Differences Between Security Groups and Network ACLs

You can configure network ACL and security group rules to protect the instances in your VPC, such as ECSs, CCI instances, and databases.

A security group protects the instances in it.
A network ACL protects associated subnets and all the resources in the subnets.

Figure 1 shows how security groups and network ACLs work. In Figure 1, security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to subnets 1 and 2.

Figure 1 Security groups and network ACLs

Table 1 describes the differences between security groups and network ACLs.

**Table 1** Differences between security groups and network ACLs
Category	Security Group	Network ACL
Protection Scope	Protects instances in a security group, such as ECSs, CCI instances, and databases.	Protects subnets and all the instances in the subnets.
Rules	Does not support Allow or Deny rules.	Supports both Allow and Deny rules.
Matching Order	If there are conflicting rules, they are combined and applied together.	If rules conflict, the rule with the highest priority takes effect.
Usage	When creating an instance, such as an ECS, you must select a security group. If you do not have a security group, a default security group will be created for you. After creating an instance, you can: Add or remove the instance to or from the security group on the security group console. Associate or disassociate a security group with or from the instance on the instance console.	Selecting a network ACL is not allowed when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with it, and enable network ACL. The network ACL then protects the associated subnets and instances in the subnets.
Packets	Packet filtering based on the 3-tuple (protocol, port, and source/destination) is supported.	Packet filtering based on the 5-tuple (protocol, source port, destination port, and source/destination) is supported.