What Is Access Control?

A VPC is your private network on the cloud. You can configure security groups and network ACL rules to ensure the security of instances, such as ECSs, databases, and containers, running in a VPC.

A security group protects the instances in it.
A network ACL protects associated subnets and all the resources in the subnets.

Figure 1 shows how security groups and network ACLs are used. Security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to subnets 1 and 2.

Figure 1 Security groups and network ACLs

Differences Between Security Groups and Network ACLs

Table 1 describes detailed differences between security groups and network ACLs.

**Table 1** Differences between security groups and network ACLs
Item	Security Group	Network ACL
Protection Scope	Protects instances in a security group, such as ECSs, databases, and containers.	Protects subnets and all the instances in the subnets.
Mandatory	Mandatory. Instance must be added to at least one security group.	Optional. You can determine whether to associate a subnet with a network ACL based on service requirements.
Rules	Supports both Allow and Deny rules. Allow: allows the matched traffic to flow in or out of the instances. Deny: denies the matched traffic to flow in or out of the instances.	Supports both Allow and Deny rules. Allow: allows the matched traffic to flow in or out of the subnet. Deny: denies the matched traffic to flow in or out of the subnet.
Matching Order	If an instance is associated with multiple security groups that have multiple rules: Rules are first matched based on the sequence each security group is associated with an instance. Security groups with lower sequence numbers have higher priorities. Rules are then matched by priority in that security group. Rules with lower values have higher priorities than those with higher values. Deny rules take precedence over allow rules if the rules have the same priority.	A subnet can only have one network ACL. If there are multiple rules, the rules are processed based on their priorities. A smaller value indicates a higher priority.
Usage	When creating an instance, for example, an ECS, you must select a security group. If no security group is selected, the ECS will be associated with the default security group. After creating an instance, you can: Add or remove the instance to or from the security group on the security group console. Associate or disassociate a security group with or from the instance on the instance console.	Selecting a network ACL is not allowed when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with it, and enable network ACL. The network ACL then protects the associated subnets and instances in the subnets.
Packets	Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported.	Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported.

How Traffic Matches Security Group and Network ACL Rules

If both security group and network ACL rules are configured, traffic matches network ACL rules first and then security group rules. Figure 2 describes how inbound traffic matches security group and network ACL rules.

Traffic first matches network ACL rules.
- If the traffic does not match any rule, the default rule is applied, and traffic to the subnet is denied.
- If the traffic matches a rule, the rule is applied, which determines where the traffic will go.
  - If Action is set to Deny, the traffic to the subnet is denied.
  - If Action is set to Allow, the traffic to the subnet is allowed.
The traffic continues to match the security group rules.
1. If an instance is associated with multiple security groups, the traffic first matches rules in the security group with the lowest sequence number.
  1. If the traffic does not match any rule, it is denied to access the instance.
  2. If the traffic matches a rule, the rule determines where the traffic will go.
    - If Action is set to Deny, the traffic is denied to access the instance.
    - If Action is set to Allow, the traffic is allowed to access the instance.
2. If the traffic fails to match the rules in the first security group, it continues to match the rules in the second security group.
3. If the traffic does not match the rules of all security groups, the traffic is denied.

Figure 2 How inbound traffic matches security group and network ACL rules

As shown in Figure 3, there is a subnet (Subnet-A) in VPC-A, and two ECSs (ECS-A and ECS-B) are running in this subnet. To protect your resources in VPC-A, you:

Associate a network ACL (Fw-A) with Subnet-A. The default rules in Fw-A cannot be deleted. Traffic preferentially matches the rules you have configured. Table 2 shows some example rules.
Create a security group Sg-A to protect the ECSs. When creating security group Sg-A, you can select an existing template. The template comes with some default rules. You can modify or delete default rules, or add rules. For details about security group rules, see Table 3.

Figure 3 How inbound traffic matches security group and network ACL rules

**Table 2** Rules configured for Fw-A
Direction	Priority	Type	Action	Protocol	Source	Source Port Range	Destination	Destination Port Range	Description
Inbound	1	IPv4	Deny	All	10.0.1.0/24	All	0.0.0.0/0	All	Custom rule A01: denies traffic from 10.0.1.0/24 to the subnet.
Inbound	2	IPv4	Allow	TCP	0.0.0.0/0	All	0.0.0.0/0	80-85	Custom rule A02: allows all TCP traffic to the ECS in the subnet over ports 80 to 85.
Inbound	*	--	Deny	All	0.0.0.0/0	All	0.0.0.0/0	All	Default rule: denies all inbound traffic.
Outbound	1	IPv4	Allow	All	0.0.0.0/0	All	0.0.0.0/0	All	Custom rule A03: allows all outbound traffic.
Outbound	*	--	Deny	All	0.0.0.0/0	All	0.0.0.0/0	All	Default rule: denies all outbound traffic.

**Table 3** Rules configured for Sg-A
Direction	Priority	Action	Type	Protocol & Port	Source/Destination	Description
Inbound	1	Allow	IPv4	TCP: 80	Source: 0.0.0.0/0	Rule A01: allows all IPv4 traffic to the ECS over port 80.
Inbound	1	Deny	IPv4	TCP: 82-83	Source: 0.0.0.0/0	Rule A02: denies all IPv4 traffic to the ECS over ports 82 and 83.
Inbound	1	Allow	IPv4	All	Source: current security group (Sg-A)	Rule A03: allows all IPv4 traffic in the security group so the ECS can communicate with other instances in the security group.
Inbound	1	Allow	IPv6	All	Source: current security group (Sg-A)	Rule A04: allows all IPv6 traffic in the security group so the ECS can communicate with other instances in the security group.
Outbound	1	Allow	IPv4	All	Destination: 0.0.0.0/0	Rule A05: allows all traffic from the ECS in the security group to any IPv4 address.
Outbound	1	Allow	IPv6	All	Destination: ::/0	Rule A06: allows all traffic from the ECS in the security group to any IPv6 address.

Based on the preceding scenarios, different inbound packets match rules as follows:

Packet 01: If no custom rules in Fw-A are matched, the default rule is applied, denying packet 01 to the subnet.
Packet 02: If custom rule A01 in Fw-A is matched, this rule is applied, denying packet 02 to the subnet.
Packet 03: If custom rule A02 in Fw-A is matched, this rule is applied, allowing packet 03 to the subnet. Packet 03 continues to match the security group rules. If it does not match any inbound rule in Sg-A, packet 03 is denied.
Packet 04: If custom rule A02 in Fw-A is matched, this rule is applied, allowing packet 04 to the subnet. Packet 04 continues to match the security group rules. If it matches rule A02 in Sg-A, packet 04 is denied.
Packet 05: If custom rule A02 in Fw-A is matched, this rule is applied, allowing packet 05 to the subnet. Packet 05 continues to match the security group rules. If it matches rule A01 in Sg-A, packet 05 is allowed.