
Elastic Compute Service:Basic and advanced security groups

Last Updated:Apr 27, 2026

Basic and advanced security groups differ in IP capacity, group-based authorization, and default access control rules.

Note

When you associate an ECS instance or an elastic network interface with multiple security groups, all groups must be of the same type. You cannot mix basic and advanced security groups on a single resource.

Private IP address capacity

When you associate resources such as ECS instances, elastic network interfaces, or ECI instances with a security group, their private IP addresses count toward the group's capacity.

The following table compares the two types.

Security group type: Basic security group
Private IP capacity: 6,000 per security group in a VPC

Note
  • Capacity usage is the total number of private IP addresses on all associated ENIs (primary and secondary): primary private IPv4 addresses, IPv6 addresses, secondary private IPv4 addresses, IPv4 prefixes, and IPv6 prefixes.

  • If you need more than 6,000 private IP addresses to communicate over the internal network, assign the ECS instances to multiple basic security groups and add rules that authorize mutual access between those groups.

  • View the maximum private IP address count for a basic security group in a VPC in Quota Center under quota ID q_vpc-normal-security-group-ip-count.

Security group type: Advanced security group
Private IP capacity: 65,536 per security group in a VPC

Note

Capacity usage is the total number of ENIs (primary and secondary) associated with the security group. Unlike a basic security group, an advanced security group counts interfaces, not the individual addresses and prefixes assigned to them.

An advanced security group supports more resources than a basic security group in a VPC. Use an advanced security group for large clusters that exceed the basic group's IP capacity.

You can view the IP address usage of a security group in the ECS console or by calling an API operation.
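The two counting rules above differ in practice: a fleet whose ENIs carry several addresses each can exhaust a basic group's 6,000-address capacity while using only a fraction of an advanced group's 65,536-ENI capacity. The following Python is an added example, not code from the original page or from Alibaba Cloud. It applies both counting rules to a constructed fleet and shows how many basic groups a first-fit split would need. The Eni class, the rule that each assigned address or delegated prefix counts as one unit, and the constructed_fleet() sample are this example's own assumptions; the 6,000 and 65,536 limits are the figures from the page.

```python
"""Capacity accounting for ECS basic and advanced security groups.

Added example: a basic security group charges one unit per private address
or prefix on every associated ENI; an advanced security group charges one
unit per ENI. Prefix handling and the sample fleet are assumptions.
"""
from dataclasses import dataclass, field

BASIC_CAPACITY = 6_000       # basic security group in a VPC (from the page)
ADVANCED_CAPACITY = 65_536   # advanced security group in a VPC (from the page)


@dataclass
class Eni:
    """Private addressing on one elastic network interface (primary or secondary)."""
    eni_id: str
    primary_ipv4: str
    secondary_ipv4: list = field(default_factory=list)
    ipv6: list = field(default_factory=list)
    ipv4_prefixes: list = field(default_factory=list)   # e.g. "10.0.8.0/28"
    ipv6_prefixes: list = field(default_factory=list)

    def address_entries(self) -> int:
        # Assumption: each assigned address or delegated prefix is one capacity unit.
        return (1 + len(self.secondary_ipv4) + len(self.ipv6)
                + len(self.ipv4_prefixes) + len(self.ipv6_prefixes))


def basic_usage(enis) -> int:
    """Usage a basic security group charges for these ENIs: every address and prefix."""
    return sum(e.address_entries() for e in enis)


def advanced_usage(enis) -> int:
    """Usage an advanced security group charges: one unit per ENI."""
    return len(enis)


def fits(group_type: str, enis) -> bool:
    """Whether all ENIs fit in a single security group of the given type."""
    if group_type == "basic":
        return basic_usage(enis) <= BASIC_CAPACITY
    if group_type == "advanced":
        return advanced_usage(enis) <= ADVANCED_CAPACITY
    raise ValueError(f"unknown security group type: {group_type!r}")


def split_into_basic_groups(enis) -> list:
    """Partition ENIs into basic groups with a first-fit-decreasing pass.

    An ENI is never split across groups. As the page notes, the caller must
    still add rules that authorize mutual access between the resulting groups.
    """
    groups, loads = [], []
    for eni in sorted(enis, key=lambda e: e.address_entries(), reverse=True):
        need = eni.address_entries()
        if need > BASIC_CAPACITY:
            raise ValueError(f"{eni.eni_id} alone exceeds the basic group capacity")
        for i, load in enumerate(loads):
            if load + need <= BASIC_CAPACITY:
                groups[i].append(eni)
                loads[i] += need
                break
        else:
            groups.append([eni])
            loads.append(need)
    return groups


def constructed_fleet(n: int) -> list:
    """Constructed sample: n instances, one ENI each, with 2 secondary IPv4 and 1 IPv6."""
    return [
        Eni(f"eni-{i:05d}", f"10.0.{i // 250}.{i % 250 + 1}",
            secondary_ipv4=[f"10.1.{i // 250}.{i % 250 + 1}",
                            f"10.2.{i // 250}.{i % 250 + 1}"],
            ipv6=[f"2001:db8::{i:x}"])
        for i in range(n)
    ]


if __name__ == "__main__":
    fleet = constructed_fleet(2000)
    print("basic usage:", basic_usage(fleet), "fits:", fits("basic", fleet))
    print("advanced usage:", advanced_usage(fleet), "fits:", fits("advanced", fleet))
    print("basic groups needed:", len(split_into_basic_groups(fleet)))
```

With the constructed fleet of 2,000 instances carrying four address entries each, a basic group is over capacity (8,000 entries) while an advanced group is at 2,000 of 65,536; the first-fit split needs two basic groups, which then require mutual-access rules between them.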

Group-based authorization

A security group rule can authorize access to or from another security group by referencing its ID.

Security group type: Basic security group
Authorization by group: Yes
Description: Rules can use another basic security group as the authorization object, in up to 20 such rules per group. See Security group limits.

Security group type: Advanced security group
Authorization by group: No
Description: Rules cannot use a security group as the authorization object, and an advanced security group cannot be the authorization object in another group's rules. Authorize peers by CIDR block instead.

Internal interconnectivity

In a basic security group, instances in the same group can access each other over the internal network by default. You can change this by modifying the group's internal access policy. In an advanced security group, instances in the same group are isolated from each other, this cannot be changed, and intra-group traffic passes only if a custom Allow rule matches it (by CIDR block, since group-based authorization is not available).

Security group type: Basic security group
Internal access policy: Configurable. Default: Internal Interconnectivity.

Note

To restrict communication between instances in the same group, modify the internal access policy in the ECS console. See Modify the internal access policy of a basic security group.

Security group type: Advanced security group
Internal access policy: Not configurable. Fixed: Internal Isolation.

Default access control rules

Basic and advanced security groups apply different default access control rules. For basic security groups, the internal access policy determines the default inbound rules. These invisible default rules combine with your custom rules to control traffic.

Note

In the following tables, rules are evaluated in priority order: Priority 1 is checked first, and the first rule that matches the traffic decides the action.

Basic security group

Internal interconnectivity

  • Inbound

    With internal interconnectivity, traffic from other instances in the same group is allowed by an invisible default rule at Priority 1, before any custom rule is consulted; a custom Deny rule therefore cannot block intra-group traffic. Traffic matching a custom rule is allowed or denied per the rule's action (Priority 2). All other traffic is denied (Priority 3).

    Priority  Rule type                                Traffic type                                                 Action
    1         Default access control rule (invisible)  Traffic from other ECS instances in the same security group  Allow
    2         Custom rule                              Traffic that matches a custom rule                           Allow or Deny (depending on the rule's action)
    3         Default access control rule (invisible)  All other traffic                                            Deny

  • Outbound

    Traffic matching a custom rule is allowed or denied per the rule's action (Priority 1). All other outbound traffic is allowed by default (Priority 2).

    Priority  Rule type                                Traffic type                        Action
    1         Custom rule                              Traffic that matches a custom rule  Allow or Deny (depending on the rule's action)
    2         Default access control rule (invisible)  All other traffic                   Allow

Internal isolation

  • Inbound

    With internal isolation, inbound traffic matching a custom rule is allowed or denied per the rule's action (Priority 1). All other inbound traffic, including traffic from instances in the same group, is denied (Priority 2).

    Priority  Rule type                                Traffic type                        Action
    1         Custom rule                              Traffic that matches a custom rule  Allow or Deny (depending on the rule's action)
    2         Default access control rule (invisible)  All other traffic                   Deny

  • Outbound

    Outbound rules are the same as under internal interconnectivity.

    Priority  Rule type                                Traffic type                        Action
    1         Custom rule                              Traffic that matches a custom rule  Allow or Deny (depending on the rule's action)
    2         Default access control rule (invisible)  All other traffic                   Allow

The internal access policy affects only the default inbound rules of a basic security group. With internal interconnectivity, traffic from other instances in the same group is allowed by the default rule and cannot be blocked by a custom Deny rule. As a best practice, set the policy to internal isolation whenever instances in the group do not need to communicate with each other, and authorize any intra-group traffic you do need with explicit custom rules.

Advanced security group

  • Inbound

    Inbound traffic matching a custom rule is allowed or denied per the rule's action (Priority 1). All other inbound traffic, including traffic from instances in the same group, is denied by default (Priority 2).

    Priority  Rule type                                Traffic type                        Action
    1         Custom rule                              Traffic that matches a custom rule  Allow or Deny (depending on the rule's action)
    2         Default access control rule (invisible)  All other traffic                   Deny

  • Outbound

    Outbound traffic matching a custom rule is allowed or denied per the rule's action (Priority 1). All other outbound traffic is denied by default (Priority 2), unlike a basic security group, which allows it.

    Priority  Rule type                                Traffic type                        Action
    1         Custom rule                              Traffic that matches a custom rule  Allow or Deny (depending on the rule's action)
    2         Default access control rule (invisible)  All other traffic                   Deny
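The decision tables above for basic security groups (under both internal access policies) and for advanced security groups can be exercised as code. The following Python is an added example, not code from the original page or from Alibaba Cloud. It encodes the invisible default rules and their priorities exactly as the tables state them and runs a constructed scenario: a single custom rule denying TCP 22 from 10.0.0.0/8, applied to a basic group under interconnectivity, the same group under isolation, and an advanced group. The Rule, Packet and SecurityGroup shapes, the group IDs, and the addresses are this example's own assumptions. Ordering among custom rules is not covered by the page; the example tries lower priority numbers first and, at equal priority, Deny before Allow, which is its own assumption.

```python
"""Rule evaluation for ECS basic and advanced security groups, following the
priority tables on this page. Added example: rule and packet shapes, the
custom-rule ordering, and the sample groups are assumptions, not ECS APIs.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_GROUP_REFERENCING_RULES = 20   # basic security groups only (from the page)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    peer: str              # CIDR such as "10.0.0.0/8", or a group ID such as "sg-web"
    priority: int = 1      # among custom rules only; lower is evaluated first (assumption)


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int
    peer_ip: str
    peer_group: Optional[str] = None   # security group of the peer instance, if known


@dataclass
class SecurityGroup:
    group_id: str
    group_type: str                              # "basic" or "advanced"
    internal_policy: str = "interconnectivity"   # basic groups only; see __post_init__
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def __post_init__(self):
        by_group = [r for r in self.inbound + self.outbound if r.peer.startswith("sg-")]
        if self.group_type == "advanced":
            self.internal_policy = "isolation"   # fixed; not configurable
            if by_group:
                raise ValueError("advanced security groups cannot authorize by group ID")
        elif self.group_type == "basic":
            if len(by_group) > MAX_GROUP_REFERENCING_RULES:
                raise ValueError("a basic security group allows at most 20 group-referencing rules")
        else:
            raise ValueError(f"unknown group type {self.group_type!r}")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, port range and peer (group ID or CIDR) must all match."""
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if not rule.port_from <= pkt.port <= rule.port_to:
        return False
    if rule.peer.startswith("sg-"):
        return pkt.peer_group == rule.peer
    return ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.peer, strict=False)


def evaluate(group: SecurityGroup, direction: str, pkt: Packet):
    """Return (action, reason) for one packet, walking the page's priority tables."""
    rules = group.inbound if direction == "inbound" else group.outbound

    # Basic group, internal interconnectivity, inbound: the invisible Priority 1
    # rule allows same-group traffic before custom rules are seen, so a custom
    # Deny cannot block it.
    if (direction == "inbound" and group.group_type == "basic"
            and group.internal_policy == "interconnectivity"
            and pkt.peer_group == group.group_id):
        return "allow", "default rule: same-group traffic (internal interconnectivity)"

    # Custom rules. Assumption: lower priority number first, Deny before Allow on ties.
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if rule_matches(rule, pkt):
            return rule.action, (f"custom rule: {rule.action} {rule.protocol} "
                                 f"{rule.port_from}-{rule.port_to} {rule.peer}")

    # Trailing invisible default: inbound is denied for both group types;
    # outbound is allowed for a basic group and denied for an advanced group.
    if direction == "inbound" or group.group_type == "advanced":
        return "deny", "default rule: all other traffic"
    return "allow", "default rule: all other outbound traffic (basic group)"


def demo() -> dict:
    """Constructed scenario: one SSH Deny rule applied under each group type and policy."""
    deny_ssh = Rule("deny", "tcp", 22, 22, "10.0.0.0/8")
    same_group_ssh = Packet("tcp", 22, "10.0.1.5", peer_group="sg-web")
    outside_ssh = Packet("tcp", 22, "10.0.2.9")

    connected = SecurityGroup("sg-web", "basic", "interconnectivity", inbound=[deny_ssh])
    isolated = SecurityGroup("sg-web", "basic", "isolation", inbound=[deny_ssh])
    advanced = SecurityGroup("sg-web", "advanced", inbound=[deny_ssh])

    return {
        "basic_interconnected_same_group": evaluate(connected, "inbound", same_group_ssh)[0],
        "basic_interconnected_outside": evaluate(connected, "inbound", outside_ssh)[0],
        "basic_isolated_same_group": evaluate(isolated, "inbound", same_group_ssh)[0],
        "advanced_same_group": evaluate(advanced, "inbound", same_group_ssh)[0],
        "basic_outbound_no_rule": evaluate(connected, "outbound", outside_ssh)[0],
        "advanced_outbound_no_rule": evaluate(advanced, "outbound", outside_ssh)[0],
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:36} {action}")
```

The scenario makes the page's security-relevant point concrete: the same Deny rule blocks SSH from a same-group instance under internal isolation and in an advanced group, but not under internal interconnectivity, where the Priority 1 default rule fires first. It also shows the outbound difference, where a basic group with no outbound rules allows everything and an advanced group denies everything.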