Access Control Overview

A VPC is your private network on the cloud. You can configure security groups and network ACL rules to ensure the security of instances, such as ECSs, databases, and containers, running in a VPC.

A security group protects the instances in it.
A network ACL protects associated subnets and all the resources in the subnets.

Figure 1 shows how security groups and network ACLs are used. Security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to subnets 1 and 2.

Figure 1 Security groups and network ACLs

Differences Between Access Control Options

Table 1 provides differences between access control options. You can select one or more as needed.

**Table 1** Differences between access control options
Item	Security Group	Network ACL
Protection Scope	Protects instances in a security group, such as ECSs, databases, and containers.	Protects subnets and all the instances in the subnets.
Mandatory	Yes. Instances must be added to at least one security group.	No. You can determine whether to associate a subnet with a network ACL based on service requirements.
Stateful	Yes. The response traffic of inbound and outbound requests is allowed to flow to and leave an instance.	Yes. The response traffic of inbound and outbound requests is allowed to flow to and leave a subnet.
Rules	Allow or Deny rules not supported	Supports both Allow and Deny rules.
Rule Packets	Packet filtering based on the 3-tuple (protocol, port, and source/destination)	Packet filtering based on the 5-tuple (protocol, source port, destination port, source, and destination)
Matching Order	If an instance is associated with multiple security groups that have multiple rules: Rules are first matched based on the sequence each security group associated with the instance. Security groups with lower sequence numbers have higher priorities. Rules are then matched by priority in that security group. Rules with lower values have higher priorities than those with higher values. Deny rules take precedence over allow rules if the rules have the same priority.	A subnet can have only one network ACL associated. If there are multiple rules, traffic is matched based on the rule priority. A smaller value indicates a higher priority.
Usage	When creating an instance, for example, an ECS, you must select a security group. If no security group is selected, the ECS will be associated with the default security group. After creating an instance, you can: Add or remove the instance to or from a security group on the security group console. Add or remove the instance to or from a security group on the instance console.	Selecting a network ACL is not allowed when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with and enable the network ACL. The network ACL then protects the associated subnets and instances in the subnets.