Differences Between Security Groups and Network ACLs
You can configure security groups and network ACLs to increase the security of ECSs in your VPC.
- Security groups operate at the ECS level.
- Network ACLs operate at the subnet level.
For details, see Figure 1.
Table 1 describes the differences between security groups and network ACLs.
| Category | Security Group | Network ACL |
|---|---|---|
| Targets | Operates at the ECS level. | Operates at the subnet level. |
| Rules | Only supports Allow rules. | Supports Allow and Deny rules. |
| Priority | Security group rules have no priorities. Because all rules are Allow rules, they do not conflict: traffic permitted by any rule is allowed, so the effective policy is the combination of all rules. | If rules conflict, the rule with the highest priority takes effect. |
| Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the network ACL. A network ACL cannot be selected during subnet creation. You must create a network ACL, associate subnets with it, add inbound and outbound rules, and enable the network ACL. The network ACL then takes effect for the associated subnets and the ECSs in them. |
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. |
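The following Python model, added here as an illustration and not part of the original page or of any cloud provider's implementation, shows how the two evaluation semantics in Table 1 differ in practice: a security group matches on a 3-tuple and allows a packet if any of its Allow rules matches, whereas a network ACL matches on a 5-tuple and lets the highest-priority matching Allow or Deny rule decide. The rule formats, the priority convention (lower number is higher priority), the default deny when no ACL rule matches, the assumption that inbound traffic is checked at the subnet (network ACL) before the ECS (security group), and all IP ranges and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# --- Security group: Allow rules only, matched on protocol, port, peer address ---
@dataclass(frozen=True)
class SGRule:
    protocol: str
    port: Optional[int]   # None means any port
    peer: str             # CIDR of the remote end

    def matches(self, pkt: Packet) -> bool:
        # Inbound view: the peer is the packet source, the port is the ECS-side
        # destination port. Source port is not part of the 3-tuple at all.
        return (self.protocol == pkt.protocol
                and (self.port is None or self.port == pkt.dst_port)
                and ip_address(pkt.src_ip) in ip_network(self.peer))


def security_group_allows(rules: Iterable[SGRule], pkt: Packet) -> bool:
    # No priorities and no Deny rules: the effective policy is the union of
    # everything any rule allows, so overlapping rules never conflict.
    return any(rule.matches(pkt) for rule in rules)


# --- Network ACL: Allow and Deny rules, matched on the 5-tuple, priority-ordered ---
@dataclass(frozen=True)
class ACLRule:
    priority: int            # constructed convention: lower number = higher priority
    action: str              # "allow" or "deny"
    protocol: str
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    src_port: Optional[int]  # None means any port
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol == pkt.protocol
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def network_acl_allows(rules: Iterable[ACLRule], pkt: Packet) -> bool:
    # The highest-priority matching rule decides; a packet matching no rule
    # falls through to an assumed default deny.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


def reaches_ecs(acl_rules: Iterable[ACLRule], sg_rules: Iterable[SGRule], pkt: Packet) -> bool:
    # Assumption: inbound traffic crosses the subnet boundary (network ACL)
    # before the ECS boundary (security group), so a subnet-level deny is final
    # even when the security group would have allowed the packet.
    return network_acl_allows(acl_rules, pkt) and security_group_allows(sg_rules, pkt)


# Constructed sample policy (not taken from the original page).
SG_RULES = [
    SGRule("tcp", 22, "0.0.0.0/0"),       # SSH from anywhere
    SGRule("tcp", None, "10.0.1.0/24"),   # any TCP port from the local subnet
]
ACL_RULES = [
    ACLRule(1, "deny",  "tcp", "203.0.113.0/24", "10.0.1.0/24", None, 22),   # block SSH from one range
    ACLRule(2, "allow", "tcp", "0.0.0.0/0",      "10.0.1.0/24", None, 22),   # then allow SSH generally
    ACLRule(3, "allow", "tcp", "10.0.1.0/24",    "10.0.1.0/24", None, None), # intra-subnet TCP
]

# Constructed packets arriving at ECS 10.0.1.10.
SSH_FROM_BLOCKED = Packet("tcp", "203.0.113.5", "10.0.1.10", 51000, 22)
SSH_FROM_ELSEWHERE = Packet("tcp", "198.51.100.7", "10.0.1.10", 51001, 22)
HTTP_FROM_SUBNET = Packet("tcp", "10.0.1.20", "10.0.1.10", 51002, 80)

if __name__ == "__main__":
    for name, pkt in [("ssh from blocked range", SSH_FROM_BLOCKED),
                      ("ssh from elsewhere", SSH_FROM_ELSEWHERE),
                      ("http from own subnet", HTTP_FROM_SUBNET)]:
        print(f"{name:24s} SG={security_group_allows(SG_RULES, pkt)!s:5} "
              f"ACL={network_acl_allows(ACL_RULES, pkt)!s:5} "
              f"reaches ECS={reaches_ecs(ACL_RULES, SG_RULES, pkt)}")
```

The first packet is the instructive case: the security group allows it, because its allow-only rules cannot express "SSH from everywhere except this range", while the network ACL's priority-1 Deny rule matches first and blocks it at the subnet. The third packet shows the union behaviour of security group rules: the port-22 rule does not match port 80, but the any-port rule for the local subnet does, and no priority ordering is needed to resolve the overlap.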