
Elastic Compute Service:Basic security groups and advanced security groups

Last Updated: Oct 31, 2023

Security groups are classified into basic security groups and advanced security groups. Both types are provided free of charge. They are suitable for different usage scenarios and differ in the following aspects: capacity, default access control rules, and support for rules that reference security groups.

Security group capacity

The capacity of a security group is measured based on the number of private IP addresses. When you associate resources with a security group, the private IP addresses of the resources consume the capacity of the security group. You can associate Elastic Compute Service (ECS) instances, elastic network interfaces (ENIs), and elastic container instances with security groups. Take note that a single resource may have one or more private IP addresses.

Advanced security groups can contain more private IP addresses than basic security groups. If the number of private IP addresses in a cluster exceeds the capacity of a basic security group, we recommend that you use an advanced security group for the cluster. The following table compares the capacities of basic security groups and advanced security groups.

| Item | Basic security group | Advanced security group |
|---|---|---|
| Number of private IP addresses that can be contained in a security group in a virtual private cloud (VPC) | 2,000. You can apply to increase this limit to 6,000. Note: You can go to the Quota Center and find the "The maximum number of private IP addresses in the general security group of the VPC" quota to request a quota increase. For more information, see Request a quota increase. | 65,536 |
| Number of private IP addresses that can be contained in a security group in the classic network | 1,000 | Advanced security groups do not support the classic network. |

Support for rules that reference security groups

A security group rule can reference the ID of a security group as an authorization object (source or destination) to control traffic for the resources that are associated with the security group.

  • You can create rules that reference security groups in basic security groups. Each basic security group can contain up to 20 rules that reference security groups. For more information, see the "Security group limits" section in Limits.

  • You cannot create rules that reference security groups in advanced security groups, or reference advanced security groups in rules of security groups.

Basic security groups support the internal interconnectivity (Allow) policy, which allows ECS instances in a basic security group to access each other over the internal network. The internal interconnectivity policy is the default internal access control policy of basic security groups and can be considered a special rule that references the security group itself. Advanced security groups support only the internal isolation (Deny) policy, which isolates ECS instances in an advanced security group from each other. You cannot change the internal access control policy of an advanced security group from the internal isolation policy to the internal interconnectivity policy.

Default access control rules

Basic security groups and advanced security groups use different default access control rules. The internal access control policy of a basic security group affects the default access control rules of the security group. The default access control rules of security groups are invisible and work with custom security group rules to control traffic for associated resources.

Note

The serial numbers in the following sections indicate the order of rules. Rules are processed in ascending order of serial number. Processing continues until a rule is matched.

Basic security groups that use the internal interconnectivity policy

  • Inbound direction: The following table describes how default access control rules and custom security group rules in a basic security group that uses the internal interconnectivity policy are applied to control inbound traffic. Traffic that is transmitted between ECS instances in the basic security group over the internal network matches a default access control rule (Rule 1) and is allowed regardless of custom security group rules. If inbound traffic does not match Rule 1 but matches one or more custom security group rules (Rule 2), the traffic is allowed or denied based on the action in the matched custom security group rule. Other inbound traffic matches another default access control rule (Rule 3) and is denied.

    | Serial number | Rule type | Traffic type | Action |
    |---|---|---|---|
    | 1 | Default access control rule | Traffic that is transmitted between ECS instances in the basic security group over the internal network | Allow |
    | 2 | Custom security group rule | Traffic that is not transmitted between ECS instances in the basic security group over the internal network and matches one or more custom security group rules | Allow or deny based on the action in a custom security group rule |
    | 3 | Default access control rule | Other traffic | Deny |

  • Outbound direction: The following table describes how default access control rules and custom security group rules in a basic security group that uses the internal interconnectivity policy are applied to control outbound traffic. Outbound traffic that matches one or more custom security group rules (Rule 1) in the basic security group is allowed or denied based on the action in the matched custom security group rule. Other outbound traffic matches the default access control rule (Rule 2) and is allowed.

    | Serial number | Rule type | Traffic type | Action |
    |---|---|---|---|
    | 1 | Custom security group rule | Traffic that matches one or more custom security group rules | Allow or deny based on the action in a custom security group rule |
    | 2 | Default access control rule | Other traffic | Allow |

Basic security groups that use the internal isolation policy

  • Inbound direction: The following table describes how default access control rules and custom security group rules in a basic security group that uses the internal isolation policy are applied to control inbound traffic. By default, traffic that is transmitted between ECS instances in the basic security group is not allowed. If inbound traffic matches one or more custom security group rules (Rule 1), the traffic is allowed or denied based on the action in the matched custom security group rule. Other inbound traffic matches the default access control rule (Rule 2) and is denied.

    | Serial number | Rule type | Traffic type | Action |
    |---|---|---|---|
    | 1 | Custom security group rule | Traffic that matches one or more custom security group rules | Allow or deny based on the action in a custom security group rule |
    | 2 | Default access control rule | Other traffic | Deny |

  • Outbound direction: Rules in basic security groups are applied in the same manner to control outbound traffic regardless of whether the basic security groups use the internal interconnectivity policy or the internal isolation policy.

    | Serial number | Rule type | Traffic type | Action |
    |---|---|---|---|
    | 1 | Custom security group rule | Traffic that matches one or more custom security group rules | Allow or deny based on the action in a custom security group rule |
    | 2 | Default access control rule | Other traffic | Allow |

    The internal access control policy of a basic security group affects the default access control rules of the security group. When a basic security group uses the internal interconnectivity policy, traffic that is transmitted between ECS instances in the security group over the internal network is allowed. If ECS instances in a basic security group do not need to access each other over the internal network, we recommend that you configure the internal isolation policy as the internal access control policy for the security group based on the principle of least privilege. For more information, see Modify the internal access control policy of a security group.

Advanced security groups

  • Inbound direction: The following table describes how default access control rules and custom security group rules in an advanced security group are applied to control inbound traffic. Inbound traffic that matches one or more custom security group rules (Rule 1) in the advanced security group is allowed or denied based on the action in the matched custom security group rule. Other inbound traffic matches the default access control rule (Rule 2) and is denied.

    | Serial number | Rule type | Traffic type | Action |
    |---|---|---|---|
    | 1 | Custom security group rule | Traffic that matches one or more custom security group rules | Allow or deny based on the action in a custom security group rule |
    | 2 | Default access control rule | Other traffic | Deny |

  • Outbound direction: The following table describes how default access control rules and custom security group rules in an advanced security group are applied to control outbound traffic. Outbound traffic that matches one or more custom security group rules (Rule 1) in the advanced security group is allowed or denied based on the action in the matched custom security group rule. Other outbound traffic matches the default access control rule (Rule 2) and is denied.

    | Serial number | Rule type | Traffic type | Action |
    |---|---|---|---|
    | 1 | Custom security group rule | Traffic that matches one or more custom security group rules | Allow or deny based on the action in a custom security group rule |
    | 2 | Default access control rule | Other traffic | Deny |
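The following Python model, added here as an illustration and not part of the product or this page, replays the rule tables above for all three group types and also exercises the referenced-security-group rule described in the "Support for rules that reference security groups" section. Group IDs, addresses and rules are constructed sample data; the priority ordering (a smaller number is checked first, Deny wins a tie) is an assumption, not a statement taken from this page.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str               # "Allow" or "Deny"
    priority: int             # assumption: a smaller number is matched first
    ports: tuple              # (low, high) destination port range
    cidr: str = None          # authorization object: a CIDR block ...
    source_group: str = None  # ... or the ID of a referenced security group

@dataclass
class SecurityGroup:
    kind: str                 # "basic" or "advanced"
    internal_policy: str      # "interconnect" or "isolate" (advanced: always "isolate")
    members: set              # private IP addresses associated with the group
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

# Constructed sample groups; IDs and addresses are made up for this example.
GROUPS = {
    "sg-web": SecurityGroup("basic", "interconnect", {"10.0.0.10", "10.0.0.11"},
        inbound=[Rule("Allow", 1, (443, 443), cidr="0.0.0.0/0"),
                 Rule("Deny", 1, (443, 443), cidr="203.0.113.0/24")]),
    "sg-app": SecurityGroup("basic", "isolate", {"10.0.1.10", "10.0.1.11"},
        inbound=[Rule("Allow", 1, (8080, 8080), source_group="sg-web")]),
    "sg-adv": SecurityGroup("advanced", "isolate", {"10.0.2.10", "10.0.2.11"},
        outbound=[Rule("Allow", 1, (443, 443), cidr="0.0.0.0/0")]),
}

def evaluate(group_id, direction, peer_ip, port):
    """Return 'Allow' or 'Deny'; peer_ip is the source (inbound) or destination (outbound)."""
    group = GROUPS[group_id]
    # Inbound Rule 1 of a basic interconnect group: member-to-member internal traffic is allowed.
    if (direction == "inbound" and group.kind == "basic"
            and group.internal_policy == "interconnect" and peer_ip in group.members):
        return "Allow"
    rules = group.inbound if direction == "inbound" else group.outbound
    # Assumption: a lower priority number is checked first; on a tie, Deny beats Allow.
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "Deny")):
        if rule.source_group and "advanced" in (group.kind, GROUPS[rule.source_group].kind):
            raise ValueError("advanced security groups cannot use or be used in group references")
        if not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if rule.cidr and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr):
            return rule.action
        if rule.source_group and peer_ip in GROUPS[rule.source_group].members:
            return rule.action
    # Last default rule: inbound denied for all groups; outbound allowed for basic, denied for advanced.
    return "Deny" if direction == "inbound" or group.kind == "advanced" else "Allow"
```

Note that a packet between two members of sg-web on an unlisted port is still allowed inbound, which is exactly why the page recommends the internal isolation policy when instances do not need to reach each other.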

Types of security groups with which ECS instances can be associated

When you associate an ECS instance with multiple security groups, all of the security groups must be of the same type: either basic security groups or advanced security groups. You cannot associate an ENI on an ECS instance with both basic security groups and advanced security groups.

Other information

  • Advanced security groups support only the VPC network type and do not support the classic network type. Basic security groups support both the VPC network type and the classic network type.

  • You can create Allow security group rules or Forbid (Deny) security group rules in basic and advanced security groups and configure priorities for the rules.