What Are the Differences Between CFW, Security Groups, and Network ACLs?
CFW, security groups, and network ACLs allow you to set access control policies based on IP addresses or IP address groups to protect your Internet borders, VPC borders, ECSs, and subnets.
Table 1 describes the differences between them.
Item | CFW | Security group | Network ACL |
---|---|---|---|
Definition | Cloud Firewall (CFW) is a next-generation cloud-native firewall. It protects the Internet border and VPC border on the cloud by real-time intrusion detection and prevention, global unified access control, full traffic analysis, log audit, and tracing. It employs AI for intelligent defense, and can be elastically scaled to meet changing business needs, helping you easily handle security threats. CFW is a basic service that provides network security protection for user services on the cloud. | A security group is a collection of access control rules for instances, such as cloud servers, containers, and databases, that have the same security requirements and that are mutually trusted within a VPC. You can define different access control rules for a security group, and these rules are then applied to all the instances added to this security group. For details about security groups, see Security Groups and Security Group Rules. | A network ACL is an optional layer of security for your subnets. After you associate one or more subnets with a network ACL, you can control traffic in and out of the subnets. For details about network ACLs, see Network ACL. |
Protected objects | | ECS | Subnet |
Features | | Filtering by 3-tuple (protocol, port, and peer IP address) | Filtering by 5-tuple (source IP address, destination IP address, protocol, source port, and destination port) |
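
The 3-tuple and 5-tuple filtering listed under Features can be compared with a small rule matcher. This is an added example, not code from the original page or from the cloud provider; the rule classes, the inbound reading of "port" and "peer", and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class ThreeTupleRule:
    # Assumed inbound reading: "port" is the port on the protected instance,
    # "peer" is the remote source range. Nothing else is inspected.
    protocol: str
    port: range
    peer: str
    def matches(self, p: Packet) -> bool:
        return (p.protocol == self.protocol and p.dst_port in self.port
                and in_cidr(p.src_ip, self.peer))

@dataclass(frozen=True)
class FiveTupleRule:
    protocol: str
    src: str
    src_port: range
    dst: str
    dst_port: range
    def matches(self, p: Packet) -> bool:
        return (p.protocol == self.protocol
                and in_cidr(p.src_ip, self.src) and p.src_port in self.src_port
                and in_cidr(p.dst_ip, self.dst) and p.dst_port in self.dst_port)

# Constructed sample traffic (documentation and private address ranges).
PACKETS = [
    Packet("192.0.2.10", "10.0.1.5", "tcp", 50000, 443),    # expected client flow
    Packet("192.0.2.10", "10.0.1.9", "tcp", 50000, 443),    # same peer, other host in subnet
    Packet("192.0.2.10", "10.0.1.5", "tcp", 53, 443),       # same peer, low source port
    Packet("198.51.100.7", "10.0.1.5", "tcp", 50000, 443),  # peer outside allowed range
]
SG_RULE = ThreeTupleRule("tcp", range(443, 444), "192.0.2.0/24")
ACL_RULE = FiveTupleRule("tcp", "192.0.2.0/24", range(1024, 65536),
                         "10.0.1.5/32", range(443, 444))

def evaluate(packets=PACKETS):
    """Return (three_tuple_match, five_tuple_match) for each packet."""
    return [(SG_RULE.matches(p), ACL_RULE.matches(p)) for p in packets]
```

In this model the 3-tuple rule matches the second and third packets because it does not inspect the destination address or source port, while the 5-tuple rule rejects both.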