Community Blog Configuring Network Access Control List (NACL) on Alibaba Cloud

Configuring Network Access Control List (NACL) on Alibaba Cloud

In this article, we will explore the similarities and differences of network access control lists (NACL) and security groups, as well as discuss how to set up network ACL on ECS instances.

By Pradeep Guda, Solutions Architect at Alibaba Cloud

Recently I encountered some questions related to Network Access Control Lists (NACLs) on Alibaba Cloud. One of the questions I noticed was "Why is Network ACL not available in Alibaba Cloud?"

In this article, I hope to clear out some confusion regarding this topic and provide you with additional insight into server security on Alibaba Cloud Elastic Compute Service (ECS).

What Is Network ACL?

By definition, a network access control list (NACL) is a table, or a list, that tells a server the access rights of a network. It is the first line of defense to block the traffic at a subnet level and it is stateless. This means that you need to open both inbound and outbound ports explicitly to allow traffic based on your needs. For example, we can set the server to allow inbound SSH traffic from your home network's public IPv4 address range by whitelisting

What Is a Security Group?

Similarly, a security group is a virtual firewall and is the last line of defense to block the traffic to your instances. It is stateful, which means outbound port is opened automatically based on your inbound port. For example, you may open Port 22 on an ECS instance to allow SSH traffic to/from that particular instance.

Difference between Network ACL and Security Groups

Network ACL Security Groups
Associated with Subnet Associated with Instance
First line of defense Last line of defense
By default, custom NACL blocks all the traffic By default, blocks all the traffic
Stateless Stateful
Inbound and outbound rules should be created explicitly Only Inbound rule should be created explicitly and outbound traffic will be allowed automatically based on the inbound state.

How Network ACL Is Incorporated in AWS and Alibaba Cloud


In AWS, we can create instances without attaching security group to it. However, this is an unsafe instance and typically not recommended, so to protect that instance, Network ACL comes into picture. Network ACL is created by default (System NACL => Allows all traffic by default Or Custom NACL => Denies all traffic by default) when a subnet is created. This Custom Network ACL will block all the traffic and you are required to open the inbound and outbound ports accordingly to allow traffic through Network ACL to your instance.

Alibaba Cloud

In Alibaba Cloud, we cannot create instance without binding it to security groups. This means that all instances come with security features by default, and as a result, there is no need for an additional layer of security in the form of Network ACL.

Alibaba Cloud Security Groups provides same functionality as that of AWS Security Groups and Network ACL combined together at an instance level.

Is It Mandatory to Use Network ACL?

No. AWS Network ACL is a completely optional security feature and almost all of the use cases can be achieved with Alibaba Cloud security groups due to the nature of its tightly coupled and simplified design. AWS Network ACL + security group security feature is based on a more loosely coupled design, which provides more flexibility to control traffic at different layers but with extra overhead in maintaining it.

So is AWS or Alibaba Cloud's approach more secure? The answer is, they are the same. Both Alibaba Cloud and AWS provide the same level of security but through different means, which is determined by their respective designs.

However, the team at Alibaba Cloud may consider supporting Network ACL as a separate service for specific use cases (Ex: Not all resources in VPC are security group attachable) in the future to help AWS users migrate seamlessly to Alibaba Cloud.

Click here to learn more about Alibaba Cloud Security Groups.

1 0 1
Share on


1 posts | 1 followers

You may also like


5747268770276286 September 25, 2019 at 2:28 am

So, to isolate subnets in a VPC, the only way is to create security groups for instances in the subnets, right?


1 posts | 1 followers

Related Products