Security group rules use the whitelist mechanism. If multiple security group rules conflict, the rules are aggregated to take effect.