Which Security Group Rule Has a High Priority When Multiple Security Group Rules Conflict?
An instance can be associated with multiple security groups, and a security group can contain multiple security group rules. Security group rules are matched first by priority and then by action, and deny rules take precedence over allow rules. The following uses inbound traffic as an example to show how security group rules are matched:
- First, traffic is matched based on the sequence number of security groups. You can adjust the security group sequence. A smaller security group sequence number indicates a higher priority.
  If the sequence number of security group A is 1 and that of security group B is 2, security group A has a higher priority than security group B, and traffic preferentially matches the inbound rules of security group A.
- Second, traffic is matched based on the priorities and actions of security group rules.
  - Security group rules are matched by priority first. A smaller value indicates a higher priority.
    If the priority of security group rule A is 1 and that of security group rule B is 2, rule A has a higher priority than rule B, and traffic preferentially matches security group rule A.
  - Deny rules take precedence over allow rules of the same priority.
- Traffic is checked against all inbound rules of a security group based on the protocol, port, and source.
  - If the traffic matches a rule:
    - With Action of Allow, the traffic is allowed to access the instances in the security group.
    - With Action of Deny, the traffic is denied access to the instances in the security group.
  - If the traffic does not match any rule, the traffic is denied access to the instances in the security group.
Figure 1 Security group matching sequence
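As an added illustration, not the cloud platform's own code, the following Python model evaluates an inbound packet against the matching order described above: security groups in sequence order, rules within a group by priority with deny ahead of allow at equal priority, and a default deny when nothing matches. The groups, rules and sample packets are constructed for this example, and the model assumes that evaluation falls through to the next security group when no rule in a higher-priority group matches.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed data model for the matching logic described on this page.
# It is an illustration, not the cloud provider's implementation.


@dataclass(frozen=True)
class Rule:
    priority: int          # smaller value = higher priority
    action: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "any"
    port_range: tuple      # (low, high) inclusive; (0, 65535) matches any port
    source: str            # source CIDR for inbound traffic


@dataclass
class SecurityGroup:
    name: str
    sequence: int          # smaller value = higher priority
    rules: list = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    src_ip: str


def rule_matches(rule, pkt):
    """Protocol, destination port and source address must all match."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    low, high = rule.port_range
    if not low <= pkt.dst_port <= high:
        return False
    return ip_address(pkt.src_ip) in ip_network(rule.source, strict=False)


def rule_order(rule):
    # Priority first; at equal priority, deny (0) sorts ahead of allow (1),
    # which is how "deny takes precedence over allow" is applied.
    return (rule.priority, 0 if rule.action == "deny" else 1)


def evaluate_inbound(groups, pkt):
    """Return (decision, explanation) for one inbound packet.

    Groups are walked in sequence order; within a group, rules are walked in
    priority order. The first matching rule decides. Assumption: if no rule in
    a group matches, evaluation continues with the next group, and if nothing
    matches anywhere the traffic is denied.
    """
    for group in sorted(groups, key=lambda g: g.sequence):
        for rule in sorted(group.rules, key=rule_order):
            if rule_matches(rule, pkt):
                reason = f"{group.name}: priority {rule.priority} {rule.action} rule matched"
                return rule.action, reason
    return "deny", "no rule matched in any security group; default deny"


def sample_groups():
    """Constructed security groups used by the demonstration below."""
    sg_a = SecurityGroup("sg-A", sequence=1, rules=[
        Rule(1, "allow", "tcp", (22, 22), "10.0.0.0/8"),     # SSH from the private range
        Rule(1, "deny", "tcp", (22, 22), "10.0.5.0/24"),     # same priority: deny wins
        Rule(2, "deny", "tcp", (22, 22), "0.0.0.0/0"),       # lower priority catch-all
    ])
    sg_b = SecurityGroup("sg-B", sequence=2, rules=[
        Rule(1, "allow", "tcp", (443, 443), "0.0.0.0/0"),    # HTTPS from anywhere
    ])
    return [sg_b, sg_a]   # deliberately unsorted; sequence decides the order


if __name__ == "__main__":
    groups = sample_groups()
    samples = [
        Packet("tcp", 22, "10.0.5.7"),      # both priority-1 rules match -> deny
        Packet("tcp", 22, "10.1.1.1"),      # only the priority-1 allow matches -> allow
        Packet("tcp", 22, "192.0.2.5"),     # falls to the priority-2 deny -> deny
        Packet("tcp", 443, "203.0.113.9"),  # nothing in sg-A, allowed by sg-B
        Packet("udp", 53, "10.1.1.1"),      # no rule anywhere -> default deny
    ]
    for pkt in samples:
        decision, why = evaluate_inbound(groups, pkt)
        print(f"{pkt.protocol}/{pkt.dst_port} from {pkt.src_ip}: {decision} ({why})")
```

The model makes the two points that most often surprise operators visible in one place: a deny rule only overrides an allow rule of the same or higher priority, so a catch-all deny at a lower priority does not block traffic already allowed at a higher one, and an instance with no matching rule in any of its groups is denied rather than allowed.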
