Differences Between Security Groups and Firewalls

You can configure security groups and firewalls to increase the security of ECSs in your VPC.

  • Security groups protect ECSs.
  • Firewalls protect subnets.

For details, see Figure 1.

Figure 1 Security groups and firewalls

Table 1 describes the differences between security groups and firewalls.

Table 1 Differences between security groups and firewalls

| | Security Group | Firewall |
|---|---|---|
| | Operates at the ECS level. | Operates at the subnet level. |
| | Only supports Allow rules. | Supports Allow and Deny rules. |
| | If security group rules conflict, the overlapping elements of these rules take effect. | If firewall rules conflict, the rule with the highest priority takes effect. |
| How to Use | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound network rules, and enable the firewall. The firewall then takes effect for the associated subnets and ECSs in the subnets. |
| | Only supports packet filtering based on the 3-tuple (protocol, port, and peer IP address). | Only supports packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address). |
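
The rule semantics in Table 1 can be modeled in a few lines. The following is an added example, not part of the original documentation or the provider's implementation: it evaluates the same inbound packets against an Allow-only, 3-tuple security group and a prioritized Allow/Deny, 5-tuple firewall. The type and function names, the sample addresses, the "lower number means higher priority" ordering, the default drop when nothing matches, and the firewall-then-security-group order are all assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Inbound packet on its way to an ECS (field names are illustrative).
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")
# Security group rule: Allow only, 3-tuple (protocol, port, peer address).
SGRule = namedtuple("SGRule", "proto port peer")
# Firewall rule: Allow or Deny, 5-tuple, with a priority.
# Assumption: a lower number means a higher priority; None means "any port".
FWRule = namedtuple("FWRule", "priority action proto src src_port dst dst_port")

def in_net(ip, cidr):
    return ip_address(ip) in ip_network(cidr)

def sg_allows_inbound(rules, p):
    # Only Allow rules exist, so rules can only add to what is permitted:
    # the packet passes if any rule matches it (assumption: otherwise dropped).
    return any(r.proto == p.proto and r.port == p.dst_port
               and in_net(p.src_ip, r.peer) for r in rules)

def fw_allows(rules, p):
    # The matching rule with the highest priority decides, Allow or Deny.
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.proto == p.proto
                and in_net(p.src_ip, r.src) and in_net(p.dst_ip, r.dst)
                and r.src_port in (None, p.src_port)
                and r.dst_port in (None, p.dst_port)):
            return r.action == "allow"
    return False  # assumption: traffic matching no rule is dropped

# Constructed sample data using documentation address ranges.
SG = [SGRule("tcp", 22, "203.0.113.0/24")]
FW = [FWRule(1, "deny", "tcp", "203.0.113.66/32", None, "10.0.1.0/24", 22),
      FWRule(2, "allow", "tcp", "203.0.113.0/24", None, "10.0.1.0/24", 22)]
ADMIN = Packet("tcp", "203.0.113.10", 50000, "10.0.1.5", 22)
BLOCKED = Packet("tcp", "203.0.113.66", 50001, "10.0.1.5", 22)
OUTSIDE = Packet("tcp", "198.51.100.7", 50002, "10.0.1.5", 22)

def verdicts(p):
    # Assumption: inbound traffic must pass the subnet firewall and then
    # the security group of the ECS.
    sg, fw = sg_allows_inbound(SG, p), fw_allows(FW, p)
    return {"security_group": sg, "firewall": fw, "delivered": sg and fw}

if __name__ == "__main__":
    for name, p in [("ADMIN", ADMIN), ("BLOCKED", BLOCKED), ("OUTSIDE", OUTSIDE)]:
        print(name, verdicts(p))
```

With Allow rules only, the security group cannot exclude 203.0.113.66 from the permitted /24; the higher-priority Deny rule on the firewall is what stops it.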