All Products
Document Center

FAQ about security group limits

Last Updated: Apr 14, 2019

Can I adjust the maximum number of rules for a security group?

No. Each security group can have a maximum of 100 security group rules. If the current upper limit does not meet your need, we recommend that you follow these steps:

  1. Check whether redundant rules exist. You can open a ticket and allow Alibaba Cloud technical support to provide inspection services.
  2. If any redundant rules exist, clear them. If there are no such redundant rules, you can split the security group.

Note: Currently, by default every elastic network interface (ENI) in one instance can be associated with a maximum of five security groups, so up to 500 security group rules can be configured for each ENI, meeting the needs of the vast majority of scenarios.

Are the ingress and egress rules of security groups counted separately?

No. The total number of ingress and egress rules per security group together cannot exceed 100.

After the maximum number of VPC instances is changed, does the change only affect newly created security groups?

No. The change of the maximum number takes effect for all security groups. The maximum value refers to the number of private network IP addresses for all VPC instances (shared between the primary and secondary ENIs), and does not refer to the number of VPC instances. However, if you have not enabled the secondary ENI, having 2000 private IP addresses is the same as running 2000 instances.

Why does the number of security group rules exceed the maximum value when I associate an instance with a security group?

The upper limit of security groups rules for a single instance (primary ENI) = (number of security groups that an instance can be associated with) x (maximum number of rules of every security group).

The prompt message “Failed to associate the instance with the security group, because the number of security group rules has reached the upper limit” indicates that the number of security group rules that take effect on the instance has reached the upper limit. To view the total number of rules, follow these steps:

  1. Log on to the ECS console.

  2. Go to the Instances page.

  3. In the Actions column for the specified instance, choose More > Network and Security Group > Configure Security Group.


  4. On the Security Groups page, toggle the tab to view Internal Network Ingress Rules and Internal Network Egress Rules.


Reducing the maximum number of security group rules leads to threshold-crossing. Is it possible to use the security groups normally?

Existing security groups will not be affected. Example:

Each instance can be associated with five security groups. Each security group can have up to 100 rules, and security group A already has 51 rules. Afterwards, you adjust the configuration so that every instance can be associated with 10 security groups and each security group can have at most 50 rules.

In this case, security group A can still work properly. However, if you attempt to add a rule to security group A, the system will prompt you that the number of rules for security group A has reached the upper limit.