Policy groups configured on an internal firewall between ECS instances are classified
into common and enterprise policy groups.
- A common policy group takes effect on basic security groups of ECS instances. It functions as a virtual firewall to detect connection status and filter data packets and can be used to divide security zones on the cloud. You can configure access control policies to allow or deny inbound and outbound traffic between ECS instances in a common policy group.
- An enterprise policy group takes effect on advanced security groups of ECS instances. It supports more ECS instances than a common policy group. You can configure access control policies for a large number of private IP addresses. Enterprise policy groups are ideal for enterprises that require efficient O&M on large-scale networks.
The following table lists the differences between common and enterprise policy groups.
| Feature | Common policy group | Enterprise policy group |
|---|---|---|
| VPC | Supported | Supported |
| Policy priority | Supported | Not supported |
| Authorization of other policy groups | Supported | Not supported |
| Custom allow policy | Supported | Supported |
| Custom deny policy | Supported | Not supported (Enterprise policy groups deny all traffic by default.) |
| Number of private IP addresses | 2,000 | 65,536 |
| Communication between ECS instances in the same policy group | Supported | Not supported (You must manually add policies to allow the communication.) |