Differences Between Security Groups and Firewalls

You can configure security groups and firewalls to increase the security of ECSs in your VPC.

  • Security groups operate at the ECS level.

  • Firewalls protect associated subnets and all the resources in the subnets.

For details, see Figure 1.

**Figure 1** Security groups and firewalls

Table 1 describes the differences between security groups and firewalls.

**Table 1** Differences between security groups and firewalls

| Category | Security Group | Firewall |
|---|---|---|
| Scope | Operates at the ECS level. | Operates at the subnet level. |
| Rules | Does not support Allow or Deny rules. | Supports both Allow and Deny rules. |
| Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. |
| Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable the firewall. The firewall then takes effect for the associated subnets and the ECSs in those subnets. |
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. |
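The two evaluation models in the table behave differently when rules overlap: security-group rules from every attached group are merged and any matching rule permits the traffic, while firewall rules are walked in priority order and the first match (Allow or Deny) decides. The following is an added example, not the cloud provider's code, that models both behaviours over the 3-tuple and 5-tuple fields named above. The rule classes, the "lower number means higher priority" convention, the default-deny fallback, and the sample policy and traffic are all constructed assumptions for illustration.

```python
"""Added model of security-group (3-tuple, merged) vs firewall (5-tuple,
priority-ordered) rule evaluation. Not the provider's implementation;
rule formats, priority convention and sample data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "any"  # protocol wildcard (constructed convention)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _in_cidr(ip: str, cidr: str) -> bool:
    return ip_address(ip) in ip_network(cidr, strict=False)


def _port_ok(want: Optional[int], got: int) -> bool:
    return want is None or want == got  # None = any port


def _proto_ok(want: str, got: str) -> bool:
    return want == ANY or want == got


@dataclass(frozen=True)
class SgRule:
    """Security-group rule: the page's 3-tuple (protocol, port, peer CIDR)."""
    proto: str
    port: Optional[int]
    peer: str


def sg_matches(rule: SgRule, pkt: Packet, inbound: bool = True) -> bool:
    # Inbound: peer is the sender; outbound: peer is the destination.
    peer_ip = pkt.src_ip if inbound else pkt.dst_ip
    return (_proto_ok(rule.proto, pkt.proto)
            and _port_ok(rule.port, pkt.dst_port)
            and _in_cidr(peer_ip, rule.peer))


def sg_decision(groups: List[List[SgRule]], pkt: Packet, inbound: bool = True) -> str:
    """Rules of all attached groups are combined; any match permits (no Deny rules)."""
    combined = [r for g in groups for r in g]
    return "allow" if any(sg_matches(r, pkt, inbound) for r in combined) else "deny"


@dataclass(frozen=True)
class FwRule:
    """Firewall rule: the page's 5-tuple plus action and priority."""
    priority: int  # assumption: lower number = higher priority
    action: str    # "allow" or "deny"
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def fw_matches(rule: FwRule, pkt: Packet) -> bool:
    return (_proto_ok(rule.proto, pkt.proto)
            and _in_cidr(pkt.src_ip, rule.src)
            and _port_ok(rule.src_port, pkt.src_port)
            and _in_cidr(pkt.dst_ip, rule.dst)
            and _port_ok(rule.dst_port, pkt.dst_port))


def fw_decision(rules: List[FwRule], pkt: Packet, default: str = "deny") -> str:
    """Highest-priority matching rule wins; assumed default-deny if nothing matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if fw_matches(r, pkt):
            return r.action
    return default


# Constructed sample policy: two security groups attached to one ECS in 10.0.1.0/24,
# and one firewall on that subnet with a high-priority Deny for a blocked range.
WEB_SG = [SgRule("tcp", 443, "0.0.0.0/0")]
ADMIN_SG = [SgRule("tcp", 22, "10.0.0.0/8")]
SUBNET_FW = [
    FwRule(1, "deny", ANY, "203.0.113.0/24", None, "0.0.0.0/0", None),
    FwRule(10, "allow", "tcp", "0.0.0.0/0", None, "10.0.1.0/24", 443),
    FwRule(20, "allow", "tcp", "10.0.0.0/8", None, "10.0.1.0/24", 22),
]

# Constructed sample inbound traffic to the ECS at 10.0.1.5.
SAMPLE_TRAFFIC = {
    "public_https": Packet("tcp", "198.51.100.7", 51000, "10.0.1.5", 443),
    "blocked_range_https": Packet("tcp", "203.0.113.9", 51001, "10.0.1.5", 443),
    "internet_ssh": Packet("tcp", "192.0.2.1", 4000, "10.0.1.5", 22),
    "internal_ssh": Packet("tcp", "10.2.3.4", 4000, "10.0.1.5", 22),
}


def evaluate(pkt: Packet) -> Dict[str, str]:
    return {"security_group": sg_decision([WEB_SG, ADMIN_SG], pkt),
            "firewall": fw_decision(SUBNET_FW, pkt)}


def evaluate_all() -> Dict[str, Dict[str, str]]:
    return {name: evaluate(p) for name, p in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:22s} SG={result['security_group']:5s} FW={result['firewall']}")
```

The `blocked_range_https` case is the one worth noticing: the merged security groups permit it (port 443 is open to everyone), but the subnet firewall's priority-1 Deny matches first and overrides the later Allow, which is exactly the layering the table describes. Traffic must pass both checks to reach the ECS.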