Major point is, make the feature work just the way it worked in 2.2.x. We might will extend the functionality later on.

Feature is supported for Shared zone wide network only in Advance zone
When Advance zone is Security Group enabled ("securitygroupenabled=true" is passed to createZone API call; corresponding field is being set to true in the DB), only one Shared Zone Wide SG Enabled Guest network can be added to the zone.Any this zone + any number of Shared Account Specific SG Disabled networks can be added to the .
Shared Zone Wide SG Enabled Guest network is required in Advance SG enabled zone as CPVM/SSVM are using it.
User vm can be deployed either in Shared Zone Wide SG enabled network, or in 1-n Shared Account Specific networks. Combination of SG enabled and SG disabled networks for the same VM is not supported.
Only supported on KVM hypervisor.
Only one provider is supported - Virtual Router
SG functionality should be the same as in Basic zone in terms of Ingress/Egress rules behavior
No Isolated networks can be added to the Advance SG enabled zone. No Shared Domain wide networks are allowed either.

Feature specification

...

When create physical network traffic types, don't create Public traffic type.
The rest of the upgrade should be handled the same way we handle it for other zones

Future release plans

In the future releases we are going to:

Add support for multiple SG enabled Shared networks in Advance zone

Add support for SG in Isolated networks