Compared with basic security groups, advanced security groups can contain more ECS instances, elastic network interfaces (ENIs), and private IP addresses. Advanced security groups also simplify the configuration policies of security group rules. Advanced security groups can be used in scenarios that have higher requirements for O&M efficiency, ECS instance specifications, and compute nodes.

Comparison of features

The following table compares the features of basic and advanced security groups. For more information about basic security groups, see Overview.

| Feature | Basic security group | Advanced security group |
| --- | --- | --- |
| Supports all instance types | Yes. | No. The instance must be of the VPC type. |
| Supports VPCs | Yes. | Yes. |
| Supports the classic network | Yes. | No. |
| Allows you to configure rule priorities | Yes. | No. |
| Allows access from other security groups | Yes. | No. |
| Allows you to manually set security group rules that allow access from other security groups | Yes. | Yes. |
| Allows you to manually set Deny security group rules | Yes. | No. Advanced security groups deny all access requests by default. |
| Access policy when no rules are added | Inbound: denies all access requests. Outbound: allows all access requests. | Inbound: denies all access requests. Outbound: denies all access requests. |
| Allows you to bind ENIs to instances of any instance type | No. The instance must be of the VPC type. | No. The instance must be of the VPC type. |
| Maximum allowable number of private IP addresses | 2,000. | 65,536. |
| Allows mutual access between ECS instances within the same security group by default | Yes. | No. To allow mutual access between ECS instances in the same security group, you must add security group rules. |

Billing

You are not charged extra fees when you use advanced security groups.

Limits

For the limits and quotas of advanced security groups, see the "Security group limits" section in Limits.

In addition to the preceding limits, ECS instances must also meet the following requirements before they can be added to advanced security groups:

  • The network type of ECS instances must be VPC.
  • ECS instances and ENIs have the following requirements for their security group types:
    • The primary ENI of an instance cannot belong to both a basic and an advanced security group at the same time.
    • A secondary ENI cannot belong to both a basic and an advanced security group at the same time.

Workflow

You can perform the steps in the following workflows to use advanced security groups.
  • Use advanced security groups to manage instances. [Figure: Workflow - instances]
  • Use advanced security groups to manage ENIs. [Figure: Workflow - ENIs]
Notice: When you create an advanced security group by using the ECS console or by calling an API operation, outbound rules are handled differently depending on the method you use:
  • When you create the security group by using the ECS console, a security group rule is automatically added to allow all outbound traffic. We recommend that you keep the default setting to avoid network connectivity issues.
  • When you create the security group by calling the API operation, no security group rules are added. All outbound traffic is denied by default. We recommend that you manually add security group rules.

Procedure in the console

The following table lists the operations that you can perform in the ECS console to manage advanced security groups.
| Operation in the ECS console | Description | Reference |
| --- | --- | --- |
| Create an advanced security group | When you create an advanced security group, set Security Group Type to Advanced Security Group. | Create a security group |
| Add a security group rule | An advanced security group is equivalent to an access whitelist. Only rules that allow access from other security groups can be added, and authorization objects can only be CIDR blocks. These rules have no priorities. | Add security group rules |
| Add an ECS instance to an advanced security group | The ECS instance cannot belong to both a basic and an advanced security group at the same time. If the instance belongs to a basic security group, you can replace the basic security group with an advanced security group. | |
| Add an ENI to an advanced security group | If the ENI belongs to a basic security group, you can modify the ENI to add it to an advanced security group. | Modify an ENI |
| Bind an ENI to an ECS instance | After the ENI is bound to the instance, the security group rules immediately take effect. | Attach an ENI |
| Manage advanced security groups | The operations include adding tags, modifying names and descriptions, and managing instances in the advanced security groups. | |
| Manage rules for advanced security groups | You can modify security group rules during application operation based on your actual needs. | |

API operations

The following table lists the API operations that you can use to manage advanced security groups.
CreateSecurityGroup
  When you call this operation, set the SecurityGroupType request parameter to enterprise.
  Note: Before you create an advanced security group, make sure that a VPC and a VSwitch are available.
AuthorizeSecurityGroup
  You can call this operation to add a rule that allows inbound traffic to the advanced security group. Authorization objects can only be CIDR blocks.
  An advanced security group is equivalent to an access whitelist. You can use the following parameters to configure security group rules:
    • Policy: This parameter is set to accept by default.
    • Priority: This parameter is not required.
    • IpProtocol: This parameter is required.
    • PortRange: This parameter specifies the range of ports.
    • SourcePortRange: Optional. This parameter specifies the range of source ports.
    • SourceCidrIp: This parameter specifies the range of source IP addresses.
    • DestCidrIp: Optional. This parameter specifies the range of destination IP addresses.
AuthorizeSecurityGroupEgress
  You can call this operation to add an outbound rule to an advanced security group.
  Note: We recommend that you add a security group rule to allow all outbound traffic.
JoinSecurityGroup
  You can call this operation to add a VPC-type instance to an advanced security group.
ModifyInstanceAttribute
  If an instance belongs to a basic security group, you can call the ModifyInstanceAttribute operation to replace the security group with an advanced security group.
  Note: When you switch an ECS instance to a security group of a different type, you must understand the differences between the rule configurations of the two security group types to avoid affecting the instance network.
ModifyNetworkInterfaceAttribute
  If an ENI belongs to a basic security group, you can call the ModifyNetworkInterfaceAttribute operation to add the ENI to an advanced security group.
AttachNetworkInterface
  You can call this operation to bind the ENI that has been added to an advanced security group to an ECS instance.
DescribeSecurityGroups
  You can call this operation to query the advanced security groups within the current region.
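The default-deny, whitelist-only behavior summarized in the comparison table, the console-versus-API outbound-rule notice in the Workflow section, and the AuthorizeSecurityGroup parameters listed above, modeled together as an added offline example. This is illustrative code written for this page, not Alibaba Cloud's implementation or SDK; the class and method names, and the sample CIDR blocks, are assumptions for illustration.

```python
"""Offline model of advanced (enterprise) security group semantics from this page.
Illustrative simulation only, not Alibaba Cloud's implementation or SDK."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    ip_protocol: str   # IpProtocol: tcp, udp, icmp, gre or all
    port_range: str    # PortRange, e.g. "22/22"; "-1/-1" means all ports
    cidr_ip: str       # SourceCidrIp (inbound) or DestCidrIp (outbound)

    def matches(self, proto, port, ip):
        if self.ip_protocol not in ("all", proto):
            return False
        lo, hi = (int(p) for p in self.port_range.split("/"))
        if lo != -1 and not lo <= port <= hi:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr_ip, strict=False)


class AdvancedSecurityGroup:
    """Whitelist only: no Deny rules, no priorities, default deny in both directions."""

    def __init__(self, created_via="api"):
        self.rules = {"ingress": [], "egress": []}
        # Console creation seeds an allow-all outbound rule; API creation adds nothing.
        if created_via == "console":
            self.rules["egress"].append(Rule("all", "-1/-1", "0.0.0.0/0"))

    def authorize(self, direction, ip_protocol, port_range, cidr_ip,
                  policy="accept", priority=None):
        """Mirrors the AuthorizeSecurityGroup(Egress) parameters listed on this page."""
        if policy != "accept":
            raise ValueError("advanced security groups accept only Policy=accept rules")
        if priority is not None:
            raise ValueError("rules in an advanced security group have no Priority")
        if not ip_protocol:
            raise ValueError("IpProtocol is required")
        ipaddress.ip_network(cidr_ip, strict=False)  # authorization object must be a CIDR block
        self.rules[direction].append(Rule(ip_protocol, port_range, cidr_ip))

    def allows(self, direction, proto, port, ip):
        """Default deny: traffic passes only if some rule in that direction matches."""
        return any(r.matches(proto, port, ip) for r in self.rules[direction])


if __name__ == "__main__":
    # Constructed sample: a group created via the API, with one SSH whitelist entry.
    sg = AdvancedSecurityGroup(created_via="api")
    sg.authorize("ingress", "tcp", "22/22", "10.0.0.0/24")
    print(sg.allows("ingress", "tcp", 22, "10.0.0.7"))   # True: whitelisted CIDR
    print(sg.allows("ingress", "tcp", 22, "10.0.1.7"))   # False: same VPC, not whitelisted
    print(sg.allows("egress", "tcp", 443, "1.1.1.1"))    # False: API-created, no egress rule yet
```

The third check is the case the Workflow notice warns about: an API-created group has no outbound rule, so every outbound connection is dropped until an AuthorizeSecurityGroupEgress rule is added.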