A security group is a distributed, stateful virtual firewall with packet filtering. It provides network identity and access management for an instance and controls the traffic to one or more instances.
When an instance is created, it can be associated with a corresponding security group. You can add instances in the same region that have the same network security isolation requirements to the same security group. Configure the security group policy to filter the inbound and outbound traffic of an instance.
By default, a newly created security group enforces an all-drop rule on all inbound and outbound traffic. You can add or delete rules for a security group at any time, and the new rules are automatically applied to all instances associated with that security group.
You can create 50 security groups under each VPC in each region. At most 100 rules can be added for each security group in both directions to meet your requirement for network security isolation.
Each network interface of an instance must be bound to at least one security group and can be associated with up to 5 security groups, which allows precise control of the traffic reaching the instance.
The console currently provides three default security group templates:
| Security Group | Network ACL |
|---|---|
| Effective at instance (network interface) level | Effective at subnet level |
| Only supports allow rules | Supports allow and deny rules |
| Applies to all associated instances | Automatically applies to all instances within the subnet |
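
The following is an added example, not code from the original page or the vendor: a small Python model of how a packet is evaluated under the behaviour described above (all drop by default, allow-only rules, stateful return traffic, 1 to 5 security groups per network interface). The class names, the sample policy and the assumption that a match in any bound group permits the packet are illustrative.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_GROUPS_PER_NIC = 5  # binding limit stated on this page

@dataclass(frozen=True)
class Rule:              # allow rule; security groups have no deny rules
    direction: str       # "in" or "out"
    protocol: str        # "tcp", "udp" or "all"
    ports: tuple         # inclusive (low, high) destination port range
    cidr: str            # remote address range

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)  # no rules == all drop

class NetworkInterface:
    def __init__(self, groups):
        if not 1 <= len(groups) <= MAX_GROUPS_PER_NIC:
            raise ValueError("bind 1 to 5 security groups per network interface")
        self.groups = list(groups)
        self.flows = set()  # connection table that makes the filter stateful

    def permit(self, direction, protocol, local_port, remote_ip, remote_port):
        flow = (protocol, local_port, remote_ip, remote_port)
        if flow in self.flows:           # reply on an already allowed flow
            return True
        # Inbound packets target the local port, outbound ones the remote port.
        dst_port = local_port if direction == "in" else remote_port
        remote = ipaddress.ip_address(remote_ip)
        for group in self.groups:        # assumption: any bound group may allow
            for r in group.rules:
                if (r.direction == direction and r.protocol in ("all", protocol)
                        and r.ports[0] <= dst_port <= r.ports[1]
                        and remote in ipaddress.ip_network(r.cidr)):
                    self.flows.add(flow)
                    return True
        return False                     # default: drop

def demo():
    # Constructed sample policy and addresses (documentation ranges).
    web = SecurityGroup("web", [Rule("in", "tcp", (443, 443), "0.0.0.0/0")])
    nic = NetworkInterface([web])
    return [
        nic.permit("in", "tcp", 22, "203.0.113.7", 50000),    # no rule
        nic.permit("out", "tcp", 443, "203.0.113.7", 51000),  # no tracked flow yet
        nic.permit("in", "tcp", 443, "203.0.113.7", 51000),   # matches allow rule
        nic.permit("out", "tcp", 443, "203.0.113.7", 51000),  # reply on tracked flow
        nic.permit("out", "tcp", 40000, "198.51.100.9", 53),  # no outbound rule
    ]
```

The same outbound reply is dropped before the inbound connection exists and permitted afterwards, which is the practical difference between a stateful filter and a stateless one.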