A security group is a virtual firewall that provides Stateful Packet Inspection (SPI) and packet filtering. Security groups are used to set network access control for one or more ECS instances. Specifically, security groups isolate security domains on the cloud.

A security group is a logical group that contains instances with the same security requirements and mutual trust within the same region. Each instance belongs to at least one security group, which must be specified during instance creation. Instances in the same security group can communicate through the intranet, but instances in different security groups are isolated from each other by default. However, mutual access between two security groups can be authorized.

Security group restrictions

  • By default, each account can create a maximum of 100 security groups in a region. This limit may be higher depending on your membership level. To raise the upper limit, you can open a ticket.

  • Each Elastic Network Interface (ENI) of an instance can join up to five security groups by default. You can open a ticket to raise the upper limit to a maximum of 10 or 16.

  • You can choose either of the two network types for security groups: classic network and Virtual Private Cloud (VPC).

    • Classic network instances can join security groups of classic networks in the same region.

      A single security group on a classic network cannot contain more than 1,000 instances. If more than 1,000 instances need to access each other over the intranet, you can allocate them to different security groups and authorize mutual access among the security groups.

    • VPC instances can join security groups on the same VPC.

      A single security group on a VPC cannot contain more than 2,000 private IP addresses (shared by the primary and secondary ENIs). If more than 2,000 private IP addresses need to access each other over the intranet, you can allocate the relevant instances to different security groups and authorize mutual access among the security groups.

  • Adjusting security groups will not affect the continuity of your service.

  • If an outbound packet is permitted, inbound packets over this connection are also permitted.

For more information, see FAQ about security group limits.

Overview of security group rules

For ECS instances in a security group, you can set security group rules to permit or forbid inbound and outbound access over the Internet or intranet.

You can create or delete security group rules at any time. Once changes are made, the updated security group rules are automatically applied to ECS instances in the security group.

When setting security group rules, make sure they are concise. If you add an ECS instance to multiple security groups, hundreds of rules may apply to the instance, which may cause connection errors when you access the instance.

Restrictions on security group rules

Maximum number of security group rules per ENI = number of security groups that the subject instance can join × maximum number of rules per security group.

Each ENI of an instance can have a maximum of 500 security group rules. Where:

  • Each instance can join up to five security groups by default.

    You can open a ticket to raise the limit to 10 or 16. However, raising the number of security groups lowers the number of rules permitted in one security group.

  • Each security group can have a maximum of 100 security group rules, including both inbound and outbound rules.

    The number of rules per security group is 100, 50, or 30, depending on the security group quota, that is, the number of security groups that an ENI is allowed to join. In every case the inbound and outbound rules are counted together, not separately, and their combined total cannot exceed 100.

The following table shows how the number of rules varies according to the number of security groups.

Number of security groups          Max. number of rules per security group
5 (default value)                  100
10 (you need to open a ticket)     50
16 (you need to open a ticket)     30

Examples

By default, an ENI can join up to five security groups, each of which has a maximum of 100 rules.

If each ENI is allowed to join 10 security groups, each security group can have a maximum of 50 rules. This is because for each instance, the total number of security group rules cannot be greater than 500.

If you want more security groups with fewer rules per group for one instance, you can open a ticket to raise the security group quota, which lowers the maximum number of rules permitted per security group.
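The quota table and the per-ENI totals above are easy to get wrong when an instance is in several groups, and the page warns that hundreds of effective rules can cause connection errors. The following added example (not part of the original documentation or any Alibaba Cloud SDK) checks a constructed set of security groups attached to one ENI against the limits stated on this page; the group IDs and rule counts are made up.

```python
from dataclasses import dataclass

# Quota table from the documentation: number of security groups an ENI may
# join -> maximum rules (inbound + outbound combined) per security group.
RULES_PER_GROUP = {5: 100, 10: 50, 16: 30}
MAX_RULES_PER_ENI = 500


@dataclass
class SecurityGroup:
    group_id: str
    inbound: int   # number of inbound rules
    outbound: int  # number of outbound rules

    @property
    def rule_count(self) -> int:
        # Inbound and outbound rules are not counted separately.
        return self.inbound + self.outbound


def check_eni(groups, group_quota=5):
    """Validate the groups attached to one ENI for a given group quota.

    Returns (total_rules, findings); an empty findings list means the
    configuration is within the documented limits.
    """
    if group_quota not in RULES_PER_GROUP:
        raise ValueError(f"unsupported security group quota: {group_quota}")
    per_group_cap = RULES_PER_GROUP[group_quota]
    findings = []
    if len(groups) > group_quota:
        findings.append(f"ENI joins {len(groups)} groups, quota is {group_quota}")
    for g in groups:
        if g.rule_count > per_group_cap:
            findings.append(f"{g.group_id}: {g.rule_count} rules exceed "
                            f"per-group cap of {per_group_cap}")
    total = sum(g.rule_count for g in groups)
    if total > MAX_RULES_PER_ENI:
        findings.append(f"ENI total of {total} rules exceeds {MAX_RULES_PER_ENI}")
    return total, findings


# Constructed sample: two groups on one ENI (hypothetical IDs and counts).
SAMPLE_GROUPS = [
    SecurityGroup("sg-constructed-web", inbound=40, outbound=20),
    SecurityGroup("sg-constructed-db", inbound=80, outbound=30),
]

if __name__ == "__main__":
    total, findings = check_eni(SAMPLE_GROUPS)
    print(f"{total} effective rules on the ENI")
    for f in findings:
        print("FINDING:", f)
```

Re-running the check with `group_quota=10` shows how raising the group quota tightens the per-group cap: both sample groups then exceed 50 rules.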