Differences Between Security Groups and Firewalls

You can configure security groups and firewalls to protect the ECSs in your VPC. The two work at different layers and are used together: inbound traffic must be allowed by the firewall of the subnet and by the security group of the ECS before it reaches the ECS, so a rule that is missing in either layer blocks the traffic.

  • Security groups protect ECSs.
  • Firewalls protect subnets.

For details, see Figure 1.

Figure 1 Security groups and firewalls

Table 1 describes the differences between security groups and firewalls.

Table 1 Differences between security groups and firewalls

Targets
  Security group: Operates at the ECS level.
  Firewall: Operates at the subnet level.

Rules
  Security group: Supports only Allow rules.
  Firewall: Supports Allow and Deny rules.

Priority
  Security group: All rules are Allow rules, so they cannot contradict each other. Overlapping rules are combined, and traffic that matches any rule is allowed.
  Firewall: If firewall rules conflict, the rule with the highest priority takes effect.

How to Use
  Security group: Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating an ECS.
  Firewall: Applies to all ECSs in the subnets associated with the firewall. A firewall cannot be selected during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable the firewall. The firewall then takes effect for the associated subnets and the ECSs in them.

Packets
  Security group: Filters packets on the 3-tuple (protocol, port, and peer IP address).
  Firewall: Filters packets on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address).
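The following script is an added illustration of the semantics in Table 1 and is not Huawei Cloud code. It models a security group as a union of Allow rules on the 3-tuple, a firewall as priority-ordered Allow/Deny rules on the 5-tuple, and shows that a packet reaches an ECS only when both layers allow it. The subnet, addresses, rules and packets are constructed sample data; the assumptions that a smaller priority number means a higher priority and that a firewall denies traffic no rule matches are marked in the code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of the two filtering layers described in Table 1.
# It illustrates the rule semantics; it is not Huawei Cloud's implementation.


@dataclass(frozen=True)
class Packet:
    protocol: str            # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]  # None for protocols without ports
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class SgRule:
    """Security group rule: 3-tuple, Allow only."""
    protocol: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]      # destination port for inbound traffic; None = any
    peer: str                # remote CIDR, e.g. "10.0.0.0/8" or "0.0.0.0/0"


@dataclass(frozen=True)
class FwRule:
    """Firewall (subnet) rule: 5-tuple, Allow or Deny, evaluated by priority."""
    priority: int            # assumption: a smaller number is a higher priority
    action: str              # "allow" or "deny"
    protocol: str
    src: str                 # source CIDR
    src_port: Optional[int]
    dst: str                 # destination CIDR
    dst_port: Optional[int]


def _proto_match(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or rule_proto == pkt_proto


def _port_match(rule_port: Optional[int], pkt_port: Optional[int]) -> bool:
    return rule_port is None or rule_port == pkt_port


def _cidr_match(cidr: str, ip: str) -> bool:
    return ip_address(ip) in ip_network(cidr, strict=False)


def security_group_allows(rules: List[SgRule], pkt: Packet) -> bool:
    """Every rule is an Allow rule, so overlapping rules form a union:
    one matching rule is enough to admit the packet."""
    for r in rules:
        if (_proto_match(r.protocol, pkt.protocol)
                and _port_match(r.port, pkt.dst_port)
                and _cidr_match(r.peer, pkt.src_ip)):
            return True
    return False  # nothing matched: no Allow rule, so the packet is dropped


def firewall_allows(rules: List[FwRule], pkt: Packet) -> bool:
    """The highest-priority matching rule decides, and it may be Deny."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (_proto_match(r.protocol, pkt.protocol)
                and _cidr_match(r.src, pkt.src_ip)
                and _port_match(r.src_port, pkt.src_port)
                and _cidr_match(r.dst, pkt.dst_ip)
                and _port_match(r.dst_port, pkt.dst_port)):
            return r.action == "allow"
    return False  # assumption: traffic that matches no rule is denied


def inbound_allowed(fw_rules: List[FwRule], sg_rules: List[SgRule], pkt: Packet) -> bool:
    """The subnet firewall and the ECS's security group both have to allow the packet."""
    return firewall_allows(fw_rules, pkt) and security_group_allows(sg_rules, pkt)


# Constructed sample topology: one web ECS in subnet 10.0.1.0/24.
SUBNET = "10.0.1.0/24"
WEB_ECS = "10.0.1.10"

SG_WEB = [
    SgRule("tcp", 443, "0.0.0.0/0"),
    SgRule("tcp", 443, "203.0.113.0/24"),  # overlaps the rule above: union, not a conflict
    SgRule("tcp", 22, "10.0.0.0/8"),
]

FW_SUBNET = [
    FwRule(1, "deny", "tcp", "198.51.100.0/24", None, SUBNET, None),  # blocked range, wins over rule 2
    FwRule(2, "allow", "tcp", "0.0.0.0/0", None, SUBNET, 443),
    FwRule(3, "allow", "tcp", "10.0.0.0/8", None, SUBNET, None),
]


def evaluate_samples() -> dict:
    """Run constructed inbound packets through both layers."""
    samples = {
        "https_from_internet": Packet("tcp", "203.0.113.5", 51000, WEB_ECS, 443),
        "https_from_blocked": Packet("tcp", "198.51.100.7", 51000, WEB_ECS, 443),  # deny (1) beats allow (2)
        "ssh_from_internet": Packet("tcp", "203.0.113.5", 51001, WEB_ECS, 22),     # no firewall rule matches
        "ssh_from_intranet": Packet("tcp", "10.0.2.8", 51002, WEB_ECS, 22),
        "http_from_intranet": Packet("tcp", "10.0.2.8", 51003, WEB_ECS, 80),       # firewall allows, SG has no port-80 rule
    }
    return {name: inbound_allowed(FW_SUBNET, SG_WEB, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```

The "http_from_intranet" case is the one worth keeping in mind when troubleshooting: the subnet firewall allows it, yet the packet never reaches the ECS because the security group has no matching Allow rule, and the "https_from_blocked" case shows why firewall rule priorities need to be checked when an Allow and a Deny rule overlap.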