You can clone a security group across regions and network types.


The following scenarios detail examples as to when you may need to clone a security group:

  • You have created a security group, named SG1, in Region A, and you want to apply the same rules of SG1 to ECS instances in Region B.  To do so, you can clone SG1 to Region B without creating a new security group in Region B.
  • You have a security group in the classic network, named SG2. You want to apply the rules of SG2 to instances in a VPC. To do so, you can clone SG2 and choose VPC as the network type when configuring the cloning. Then, in the VPC network, you will have a new security group that has the same rules as SG2.
  • If you want to apply new security group rules to an ECS instance that are running an online business application, we recommend that you clone the security group as a backup before modifying the rules. If the new security group rules are disadvantageous to the online business application, you can restore the rules completely or partly.


If you want to change the network type of a security group from Classic to VPC, you have to create a VPC and VSwitch in the target region first.


  1. Log on to the ECS console.
  2. In the left-side navigation pane, select Networks and Security > Security Groups.
  3. Select the target region.
  4. Find the target security group and then, in the Actions column, click Clone Security Group.
  5. In the Clone Security Group dialog box, set the new security group information:
    • Target Region: Select a region suitable for the new security group. Note that only supported regions are displayed in the drop-down list.
    • Security Group Name: Specify a new name for the new security group.
    • Network Type: Select a network type suitable for the new security group. If VPC is selected, you must select a VPC in the drop-down list.

  6. Click OK.

After successful creation, the Clone Security Group dialog box closes automatically. The new security group is displayed on the Security Groups page.