; ⑦ if the problem persists, capture packets (tcpdump) or review application and system logs. If necessary, enable security group logs and CloudMonitor alarms, or submit a ticket to request diagnosis from the Alibaba Cloud network side.
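As an added example for step ⑤ (not from the article), this helper parses `ss -ltn` output and separates the three host-side outcomes that make an external test fail: nothing listening, a service bound only to loopback (the security group is irrelevant until it is rebound), or a correct listener, in which case the search moves outward to the firewall and security group. The ss output is a constructed sample, not a capture from a real host.

```python
# Constructed sample of `ss -ltn` output; not captured from a real host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
"""

LOOPBACK = ("127.0.0.1", "[::1]")

def listeners(ss_text):
    """Parse `ss -ltn` lines into (local address, port) pairs for sockets in LISTEN state."""
    found = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip the header and anything not in LISTEN state
        addr, port = cols[3].rsplit(":", 1)  # rsplit keeps IPv6 literals like [::] intact
        found.append((addr, int(port)))
    return found

def check_port(ss_text, port):
    """Classify why an external connection to `port` could fail at the host level."""
    binds = [addr for addr, p in listeners(ss_text) if p == port]
    if not binds:
        return "not-listening"   # service down or on another port: look at the process first
    if all(addr in LOOPBACK for addr in binds):
        return "loopback-only"   # reachable only from the instance itself: rebind to 0.0.0.0 or [::]
    return "listening"           # host side is fine: continue with OS firewall and security group

if __name__ == "__main__":
    for p in (22, 443, 8080, 9090):
        print(p, check_port(SS_OUTPUT, p))
```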

Record the result and time of each step during the investigation so that it can be traced back and reproduced. If connection failures recur, correlate them with intrusion detection and application logs to check for malicious scans or attacks.
