What Is Access Control?
- A security group protects the instances in it.
- A network ACL protects associated subnets and all the resources in the subnets.
Figure 1 shows how security groups and network ACLs are used. Security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to subnets 1 and 2.
Differences Between Security Groups and Network ACLs
Item | Security Group | Network ACL
---|---|---
Protection Scope | Protects instances in a security group, such as ECSs, databases, and containers. | Protects subnets and all the instances in the subnets.
Mandatory | Mandatory. An instance must be added to at least one security group. | Optional. You can decide whether to associate a subnet with a network ACL based on service requirements.
Rules | Does not support Allow or Deny rules. | Supports both Allow and Deny rules.
Matching Order | If an instance is associated with multiple security groups that have multiple rules: | A subnet can only have one network ACL. If there are multiple rules, the rules are processed based on their priorities. A smaller value indicates a higher priority.
Usage | | Selecting a network ACL is not allowed when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with it, and enable the network ACL. The network ACL then protects the associated subnets and the instances in the subnets.
Packets | Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported. | Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported.
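The matching behaviour in the table, as an added example that is not part of this documentation: a small Python model in which security groups are an allow-only union of 3-tuple rules and the network ACL is a priority-ordered list of 5-tuple Allow/Deny rules evaluated first-match-wins. The sample addresses, the drop-on-no-match default for the ACL, and the fixed ACL-then-security-group ordering for inbound traffic are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:            # inbound packet as seen at the subnet boundary
    proto: str
    src: str
    dst: str
    src_port: int
    dst_port: int
@dataclass(frozen=True)
class SGRule:            # security group rule: 3-tuple, Allow only
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # destination port; None = any port
    remote: str          # source CIDR for an inbound rule
@dataclass(frozen=True)
class AclRule:           # network ACL rule: 5-tuple plus action and priority
    priority: int        # smaller value = higher priority
    action: str          # "allow" or "deny"
    proto: str
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]

def _cidr(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr)
def _port(want: Optional[int], have: int) -> bool:
    return want is None or want == have

def sg_permits(groups: List[List[SGRule]], pkt: Packet) -> bool:
    # Allow-only: the packet passes if any rule in any associated group matches.
    return any(r.proto in ("any", pkt.proto) and _port(r.port, pkt.dst_port)
               and _cidr(pkt.src, r.remote) for g in groups for r in g)

def acl_permits(rules: List[AclRule], pkt: Packet) -> bool:
    # Rules are tried in ascending priority value; first 5-tuple match decides (assumed drop if none).
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.proto in ("any", pkt.proto) and _cidr(pkt.src, r.src) and _cidr(pkt.dst, r.dst)
                and _port(r.src_port, pkt.src_port) and _port(r.dst_port, pkt.dst_port)):
            return r.action == "allow"
    return False

def reaches_instance(acl: List[AclRule], groups: List[List[SGRule]], pkt: Packet) -> bool:
    return acl_permits(acl, pkt) and sg_permits(groups, pkt)  # subnet ACL first, then the instance's groups
# Constructed policy: the ACL denies SSH from one range ahead of a broad allow; the SG opens only SSH.
ACL = [AclRule(100, "allow", "any", "0.0.0.0/0", "10.0.1.0/24", None, None),
       AclRule(1, "deny", "tcp", "198.51.100.0/24", "10.0.1.0/24", None, 22)]
SG = [[SGRule("tcp", 22, "0.0.0.0/0")]]
```

A packet from the denied range is stopped by the ACL even though the security group would allow it, while a packet to an unopened port clears the ACL and is then dropped by the security group.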