Multiple secondary elastic network interfaces (ENIs) can be bound to an Elastic Compute Service (ECS) instance. In a virtual private cloud (VPC), the secondary ENIs bound to an ECS instance can be added to security groups that are different from the security groups to which the primary ENI is added. To implement fine-grained access control on the secondary ENIs, you can configure security group rules for each ENI based on the source IP address, application-layer protocol, and port range. This topic describes how to associate a secondary ENI with security groups for an ECS instance.
Limits
A secondary ENI must be associated with at least one security group. Each secondary ENI of an ECS instance can be associated with a limited number of security groups. For more information, see the Security groups section of the "Limits" topic.
The secondary ENIs of an ECS instance and the security groups to which you want to add the secondary ENIs must use the same network type. If the secondary ENIs of the ECS instance and the security groups use the VPC network type, they must belong to the same VPC.
A secondary ENI can be added only to security groups that are of the same type (basic or advanced). For more information, see Basic security groups and advanced security groups.
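The limits above can be checked before a change is submitted in the console. The following Python sketch is an added example and is not Alibaba Cloud code: the record fields, the network type labels, the sample IDs and the `max_groups` value are assumptions, and the actual per-ENI quota must be taken from the "Limits" topic.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    network_type: str        # "vpc" or "classic" (assumed labels)
    vpc_id: Optional[str]    # None when the group is not in a VPC
    group_type: str          # "basic" or "advanced"


@dataclass(frozen=True)
class SecondaryEni:
    eni_id: str
    network_type: str
    vpc_id: Optional[str]


def check_association(eni: SecondaryEni, groups: List[SecurityGroup],
                      max_groups: int) -> List[str]:
    """Return the limits a proposed group set would violate (empty list = OK)."""
    if not groups:
        return [f"{eni.eni_id}: must stay associated with at least one security group"]
    problems = []
    if len(groups) > max_groups:
        problems.append(f"{eni.eni_id}: {len(groups)} groups exceeds the limit of {max_groups}")
    for g in groups:
        if g.network_type != eni.network_type:
            problems.append(f"{g.group_id}: network type differs from the ENI")
        elif eni.network_type == "vpc" and g.vpc_id != eni.vpc_id:
            problems.append(f"{g.group_id}: belongs to a different VPC than the ENI")
    if len({g.group_type for g in groups}) > 1:
        problems.append(f"{eni.eni_id}: mixes basic and advanced security groups")
    return problems


# Constructed sample inventory; none of these IDs refer to real resources.
ENI = SecondaryEni("eni-example", "vpc", "vpc-a")
SG = {
    "web": SecurityGroup("sg-web", "vpc", "vpc-a", "basic"),
    "db": SecurityGroup("sg-db", "vpc", "vpc-a", "basic"),
    "other": SecurityGroup("sg-other-vpc", "vpc", "vpc-b", "basic"),
    "adv": SecurityGroup("sg-adv", "vpc", "vpc-a", "advanced"),
}

if __name__ == "__main__":
    # max_groups=5 is a placeholder quota, not a documented value.
    for name, proposal in [("same VPC, same type", [SG["web"], SG["db"]]),
                           ("cross-VPC", [SG["web"], SG["other"]]),
                           ("mixed types", [SG["web"], SG["adv"]]),
                           ("empty set", [])]:
        print(name, "->", check_association(ENI, proposal, max_groups=5) or "OK")
```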
Add a secondary ENI to or remove a secondary ENI from security groups
Go to ECS console - Elastic Network Interfaces.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Find the secondary ENI that you want to manage. In the Operation column, click Change Security Groups.
In the Change Security Groups dialog box, change the security groups to which you want to add the secondary ENI.

To add the secondary ENI to security groups that are not associated with the ENI, select the security groups from the Security Group drop-down list and click Confirm.
To remove the secondary ENI from specific security groups, delete the security groups from the Security Group field and click Confirm.
Add a secondary ENI to or remove a secondary ENI from a specific security group
You can add a secondary ENI to or remove a secondary ENI from a security group based on your business requirements.
Go to ECS console - Security Groups.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Find the security group that you want to manage. In the Operation column, choose > Manage ENIs.
On the Secondary ENIs tab of the security group, add a secondary ENI to or remove a secondary ENI from the security group.

To add a secondary ENI to the security group, click Add ENI to Security Group. In the Add ENI to Security Group dialog box, enter the ENI ID or name in the ENI field, select the ENI, and then click Confirm.
To remove one or more secondary ENIs from the security group, select the secondary ENIs that you want to remove and click Remove from Security Group in the lower part of the page. In the Remove from Security Group message, click OK.
Query secondary ENIs that are associated with a security group
Go to ECS console - Security Groups.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Find the security group that you want to manage. In the Operation column, choose > Manage ENIs.
On the Secondary ENIs tab, view all secondary ENIs that are associated with the security group.