Policy groups configured on an internal firewall between ECS instances are classified
into common and enterprise policy groups.
- A common policy group takes effect on the basic security groups of ECS instances. It functions as a virtual firewall to monitor connection status and filter data packets, and can be used to isolate security domains on the cloud. You can configure access control policies to allow or deny inbound and outbound traffic between ECS instances in a common policy group.
- An enterprise policy group takes effect on the advanced security groups of ECS instances. It supports more ECS instances than a common policy group. You can configure access control policies for a large number of private IP addresses. Enterprise policy groups are ideal for enterprises that require efficient O&M on large-scale networks.
The following table lists the differences between common and enterprise policy groups.
| Feature | Common policy group | Enterprise policy group |
|---|---|---|
| VPC | Supported | Supported |
| Policy priority configuration | Supported | Not supported |
| Authorization of other policy groups | Supported | Not supported |
| Custom policy configuration to allow traffic | Supported | Supported |
| Custom policy configuration to deny traffic | Supported | Not supported (Enterprise policy groups deny all traffic by default.) |
| Number of private IP addresses | 2,000 | 65,536 |
| Communication between ECS instances in the same policy group | Not supported (You must manually create policies to allow the communication.) | Not supported (You must manually create policies to allow the communication.) |