Help Center/ Virtual Private Cloud/ User Guide/ Access Control/ Access Control Overview
Updated on 2026-02-26 GMT+08:00
View PDF

Access Control Overview

A VPC is your private network on the cloud. You can configure access control rules to ensure the security of instances, such as ECSs, databases, and cloud containers, running in a VPC.
  • A security group protects the instances in it.
  • Network ACLs provide an optional layer of security for your subnets and control the traffic entering and leaving their associated subnets. Compared with a security group that protects instances, a network ACL can protect an entire subnet when its rules are correctly configured. This allows all instances in a subnet to be protected.

Figure 1 shows how security groups and network ACLs are used. Security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of security for subnets 1 and 2.

Figure 1 Security groups and network ACLs

Differences Between Access Control Options

Table 1 provides differences between access control options. You can select one or more as needed.
Table 1 Differences between access control options

Item

Security Group

Network ACL

Protection Scope

Protects instances in a security group, such as ECSs, databases, and cloud containers.

Protects subnets and all the instances in the subnets.

Mandatory or Optional

Mandatory. Instances must be added to at least one security group.

Optional. You can determine whether to associate a subnet with a network ACL based on service requirements.

Stateful or Not

Stateful. The response traffic of inbound and outbound requests is allowed to leave and enter an instance.

Stateful. The response traffic of inbound and outbound requests is allowed to leave and enter a subnet.

Action

Does not support Allow or Deny rules.

Supports both Allow and Deny rules.

Rule Packets

Supports packet filtering based on 3-tuple (protocol, port, and source/destination address).

Supports packet filtering based on 5-tuple (protocol, source port, destination port, source address, and destination address).

Matching Rule
If an instance is associated with multiple security groups that have multiple rules:
  1. Rules are first matched based on how early a security group is associated with an instance. The security group associated earlier takes precedence over those associated later.
  2. Rules are then matched by priority in that security group. A rule with a smaller priority value has a higher priority.
  3. Deny rules take precedence over allow rules if the rules have the same priority.

A subnet can have only one network ACL associated. If there are multiple rules in a network ACL, rules are matched based on their priorities. A smaller value indicates a higher priority.

Usage
  • When creating an instance, for example, an ECS, you must select a security group. If there is no security group available, the ECS will be associated with the default security group.
  • After creating an instance, you can:
    • Add or remove the instance to or from a security group on the security group console.
    • Add or remove the instance to or from a security group on the instance console.

Selecting a network ACL is not allowed when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with the network ACL, and enable the network ACL. The network ACL then protects the associated subnets and instances in the subnets.
Parent Topic: Access Control