Security groups come in two types: basic security groups and advanced security groups. Both types are free of charge. They differ in aspects such as capacity, whether rules can authorize other security groups, and default access control rules. These differences make them suitable for different use cases. This topic describes their features and differences.
When you associate an ECS instance or an elastic network interface with multiple security groups, the security groups must all be of the same type. You cannot associate a resource with both basic and advanced security groups.
Private IP address capacity per security group
When you associate resources such as ECS instances, elastic network interfaces, or ECI instances with a security group, their private IP addresses count towards the group's capacity. A single resource can have one or more private IP addresses.
The following table compares their capacities.
Security group type | Private IP capacity |
basic security group | VPC: 6,000 |
advanced security group | VPC: 65,536. Note: Capacity usage is based on the total number of elastic network interfaces (including primary and secondary ENIs) associated with the security group. |
In a VPC, an advanced security group can hold more resources than a basic security group. For large clusters where a basic security group's IP address capacity is insufficient, use an advanced security group.
You can view the IP address usage of a security group in the console or by calling an API operation.
Security groups as authorization objects
You can add a security group rule that authorizes access to or from another security group by referencing its ID.
Security group type | Authorization by group | Description |
basic security group | Yes | You can add rules that authorize other basic security groups. You can add a maximum of 20 such rules. For more information, see Security group limits. |
advanced security group | No | You cannot add rules that use a security group as the authorization object, nor can you use an advanced security group as an authorization object in the rules of another security group. |
Internal interconnectivity
The internal interconnectivity feature of a basic security group allows network access between ECS instances in the same group. You can enable or disable this feature by modifying the group's internal access policy. In an advanced security group, instances are isolated by default, and this policy cannot be changed.
Security group type | Internal access policy can be modified | Default policy |
basic security group | Yes | Internal interconnectivity. Note: If you need to restrict network communication between ECS instances for security reasons, you can modify the internal access policy of the basic security group in the ECS console. For more information, see Modify the internal access policy of a basic security group. |
advanced security group | No | Internal isolation. |
Default access control rules
Basic and advanced security groups have different default access control rules. For basic security groups, the internal access policy also determines their default access control rules. These default rules are not visible in the console, but they work together with your custom security group rules to control traffic.
In the following tables, rules are evaluated in order of priority, where 1 is the highest priority (1, 2, 3...); the first matching rule decides the action.
Basic security group
Internal interconnectivity
Inbound
When a basic security group's policy is set to internal interconnectivity, traffic from other ECS instances within the same security group is allowed by default (Priority 1), overriding your custom rules. Other traffic that matches a custom rule is allowed or denied depending on the rule's action (Priority 2). All other traffic is denied (Priority 3).
Priority | Rule type | Traffic type | Action |
1 | Default access control rule (invisible) | Traffic from other ECS instances in the same security group | Allow |
2 | Custom rule | Traffic that matches a custom rule | Allow or Deny (depending on the rule's action) |
3 | Default access control rule (invisible) | All other traffic | Deny |
Outbound
For outbound traffic from a basic security group, traffic that matches a custom rule is allowed or denied depending on the rule's action (Priority 1). All other outbound traffic is allowed by default (Priority 2).
Priority | Rule type | Traffic type | Action |
1 | Custom rule | Traffic that matches a custom rule | Allow or Deny (depending on the rule's action) |
2 | Default access control rule (invisible) | All other traffic | Allow |
Internal isolation
Inbound
When a basic security group's policy is set to internal isolation, traffic from other ECS instances in the same group is no longer allowed by default. Inbound traffic that matches a custom rule is allowed or denied depending on the rule's action (Priority 1). All other inbound traffic is denied (Priority 2).
Priority | Rule type | Traffic type | Action |
1 | Custom rule | Traffic that matches a custom rule | Allow or Deny (depending on the rule's action) |
2 | Default access control rule (invisible) | All other traffic | Deny |
Outbound
The behavior is the same as when the policy is set to internal interconnectivity.
Priority | Rule type | Traffic type | Action |
1 | Custom rule | Traffic that matches a custom rule | Allow or Deny (depending on the rule's action) |
2 | Default access control rule (invisible) | All other traffic | Allow |
The internal access policy affects the default inbound rules for a basic security group. When the policy is set to internal interconnectivity, traffic from other ECS instances in the same group is allowed by default. As a best practice, follow the principle of least privilege. If instances within a basic security group do not need to communicate with each other, set the policy to internal isolation.
Advanced security group
Inbound
For an advanced security group, inbound traffic that matches a custom rule is allowed or denied depending on that rule's action (Priority 1). All other inbound traffic is denied by default (Priority 2).
Priority | Rule type | Traffic type | Action |
1 | Custom rule | Traffic that matches a custom rule | Allow or Deny (depending on the rule's action) |
2 | Default access control rule (invisible) | All other traffic | Deny |
Outbound
For an advanced security group, outbound traffic that matches a custom rule is allowed or denied depending on that rule's action (Priority 1). All other outbound traffic is denied by default (Priority 2). Unlike a basic security group, an advanced security group therefore blocks all outbound traffic until you add an explicit allow rule.
Priority | Rule type | Traffic type | Action |
1 | Custom rule | Traffic that matches a custom rule | Allow or Deny (depending on the rule's action) |
2 | Default access control rule (invisible) | All other traffic | Deny |
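As an added illustration that is not part of the original documentation or of any ECS product code, the following Python evaluator walks the priority tables above for a single packet and reports which rule decided the outcome. The rule shape (one port, one CIDR), the first-match ordering among custom rules, and all IP addresses are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """A simplified custom security group rule (assumed shape: one CIDR, one port)."""
    direction: str      # "inbound" or "outbound"
    cidr: str           # source CIDR for inbound, destination CIDR for outbound
    port: int
    action: str         # "Allow" or "Deny"


@dataclass
class SecurityGroup:
    group_type: str                                 # "basic" or "advanced"
    internal_policy: str = "interconnectivity"      # basic groups only; "isolation" otherwise
    members: set = field(default_factory=set)       # private IPs of instances in the group
    rules: list = field(default_factory=list)       # custom rules, evaluated first-match


def evaluate(group: SecurityGroup, direction: str, peer_ip: str, port: int) -> tuple:
    """Return (action, reason) by walking the priority tables for this group type."""
    peer = ipaddress.ip_address(peer_ip)
    # Priority 1 (basic group, internal interconnectivity, inbound only): traffic from
    # another instance in the same group is allowed before any custom rule is consulted,
    # so a custom Deny rule cannot block it.
    if (group.group_type == "basic" and direction == "inbound"
            and group.internal_policy == "interconnectivity"
            and peer_ip in group.members):
        return "Allow", "default rule: traffic from the same security group"
    # Next priority: the first matching custom rule decides (assumed ordering).
    for rule in group.rules:
        if (rule.direction == direction and rule.port == port
                and peer in ipaddress.ip_network(rule.cidr)):
            return rule.action, "custom rule"
    # Lowest priority: the invisible default rule for this direction and group type.
    if direction == "inbound":
        return "Deny", "default rule: all other inbound traffic"
    if group.group_type == "basic":
        return "Allow", "default rule: all other outbound traffic (basic)"
    return "Deny", "default rule: all other outbound traffic (advanced)"
```

Switching `internal_policy` to `"isolation"` on the basic group is the least-privilege setting the page recommends; the same custom Deny rule then takes effect for same-group traffic.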