Compared with basic security groups, advanced security groups can contain more ECS instances and ENIs, and can manage unlimited private IP addresses. Advanced security groups are applicable to VPC networks, and have a simplified rule adding mechanism. Advanced security groups can be used in scenarios that have higher requirements for O&M efficiency, ECS instance specifications, and computing nodes.
Feature comparison
Because you cannot add ECS instances or ENIs to both basic and advanced security groups, we recommend that you learn about the functional differences between the two security group types before planning your network environment. For more information about basic security groups, see Security group overview.
| Item | Basic security group | Advanced security group |
|---|---|---|
| Supports all instance types? | Yes | No. Only supports instances that support IPv6. |
| Supports VPCs? | Yes | Yes |
| Supports classic networks? | Yes | No |
| Rule priority available? | Yes | No |
| Access permissions granted to other security groups? | Yes | No |
| Manual setting of allow security group rules? | Yes | Yes |
| Manual setting of deny security group rules? | Yes | No. All access requests are denied for advanced security groups by default. |
| Number of ENIs supported | Limited by the number of ECS instances in the security group | 50,000 |
| ENIs bound to any instance type? | Yes. The instance network type must be VPC. | No. ENIs can only be bound to instance types that support IPv6. |
| Number of private IP addresses | 2,000 | No limit |
Limits
- You cannot add ECS instances created before May 30, 2019 to advanced security groups.
- You can add only instance types that support IPv6 to advanced security groups. For more information, see Instance type families.
- ECS instances and ENIs have the following requirements on security group types:
- An ECS instance cannot be added to both a basic security group and an advanced security group.
- An ENI cannot be added to both a basic security group and an advanced security group.
- When an ENI is bound to an ECS instance, they must belong to the same security group type.
Console operations
In the ECS console, you can use advanced security groups as follows:
- Create an advanced security group. Set Security Group Type to Advanced Security Group.
- Add an allow rule to the advanced security group.
An advanced security group is equivalent to a communication whitelist. Only allow rules can be created and no priority values can be set for rules. Authorization objects must be CIDR blocks instead of security groups.
- Add an ECS instance that supports IPv6 to an advanced security group. An ECS instance cannot be added to both a basic security group and an advanced security group.
- Perform the following steps to use an ENI in an advanced security group:
- If an ENI is already in a basic security group, you can Modify an ENI to add the ENI to an advanced security group.
- Bind the ENI to an ECS instance.
- (Optional) Manage an advanced security group. For example, you can add a tag, modify the name and description, and manage ECS instances in the advanced security group.
API operations
- Call CreateSecurityGroup and set SecurityGroupType to enterprise.
Before creating a security group, confirm that a VPC and a VSwitch have been created.
- Call AuthorizeSecurityGroup to add a rule which allows inbound traffic to the advanced security group. Authorization
objects must be CIDR blocks instead of security groups.
An advanced security group is equivalent to a communication whitelist. Policy is set to accept by default. You can leave Priority blank, but you must specify IpProtocol, PortRange, SourcePortRange (optional), SourceCidrIp, and DestCiderIp.
- Call AuthorizeSecurityGroupEgress to add an outbound rule to the advanced security group.
- Call JoinSecurityGroup to add a VPC-type ECS instance to the advanced security group.
- Perform the following steps to use an ENI in an advanced security group:
- Call ModifyNetworkInterfaceAttribute to add an ENI to an advanced security group, if the ENI is already in a basic security group.
- Call AttachNetworkInterface to attach an ENI that has been added to an advanced security group to an ECS instance.
- (Optional) Call DescribeSecurityGroups to view the list of security groups you have created in the current region.