Security groups

Security group restrictions

• A single security group cannot contain more than 1,000 instances. If you require intranet mutual access between more than 1,000 instances, you can allocate them to different security groups and authorize mutual access.
• Each instance can join up to five security groups by default. You can open a ticket to raise the upper limit to a maximum of 16.
• There a maximum limit for the number of security groups you can have for a region. The limit depends on your level of experience with Alibaba Cloud. For new users, the limit is 100 security groups. For more experienced users, the limit is higher.
• Adjusting security groups will not affect the continuity of user service.
• Security groups are stateful. If an outbound packet is permitted, inbound packets corresponding to this connection will also be permitted.
• Security groups have two network types: classic network and Virtual Private Cloud (VPC).
  • Classic network instances can join security groups on classic networks in the same region.
  • VPC instances can join security groups on the same VPC.

Security group rules

Security group rules can be set that permit or forbid ECS instances in a security group from accessing a public network or intranet in the inbound and outbound directions.

You can create or delete security group rules at any time. Once changes are made, the updated security group rules are automatically applied to ECS instances in the security group.

When setting security group rules, make sure they are concise. If you add an ECS instance to multiple security groups, hundreds of rules may apply to the instance, which may cause connection errors when you access the instance.

Security group rule restrictions

Each security group can have a maximum of 100 security group rules.