Compared with basic security groups, advanced security groups can contain more ECS instances, elastic network interfaces (ENIs), and private IP addresses. Advanced security groups can be used only in virtual private clouds (VPCs) and are easy to use because of their simplified configuration policies for security group rules. They are suitable for scenarios that require high O&M efficiency, multiple ECS instance types, and large-scale computing clusters.

Feature comparison

The following table compares the features of basic and advanced security groups. For more information about basic security groups, see Security group overview.

| Feature | Basic security group | Advanced security group |
|---|---|---|
| Support all instance types | Yes | Only IPv6-compatible instance types are supported. |
| Support VPCs | Yes | Yes |
| Support classic networks | Yes | No |
| Set rule priorities | Yes | No |
| Authorize other security groups to access the security group | Yes | No |
| Manually set security group rules that allow access from other security groups | Yes | Yes |
| Manually set Deny security group rules | Yes | No. Advanced security groups deny all access requests by default. |
| Bind ENIs to instances of any instance type | Yes. The instance must be of the VPC network type. | ENIs can be bound only to instances of IPv6-compatible instance types. |
| Number of contained private IP addresses | 2,000 | 65,536 |
| Allow mutual access between ECS instances in the same security group by default | Yes | No. You must add security group rules to allow mutual access between ECS instances in the same security group. |

Limits

For the limits and quotas of advanced security groups, see the "Security group limits" section in Limits.

In addition to the preceding limits, ECS instances must also meet the following requirements before they can be added to advanced security groups:

  • The ECS instances must be created on or after May 30, 2019.
  • The ECS instance types must support IPv6. For more information, see Instance families.
  • ECS instances and ENIs have the following requirements for their security group types:
    • An ECS instance cannot belong to both a basic security group and an advanced security group at the same time.
    • An ENI cannot belong to both a basic security group and an advanced security group at the same time.
    • An ENI can be bound to an ECS instance only when they belong to the same security group type.

Console operations

In the ECS console, you can perform the following operations to use advanced security groups:
  1. Create an advanced security group.

    When you create a security group, select Advanced Security Group for Security Group Type. For more information, see Create a security group.

  2. Add security group rules.

    An advanced security group is equivalent to an access whitelist. Only rules that allow access can be added, the authorization objects must be CIDR blocks rather than security groups, and the rules have no priorities. For more information, see Add security group rules.

  3. Add your ECS instances or ENIs to the advanced security group as needed.
    • For more information about how to add instances to a security group, see Add an ECS instance to a security group.
      Note An ECS instance cannot belong to both a basic security group and an advanced security group at the same time.
    • Perform the following steps to use an ENI in the advanced security group:
      1. If the ENI is in a basic security group, modify the ENI to add it to the advanced security group.

        For more information, see Modify an ENI.

      2. Bind the ENI to an ECS instance.

        For more information, see Attach an ENI.

  4. (Optional) Manage the advanced security group. For example, you can add a tag, modify the name and description of the advanced security group, and manage the ECS instances in the advanced security group. For more information, see

API operations

  1. Call the CreateSecurityGroup operation and set SecurityGroupType to enterprise.

    Before you create an advanced security group, make sure that a VPC and a VSwitch have been created.

  2. Call the AuthorizeSecurityGroup operation to add a rule that allows inbound traffic to the advanced security group. The authorization objects can only be CIDR blocks, not security groups.

    An advanced security group is equivalent to a communication whitelist. Policy is set to accept by default. You can leave Priority blank and specify the communication protocol (IpProtocol), the communication port range (PortRange), the source communication port range (SourcePortRange, optional), the source CIDR block (SourceCidrIp), and the destination CIDR block (DestCidrIp, optional).

  3. Call the AuthorizeSecurityGroupEgress operation to add an outbound rule to the advanced security group.
  4. Call the JoinSecurityGroup operation to add a VPC-type ECS instance to the advanced security group.
  5. Perform the following steps to use an ENI in the advanced security group:
    1. If the ENI is in a basic security group, call the ModifyNetworkInterfaceAttribute operation to add the ENI to the advanced security group.
    2. Call the AttachNetworkInterface operation to attach the ENI that has been added to the advanced security group to an ECS instance.
  6. (Optional) Call the DescribeSecurityGroups operation to query the list of the security groups you have created in the current region.
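The six API steps above, carried through as one POSIX shell script that drives the Alibaba Cloud CLI (`aliyun ecs <Operation> --Param value`). This is an added example, not code from the documentation or from Alibaba Cloud. The region, VPC, instance and ENI IDs, the CIDR blocks and the group name are constructed placeholders; the parameter names follow the API operations named in the steps, while the CLI invocation style and the `--SecurityGroupType enterprise` filter on DescribeSecurityGroups are assumptions. Because an advanced group is a pure whitelist (no Deny rules, no priorities, no intra-group access by default), the script refuses a catch-all source or destination CIDR and adds an explicit rule for the cluster CIDR so members can reach each other.

```shell
#!/bin/sh
# Added example: create and populate an advanced security group with the aliyun CLI.
# All IDs and CIDRs below are constructed placeholders, not values from the documentation.
#
# DRY_RUN=1 (the default) prints each aliyun command instead of executing it, so the
# sequence can be reviewed offline; set DRY_RUN=0 with a configured CLI to run for real.

DRY_RUN="${DRY_RUN:-1}"
REGION="${REGION:-cn-hangzhou}"                  # placeholder region
VPC_ID="${VPC_ID:-vpc-EXAMPLE}"                  # placeholder VPC (advanced groups are VPC-only)
INSTANCE_ID="${INSTANCE_ID:-i-EXAMPLE}"          # placeholder VPC-type, IPv6-capable ECS instance
ENI_ID="${ENI_ID:-eni-EXAMPLE}"                  # placeholder ENI currently in a basic security group
BASTION_CIDR="${BASTION_CIDR:-203.0.113.10/32}"  # placeholder admin host allowed to reach SSH
CLUSTER_CIDR="${CLUSTER_CIDR:-192.168.10.0/24}"  # placeholder VSwitch CIDR of the cluster members

# Execute an aliyun CLI call, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'aliyun %s\n' "$*"
  else
    aliyun "$@"
  fi
}

# Reject inputs that defeat the whitelist model: a catch-all CIDR, or anything that is
# not a well-formed IPv4 CIDR (a.b.c.d/n). IPv4-only shape check. Returns 0 if acceptable.
check_cidr() {
  case "$1" in
    0.0.0.0/0|::/0) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Step 1: create the group. "enterprise" is the SecurityGroupType value for an advanced group.
create_group() {
  run ecs CreateSecurityGroup --RegionId "$REGION" --VpcId "$VPC_ID" \
      --SecurityGroupType enterprise --SecurityGroupName adv-sg-example
}

# Step 2: inbound rule. No Priority is passed, Policy defaults to accept, source is a CIDR only.
# Everything not explicitly listed stays denied.
add_inbound_rule() {
  sg_id="$1"; proto="$2"; port_range="$3"; src_cidr="$4"
  check_cidr "$src_cidr" || { echo "refusing source CIDR '$src_cidr'" >&2; return 1; }
  run ecs AuthorizeSecurityGroup --RegionId "$REGION" --SecurityGroupId "$sg_id" \
      --IpProtocol "$proto" --PortRange "$port_range" --SourceCidrIp "$src_cidr"
}

# Step 3: outbound rule, with DestCidrIp as the authorization object.
add_outbound_rule() {
  sg_id="$1"; proto="$2"; port_range="$3"; dest_cidr="$4"
  check_cidr "$dest_cidr" || { echo "refusing destination CIDR '$dest_cidr'" >&2; return 1; }
  run ecs AuthorizeSecurityGroupEgress --RegionId "$REGION" --SecurityGroupId "$sg_id" \
      --IpProtocol "$proto" --PortRange "$port_range" --DestCidrIp "$dest_cidr"
}

# Step 4: add the VPC-type instance (it must not also be in a basic group).
join_instance() {
  run ecs JoinSecurityGroup --RegionId "$REGION" --InstanceId "$INSTANCE_ID" --SecurityGroupId "$1"
}

# Step 5: move the ENI into the advanced group first, then attach it to the instance.
move_and_attach_eni() {
  run ecs ModifyNetworkInterfaceAttribute --RegionId "$REGION" --NetworkInterfaceId "$ENI_ID" --SecurityGroupId.1 "$1"
  run ecs AttachNetworkInterface --RegionId "$REGION" --NetworkInterfaceId "$ENI_ID" --InstanceId "$INSTANCE_ID"
}

# Step 6: list the advanced groups in the region (the SecurityGroupType filter is assumed).
list_groups() {
  run ecs DescribeSecurityGroups --RegionId "$REGION" --SecurityGroupType enterprise
}

main() {
  sg_id="${SG_ID:-sg-EXAMPLE}"   # placeholder; with DRY_RUN=0 take it from CreateSecurityGroup's response
  create_group
  add_inbound_rule "$sg_id" tcp 22/22 "$BASTION_CIDR"
  # Members of an advanced group are not mutually reachable by default; allow the cluster CIDR explicitly.
  add_inbound_rule "$sg_id" tcp 1/65535 "$CLUSTER_CIDR"
  add_outbound_rule "$sg_id" tcp 443/443 "$CLUSTER_CIDR"
  join_instance "$sg_id"
  move_and_attach_eni "$sg_id"
  list_groups
}

main "$@"
```

Run it as-is to review the exact command sequence before touching the account; `DRY_RUN=0 SG_ID=<id from step 1> ./adv-sg.sh` executes it. Note that the guard in `check_cidr` only enforces the shape of the CIDR; whether a given block is an appropriate source for the rule remains a design decision.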