What is the difference between an "Ingress rule" and a "Group to Group rule"?

Ingress rules are firewall rules that allow traffic from outside to communicate with the virtual machines within Stratosphere. They are based on specific IP addresses or range of addresses, and unique TCP (or UDP, or ICMP) port or range of ports. 

Group-to-group rules allow traffic from one collection of virtual machines to another collection of virtual machines.

For example, if you want everyone to be able to connect to your web server, you would open the HTTP and HTTPS protocols (TCP ports 80 and 443) on your web servers to all IP addresses everywhere. You would do this by creating an ingress rule under a security group that has been assigned to those web servers. If, however, you want your web servers to be able to communicate with your database servers but not allow access to anyone else, you would create a group-to-group rule under a security group that has been assigned only to those database servers.