Help Center/ Cloud Firewall/ FAQs/ About the Product/ What Are the Differences Between CFW, Security Groups, and Network ACLs?
Updated on 2024-07-05 GMT+08:00

What Are the Differences Between CFW, Security Groups, and Network ACLs?

CFW, security groups, and network ACLs allow you to set access control policies based on IP addresses or IP address groups to protect your Internet borders, VPC borders, ECSs, and subnets.

Table 1 describes the differences between them.

Table 1 Differences between CFW, security groups, and network ACLs

Item

CFW

Security group

Network ACL

Definition

Cloud Firewall (CFW) is a next-generation cloud-native firewall. It protects the Internet border and VPC border on the cloud by real-time intrusion detection and prevention, global unified access control, full traffic analysis, log audit, and tracing. It employs AI for intelligent defense, and can be elastically scaled to meet changing business needs, helping you easily handle security threats. CFW is a basic service that provides network security protection for user services on the cloud.

A security group is a collection of access control rules for instances, such as cloud servers, containers, and databases, that have the same security requirements and that are mutually trusted within a VPC. You can define different access control rules for a security group, and these rules are then applied to all the instances added to this security group.

For details about security groups, see Security Groups and Security Group Rules.

A network ACL is an optional layer of security for your subnets. After you associate one or more subnets with a network ACL, you can control traffic in and out of the subnets.

For details about network ACLs, see Network ACL.

Protected objects

  • Internet boundary
  • VPC boundary
  • SNAT scenario

ECS

Subnet

Features

  • Filtering by 5-tuple (source IP address, destination IP address, protocol, source port, and destination port)
  • Filtering by geographical location, domain name, domain name group, and blacklist/whitelist
  • Intrusion prevention system (IPS) and antivirus (AV).

Filtering by 3-tuple (protocol, port, and peer IP address)

Filtering by 5-tuple (source IP address, destination IP address, protocol, source port, and destination port)