Does a Security Group Rule or a Network ACL Rule Immediately Take Effect for Its Original Traffic After It Is Modified?

  • Security groups are stateful. Responses to outbound traffic are allowed into the instance regardless of inbound security group rules, and vice versa. Security groups use connection tracking to record information about traffic to and from instances. If a security group rule is added, deleted, or modified, or an instance in the security group is created or deleted, the connection tracking entries of all instances in the security group are automatically cleared. The inbound or outbound traffic of the instance is then treated as new connections, which must match the inbound or outbound security group rules. This ensures that the rules take effect immediately and that incoming traffic remains secure.
  • A modified network ACL rule does not immediately take effect for its original traffic. The original traffic must be interrupted for about 120 seconds before the new rule takes effect for it. To ensure that traffic is interrupted immediately after a rule change, it is recommended that you configure security group rules.
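
The two behaviours described above can be reproduced with a small connection-tracking model. This is an added example, not the provider's code: the names StatefulFilter and replay, the sample flow, and treating "about 120 seconds" as an exact idle expiry are assumptions made for illustration.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 120  # seconds; the page's "about 120 seconds" taken as exact (assumption)

@dataclass
class StatefulFilter:
    """Toy model: rules are consulted only when a flow has no tracked entry."""
    allowed_ports: set
    flush_on_change: bool  # True models the security group, False the network ACL
    tracked: dict = field(default_factory=dict)  # flow -> time of its last packet

    def set_rules(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        if self.flush_on_change:
            self.tracked.clear()  # every existing flow becomes a new connection

    def packet(self, flow, now):
        """Return True if a packet of flow (src, dst_port) passes at time now."""
        last = self.tracked.get(flow)
        if last is not None and now - last < IDLE_TIMEOUT:
            self.tracked[flow] = now  # established flow: current rules are not checked
            return True
        self.tracked.pop(flow, None)  # entry missing or expired after idling
        if flow[1] in self.allowed_ports:  # new connection: evaluate current rules
            self.tracked[flow] = now
            return True
        return False

def replay(flush_on_change, send_times, change_at=10):
    """Open a flow to port 22 at t=0, revoke port 22 at change_at, then send
    packets at send_times. Returns the pass/drop result of every packet."""
    f = StatefulFilter({22}, flush_on_change)
    flow = ("198.51.100.7", 22)  # constructed sample flow
    results = [f.packet(flow, 0)]
    changed = False
    for t in send_times:
        if not changed and t >= change_at:
            f.set_rules(set())  # the rule that allowed the flow is removed
            changed = True
        results.append(f.packet(flow, t))
    return results

if __name__ == "__main__":
    print("security group:      ", replay(True, [5, 15, 30]))
    print("ACL, traffic active: ", replay(False, [5, 15, 60, 100]))
    print("ACL, idle past 120 s:", replay(False, [5, 15, 140]))
```

In the model, a session that keeps sending packets survives the network ACL change indefinitely, which is why the page recommends a security group rule when the cut-off has to be immediate.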