Help Center/ Virtual Private Cloud/ Best Practices/ VPC Security/ Using Security Groups and Network ACLs to Control Traffic
Updated on 2024-08-07 GMT+08:00
View PDF

Using Security Groups and Network ACLs to Control Traffic

A VPC is your private network on the cloud. You can configure security groups and network ACL rules to ensure the security of instances, such as ECSs, databases, and containers, running in a VPC.
  • A security group protects the instances in it.
  • A network ACL protects associated subnets and all the resources in the subnets.

As shown in Figure 1, security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to ECSs in subnets 1 and 2.

Figure 1 Security groups and network ACLs
Here are some common access control configuration examples:

Allowing Traffic from Given IP Addresses or a Security Group

You can add inbound rules to allow traffic from specific IP addresses and other security groups. As you can see in Figure 2, there are two subnets (Subnet-A and Subnet-B) in VPC-X. ECSs in Subnet-A are associated with security group Sg-A, and ECSs in Subnet-B are associated with security group Sg-B.
  • Add inbound rule A01 to Sg-A to allow traffic from IP addresses in 172.16.0.0/24 to access SSH port 22 on the ECSs in Sg-A for remotely logging in to these ECSs.
  • Add inbound rule B01 to Sg-B to allow the ECSs in Sg-A to access SSH port 22 on the ECSs in Sg-B for remotely logging in to the ECSs in Subnet-B.
Figure 2 Allowing traffic from given IP addresses and security groups

Allowing Traffic from a Virtual IP Address

You can add inbound rules to allow traffic from virtual IP addresses and other security groups. In Figure 3, there are two subnets (Subnet-A and Subnet-B) in VPC-X. ECSs in Subnet-A are associated with security group Sg-A, and ECSs in Subnet-B are associated with security group Sg-B.
  • Add inbound rule A01 to Sg-A to allow the ECSs in Sg-B to access the ECSs in Sg-A using private IP addresses.
  • Add inbound rule B01 to Sg-B to allow traffic from virtual IP address 192.168.0.21 to the ECSs in Sg-B using any protocol over any port. You can also set the source to the CIDR block of Subnet-A (192.168.0.0/24).

    Do not add rules like rule B02. This rule allows the ECSs in Sg-A to access the ECSs in Sg-B using private IP addresses but not virtual IP address 192.168.0.21.

Figure 3 Allowing traffic from a virtual IP address

Allowing Communications Between Instances in Two VPCs Connected by a VPC Peering Connection

In Figure 4, VPC-A and VPC-B are connected by VPC peering connection peering-AB. To allow ECSs in Sg-A and Sg-B to communicate with each other, you can add the following rules:
  • Rule A01 with Source to Sg-B to allow ECSs in Sg-B to access ECSs in Sg-A.
  • Rule B01 with Source to Sg-A to allow ECSs in Sg-A to access ECSs in Sg-B.
Figure 4 Allowing communications between ECSs in two VPCs connected by a VPC peering connection

Controlling External Access to Instances in a Subnet

A network ACL controls traffic in and out of a subnet. If both security group and network ACL rules are configured, traffic matches network ACL rules first and then security group rules.

As shown in Figure 5, ECS-A01 and ECS-A02 in Subnet-A need to communicate with each other, and the instance with the IP address 10.1.0.5/32 needs to be whitelisted to allow it to remotely log in to ECS-A01 and ECS-A02 to perform O&M operations. The whitelisted instance can be a local PC, an instance in a different subnet of VPC-A, or an instance in another VPC. You need to configure network ACL and security group rules to allow the whitelisted instance to access ECSs in VPC-A and deny any other traffic.
  • Network ACL rules:
    • Inbound rule: Custom rule A01 allows the whitelisted instance to remotely log in to the instances in Subnet-A over SSH. The default rule denies any other traffic to the subnet.
    • Outbound rule: Network ACLs are stateful. The responses to inbound requests are allowed to leave the subnet. This means you do not need to additionally add outbound rules to allow such response traffic. The default rule denies any other outbound traffic.
  • Security group rules:
    • Inbound rule: Rule A01 allows the whitelisted instance to remotely log in to instances in Subnet-A over SSH. Rule A02 allows instances in the security group to communicate with each other. Other traffic is denied to access the instances in security group Sg-A.
    • Outbound rule: Rule A03 allows instances in Sg-A to access external resources.
Figure 5 Controlling external access to instances in a subnet

Controlling Communications Between Instances in Different Subnets

In this example, VPC-X has two subnets: Subnet-X01 and Subnet-X02. ECS-01 and ECS-02 work in Subnet-X01, and ECS-03 works in Subnet-X02. Suppose you want to:
  • Connect ECS-02 to ECS-03.
  • Isolate ECS-01 from ECS-03.
To achieve this purpose, you need to configure security group and network ACL rules as follows:
  1. Add inbound and outbound rules to Sg-A to ensure that the ECSs in this security group can communicate with each other.

    The subnet has not been associated with a network ACL, so after the security group rules are added, both ECS-01 and ECS-02 can communicate with ECS-03.

  2. Associate Subnet-X01 and Subnet-X02 with Fw-A.

    If there is only the default rule in Fw-A, instances in the same subnet can communicate with each other, while instances in different subnets are isolated from each other. In this case, ECS-01 and ECS-02 can communicate with each other, while ECS-01 and ECS-03 as well as ECS-02 and ECS-03 are isolated from each other.

  3. Add custom rules to Fw-A to allow ECS-02 to communicate with ECS-03.
    • Add custom rule A01 to allow ECS-03 to access Subnet-X01.
    • Add custom rule A02 to allow ECS-02 to access Subnet-X02.
    • Add custom rule A03 to allow traffic destined for ECS-03 to leave Subnet-X01.
    • Add custom rule A04 to allow traffic destined for ECS-02 to leave Subnet-X02.
Figure 6 Controlling communications between instances in different subnets
Parent topic: VPC Security