Updated on 2025-06-10 GMT+08:00

Migrating Security Groups Across Regions or Accounts

A security group controls the traffic that is allowed to reach and leave the cloud instances (such as ECSs, containers, and databases) that it is associated with. As your business expands, for example, you need to deploy resources across regions or change accounts due to organizational structure adjustment, you may need to migrate security groups from one region to another or from one account to another. To migrate security groups efficiently, you are advised to import and export security groups or clone security groups. Table 1 describes the two migration methods.
Table 1 Cross-region and cross-account security group migration

Method

Scenario

Description

Constraints

Reference

Importing and exporting security group rules

  • Account: Migrating under the same account or across accounts
  • Region: Migrating within the same region or across regions
  1. Export the rules of the original security group to an Excel file.
  2. Create a new security group.
  3. Import the rules in the Excel file to the new security group.
  4. Manually add rules that cannot be imported.
  • If you import rules to a security group from the same region and under the same account, you can import all rules. If there are rules that already exist in the security group, they will not be imported again.
  • If you want to import rules of the security group in one region to another under the same account, rules with Source or Destination set to an IP address group or another security group cannot be imported.
  • If you want to import rules of the security group in one account to another account, rules with Source or Destination set to an IP address group or another security group cannot be imported.

Creating a Security Group

Importing and Exporting Security Group Rules

Adding a Security Group Rule

Cloning a security group

  • Account: Migrating under the same account
  • Region: Migrating within the same region or across regions
  1. Select the original security group and clone it in the target region.
  2. Manually add rules that cannot be cloned.
  • If you want to clone a security group from the same region, you can clone all rules in the security group.
  • If you want to clone a security group from a different region, the system will clone only rules with source or destination set to IP addresses or the current security group. Rules with source or destination set to an IP address group or another security group will not be cloned.

Cloning a Security Group

Adding a Security Group Rule