Access Control Overview

A VPC is your private network on the cloud. You can configure security groups and network ACL rules to ensure the security of instances, such as ECSs, databases, and containers, running in a VPC.

A security group protects the instances in it.
A network ACL protects associated subnets and all the resources in the subnets.

Figure 1 shows how security groups and network ACLs are used. Security groups A and B protect the network security of ECSs. Network ACLs A and B add an additional layer of defense to subnets 1 and 2.

Figure 1 Security groups and network ACLs

Differences Between Access Control Options

Table 1 provides differences between access control options. You can select one or more as needed.

Table 1 Differences between access control options
Item	Security Group	Network ACL
Protection Scope	Protects instances in a security group, such as ECSs, databases, and containers.	Protects subnets and all the instances in the subnets.
Mandatory or Optional	Mandatory. Instances must be added to at least one security group.	Optional. You can determine whether to associate a subnet with a network ACL based on service requirements.
Stateful	Stateful. The response traffic of inbound and outbound requests is allowed to flow to and out of an instance.	Stateful. The response traffic of inbound and outbound requests is allowed to flow to and out of a subnet.
Action	Supports both Allow and Deny rules. Allow: allows the matched traffic to flow in or out of the instances. Deny: denies the matched traffic to flow in or out of the instances.	Supports both Allow and Deny rules. Allow: allows the matched traffic to flow in or out of the subnet. Deny: denies the matched traffic to flow in or out of the subnet.
Rule Packets	Packet filtering based on 3-tuple (protocol, port, and source/destination)	Packet filtering based on 5-tuple (protocol, source port, destination port, source, and destination)
Matching Rule	If an instance is associated with multiple security groups that have multiple rules: Rules are first matched based on how early a security group is associated with an instance. The security group associated earlier takes precedence over those associated later. Rules are then matched by priority in that security group. A rule with a smaller value has a higher priority. Deny rules take precedence over allow rules if the rules have the same priority.	A subnet can have only one network ACL associated. If there are multiple rules, traffic is matched based on the rule priority. A smaller value indicates a higher priority.
Usage	When creating an instance, for example, an ECS, you must select a security group. If no security group is selected, the ECS will be associated with the default security group. After creating an instance, you can: Add or remove the instance to or from a security group on the security group console. Add or remove the instance to or from a security group on the instance console.	Selecting a network ACL is not allowed when you create a subnet. You must create a network ACL, add inbound and outbound rules, associate subnets with the network ACL, and enable the network ACL. The network ACL then protects the associated subnets and instances in the subnets.

Parent topic: Access Control

Была ли эта статья полезна?

Поддержка Юридические документы