I didn't try to reproduce this yet but I think that what happened here is:
1. By default, in a security group there is a rule to accept ingress traffic from all other ports which use the same security group,
2. When you added this allowed_address_pair, security group rules (allowed source IPs) were updated for all other ports which use the same SG, and because of that you had such a bad rule in iptables.
If I am right, you should be able to remove this wrong rule from all ports by just removing from the security group the rules which allow traffic from "remote_group_id".
Also, if that is the problem, disabling ipsets will not help to work around this, as such rules will still be added directly in iptables chains.
And also I think that in such a case the openvswitch firewall driver will also be impacted.
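
Added example, not part of the comment above and not Neutron code: a small audit that models the behaviour the comment hypothesises, where a rule with remote_group_id admits the fixed IPs and the allowed_address_pairs of every port in the remote group. The port and rule records are constructed sample data using Neutron API field names; the expansion model and the function names group_sources and audit are assumptions of this sketch.

```python
import ipaddress

# Constructed sample data, shaped like Neutron API port / rule records.
PORTS = [
    {"id": "port-a", "security_groups": ["sg-default"],
     "fixed_ips": [{"ip_address": "10.0.0.5"}],
     "allowed_address_pairs": []},
    {"id": "port-b", "security_groups": ["sg-default"],
     "fixed_ips": [{"ip_address": "10.0.0.6"}],
     "allowed_address_pairs": [{"ip_address": "192.0.2.0/24"}]},
    {"id": "port-c", "security_groups": ["sg-web"],
     "fixed_ips": [{"ip_address": "10.0.0.7"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.100"}]},
]
RULES = [
    {"id": "rule-1", "security_group_id": "sg-default", "direction": "ingress",
     "remote_group_id": "sg-default"},
    {"id": "rule-2", "security_group_id": "sg-web", "direction": "ingress",
     "remote_group_id": None},
]

def group_sources(ports, group_id):
    """Networks a remote_group_id=group_id rule would admit (assumed model)."""
    nets = set()
    for port in ports:
        if group_id not in port["security_groups"]:
            continue
        # Both the port's own addresses and its address pairs become sources.
        for addr in port["fixed_ips"] + port["allowed_address_pairs"]:
            nets.add(ipaddress.ip_network(addr["ip_address"], strict=False))
    return nets

def audit(ports, rules):
    """Findings for ingress remote-group rules widened by a non-host source."""
    findings = []
    for rule in rules:
        gid = rule.get("remote_group_id")
        if rule["direction"] != "ingress" or not gid:
            continue
        # Every port using the rule's own group receives the expanded sources.
        members = [p["id"] for p in ports
                   if rule["security_group_id"] in p["security_groups"]]
        for net in sorted(group_sources(ports, gid), key=str):
            if net.num_addresses > 1:
                findings.append((rule["id"], str(net), members))
    return findings

if __name__ == "__main__":
    for rule_id, net, members in audit(PORTS, RULES):
        print(f"{rule_id}: source {net} is admitted on ports {members}")
```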