What Is Access Control?
- A security group protects the instances in it.
- A network ACL protects associated subnets and all the resources in the subnets.
Figure 1 shows how security groups and network ACLs are used. Security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to subnets 1 and 2.
Differences Between Security Groups and Network ACLs
| Item | Security Group | Network ACL |
|---|---|---|
| Protection Scope | Protects the instances in a security group, such as ECSs, databases, and containers. | Protects subnets and all the instances in the subnets. |
| Mandatory | Mandatory. An instance must be added to at least one security group. | Optional. You can decide whether to associate a subnet with a network ACL based on service requirements. |
| Rules | Does not support Allow or Deny rules. | Supports both Allow and Deny rules. |
| Matching Order | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority is applied. |
| Usage | | Selecting a network ACL is not allowed when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with it, and enable the network ACL. The network ACL then protects the associated subnets and the instances in the subnets. |
| Packets | Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported. | Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported. |
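The two evaluation models in the table differ in a way that is easy to get wrong when troubleshooting a dropped connection: security group rules are combined (any matching rule permits the traffic, nothing else is permitted), while network ACL rules are ordered and the highest-priority match decides, with an explicit Deny available. The following Python model, added here as an illustration and not code from the cloud platform or its documentation, evaluates a few constructed packets against a 3-tuple security group and a 5-tuple network ACL layered in front of it. The rule and packet field names, the convention that a lower priority number wins, and the default-deny when no ACL rule matches are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_PORT = (0, 65535)  # port range that matches every port (and port-less protocols such as ICMP)


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet summary; field names are this example's own."""
    protocol: str            # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ICMP
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class SecurityGroupRule:
    """3-tuple rule: protocol, port range on the instance side, remote CIDR.
    There is no action field: a matching rule permits the traffic."""
    protocol: str            # "tcp", "udp", "icmp" or "any"
    port_range: tuple
    remote_cidr: str


@dataclass(frozen=True)
class NetworkAclRule:
    """5-tuple rule with an explicit action and a priority
    (assumption: a lower number is a higher priority)."""
    priority: int
    action: str              # "allow" or "deny"
    protocol: str
    src_port_range: tuple
    dst_port_range: tuple
    src_cidr: str
    dst_cidr: str


def _proto_match(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or rule_proto == pkt_proto


def _port_match(rng: tuple, port: Optional[int]) -> bool:
    if port is None:                 # port-less protocol: only an any-port rule matches
        return rng == ANY_PORT
    return rng[0] <= port <= rng[1]


def _cidr_match(cidr: str, ip: str) -> bool:
    return ip_address(ip) in ip_network(cidr, strict=False)


def security_group_allows(rules, pkt: Packet, inbound: bool = True) -> bool:
    """Security group semantics: rules are combined, so any single matching rule
    permits the packet; a packet matching no rule is dropped (implicit deny)."""
    remote_ip = pkt.src_ip if inbound else pkt.dst_ip
    return any(
        _proto_match(r.protocol, pkt.protocol)
        and _port_match(r.port_range, pkt.dst_port)
        and _cidr_match(r.remote_cidr, remote_ip)
        for r in rules
    )


def network_acl_decision(rules, pkt: Packet) -> str:
    """Network ACL semantics: evaluate in priority order and let the first
    (highest-priority) matching rule decide; no match means deny (assumption)."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (_proto_match(r.protocol, pkt.protocol)
                and _port_match(r.src_port_range, pkt.src_port)
                and _port_match(r.dst_port_range, pkt.dst_port)
                and _cidr_match(r.src_cidr, pkt.src_ip)
                and _cidr_match(r.dst_cidr, pkt.dst_ip)):
            return r.action
    return "deny"


def inbound_verdict(acl_rules, sg_rules, pkt: Packet) -> str:
    """Layered check for traffic entering a subnet: the network ACL guards the
    subnet first; only traffic it allows reaches the instance's security group."""
    if network_acl_decision(acl_rules, pkt) != "allow":
        return "dropped by network ACL"
    return "allowed" if security_group_allows(sg_rules, pkt) else "dropped by security group"


# Constructed sample policy: SSH only from the private range, HTTPS from anywhere.
SG_RULES = [
    SecurityGroupRule("tcp", (22, 22), "10.0.0.0/8"),
    SecurityGroupRule("tcp", (443, 443), "0.0.0.0/0"),
]
# Constructed ACL: a high-priority Deny for SSH from one subnet, then an Allow-all.
# The two rules conflict for that subnet; priority decides, unlike a security group.
ACL_RULES = [
    NetworkAclRule(2, "allow", "any", ANY_PORT, ANY_PORT, "0.0.0.0/0", "0.0.0.0/0"),
    NetworkAclRule(1, "deny", "tcp", ANY_PORT, (22, 22), "10.1.2.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "10.0.1.5", 50000, 443),
                Packet("tcp", "10.1.2.9", "10.0.1.5", 40000, 22),
                Packet("tcp", "203.0.113.4", "10.0.1.5", 40001, 22),
                Packet("icmp", "10.9.9.9", "10.0.1.5")):
        print(pkt, "->", inbound_verdict(ACL_RULES, SG_RULES, pkt))
```

The second packet is instructive: the security group on its own would permit SSH from 10.1.2.9 (it falls inside 10.0.0.0/8), but the subnet's ACL drops it first because the Deny rule outranks the Allow-all. The ICMP packet shows the security group's implicit deny: no rule matches, so it is dropped even though the ACL allowed it into the subnet.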