Updated on 2024-04-18 GMT+08:00

What Is Access Control?

A VPC is your private network on the cloud. You can configure security groups and network ACL rules to ensure the security of instances, such as ECSs, databases, and containers, running in a VPC.
  • A security group protects the instances in it.
  • A network ACL protects associated subnets and all the resources in the subnets.

Figure 1 shows how security groups and network ACLs are used. Security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to subnets 1 and 2.

Figure 1 Security groups and network ACLs

Differences Between Security Groups and Network ACLs

Table 1 describes detailed differences between security groups and network ACLs.
Table 1 Differences between security groups and network ACLs

| Item | Security Group | Network ACL |
|---|---|---|
| Protection Scope | Protects instances in a security group, such as ECSs, databases, and containers. | Protects subnets and all the instances in the subnets. |
| Mandatory | Mandatory. An instance must be added to at least one security group. | Optional. You can determine whether to associate a subnet with a network ACL based on service requirements. |
| Rules | Does not support Allow or Deny rules. | Supports both Allow and Deny rules. |
| Matching Order | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority is applied. |
| Usage | When creating an instance, for example, an ECS, you must select a security group. If no security group is selected, the ECS is associated with the default security group. After creating an instance, you can add the instance to or remove it from a security group on the security group console, or associate a security group with or disassociate it from the instance on the instance console. | A network ACL cannot be selected when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with it, and enable the network ACL. The network ACL then protects the associated subnets and the instances in them. |
| Packets | Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported. | Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported. |
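To make the Rules, Matching Order, and Packets rows concrete, here is an added Python model (not Huawei Cloud code) of one inbound packet being checked by the network ACL at the subnet boundary and then by the security group at the instance. It assumes, as the page does not state, that a packet matching no rule is dropped and that the network ACL stops at the first match in priority order; the rule sets and addresses are constructed for the example.

```python
# Added illustration, not Huawei Cloud code: a minimal model of how the two layers in
# Table 1 evaluate one inbound packet. Assumptions the page does not state: a packet
# matching no rule is dropped, and network ACL evaluation stops at the first matching
# rule in priority order (lower number = higher priority).
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "protocol src dst src_port dst_port")
# Security group rule: 3-tuple (protocol, instance port, source CIDR); Allow only.
SGRule = namedtuple("SGRule", "protocol port source")
# Network ACL rule: 5-tuple plus an explicit Allow/Deny action and a priority;
# a src_port or dst_port of None means "any port".
ACLRule = namedtuple("ACLRule", "priority action protocol source destination src_port dst_port",
                     defaults=(None, None))

def in_cidr(cidr, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def sg_matches(r, p):
    return r.protocol == p.protocol and r.port == p.dst_port and in_cidr(r.source, p.src)

def acl_matches(r, p):
    return (r.protocol == p.protocol
            and in_cidr(r.source, p.src) and in_cidr(r.destination, p.dst)
            and r.src_port in (None, p.src_port) and r.dst_port in (None, p.dst_port))

def network_acl_allows(rules, p):
    # Conflicting rules: the highest-priority matching rule decides, Allow or Deny.
    for r in sorted(rules, key=lambda rule: rule.priority):
        if acl_matches(r, p):
            return r.action == "allow"
    return False  # assumption: implicit deny when no rule matches

def security_group_allows(rules, p):
    # Rules are combined: any matching Allow rule admits the packet.
    return any(sg_matches(r, p) for r in rules)

def inbound_allowed(acl_rules, sg_rules, p):
    # The network ACL guards the subnet; the security group then guards the instance.
    return network_acl_allows(acl_rules, p) and security_group_allows(sg_rules, p)

# Constructed sample policy for subnet 192.168.1.0/24: the network ACL blocks SSH from
# one host (priority 1) but otherwise admits TCP (priority 100); the security group
# accepts SSH only from 10.0.0.0/8 and HTTPS from anywhere.
ACL = [ACLRule(1, "deny", "tcp", "10.0.0.5/32", "192.168.1.0/24", dst_port=22),
       ACLRule(100, "allow", "tcp", "0.0.0.0/0", "192.168.1.0/24")]
SG = [SGRule("tcp", 22, "10.0.0.0/8"), SGRule("tcp", 443, "0.0.0.0/0")]
```

For example, `inbound_allowed(ACL, SG, Packet("tcp", "10.0.0.5", "192.168.1.10", 40000, 22))` is False because the Deny rule at priority 1 wins at the subnet boundary even though the security group would admit SSH from that address.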