By Pradeep Guda, Solutions Architect at Alibaba Cloud
Recently I encountered some questions related to Network Access Control Lists (NACLs) on Alibaba Cloud. One of the questions I noticed was "Why is Network ACL not available in Alibaba Cloud?"
In this article, I hope to clear up some confusion regarding this topic and provide you with additional insight into server security on Alibaba Cloud Elastic Compute Service (ECS).
By definition, a network access control list (NACL) is a table, or a list, that tells a server the access rights of a network. It is the first line of defense, blocking traffic at the subnet level, and it is stateless. This means that you need to open both inbound and outbound ports explicitly to allow traffic based on your needs. For example, we can set the server to allow inbound SSH traffic from your home network's public IPv4 address range by whitelisting 192.0.2.0/24.
Similarly, a security group is a virtual firewall and is the last line of defense, blocking traffic to your instances. It is stateful, which means the outbound port is opened automatically based on your inbound port. For example, you may open port 22 on an ECS instance to allow SSH traffic to and from that particular instance.
| Network ACL | Security Groups |
| --- | --- |
| Associated with subnet | Associated with instance |
| First line of defense | Last line of defense |
| By default, custom NACL blocks all the traffic | By default, blocks all the traffic |
| Inbound and outbound rules should be created explicitly | Only the inbound rule should be created explicitly; outbound traffic will be allowed automatically based on the inbound state |
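
The stateless/stateful difference described above, shown as a small Python model. This is an added example, not code from the article or from either provider: the classes `Rule`, `Packet`, `StatelessAcl` and `StatefulGroup`, the client 192.0.2.10:50000 and the 1024-65535 reply port range are assumptions, and rule ordering, deny rules and instance-initiated outbound traffic are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    cidr: str       # allowed peer address range
    port_lo: int    # destination port range, inclusive
    port_hi: int

    def matches(self, peer_ip, dst_port):
        return (ip_address(peer_ip) in ip_network(self.cidr)
                and self.port_lo <= dst_port <= self.port_hi)

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the instance
    peer_ip: str
    peer_port: int
    local_port: int

class StatelessAcl:
    """Each packet is judged alone; anything unmatched is dropped."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, pkt):
        if pkt.direction == "in":
            return any(r.matches(pkt.peer_ip, pkt.local_port) for r in self.inbound)
        return any(r.matches(pkt.peer_ip, pkt.peer_port) for r in self.outbound)

class StatefulGroup:
    """Inbound rules only; replies to accepted flows pass automatically."""
    def __init__(self, inbound):
        self.inbound, self.flows = inbound, set()

    def allows(self, pkt):
        flow = (pkt.peer_ip, pkt.peer_port, pkt.local_port)
        if pkt.direction == "out":
            return flow in self.flows          # reply to a tracked connection
        if any(r.matches(pkt.peer_ip, pkt.local_port) for r in self.inbound):
            self.flows.add(flow)               # remember the accepted flow
            return True
        return False

def ssh_round_trip(fw):
    """Constructed sample: client 192.0.2.10:50000 connects to port 22."""
    request = Packet("in", "192.0.2.10", 50000, 22)
    reply = Packet("out", "192.0.2.10", 50000, 22)
    return fw.allows(request), fw.allows(reply)

SSH_IN = Rule("192.0.2.0/24", 22, 22)
EPHEMERAL_OUT = Rule("192.0.2.0/24", 1024, 65535)  # assumed client port range
```

With only `SSH_IN`, the stateless list accepts the request but drops the reply, so the SSH session never completes until `EPHEMERAL_OUT` is added; the stateful group needs only `SSH_IN`.
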
In AWS, we can create instances without attaching a security group to them. However, such an instance is unsafe and typically not recommended, so Network ACL comes into the picture to protect it. A Network ACL is created by default when a subnet is created (System NACL: allows all traffic by default; Custom NACL: denies all traffic by default). This Custom Network ACL will block all traffic, and you are required to open the inbound and outbound ports accordingly to allow traffic through the Network ACL to your instance.
In Alibaba Cloud, we cannot create an instance without binding it to security groups. This means that all instances come with security features by default, and as a result, there is no need for an additional layer of security in the form of Network ACL.
Alibaba Cloud Security Groups provide the same functionality as AWS Security Groups and Network ACL combined, at the instance level.
No. AWS Network ACL is a completely optional security feature and almost all of the use cases can be achieved with Alibaba Cloud security groups due to the nature of its tightly coupled and simplified design. AWS Network ACL + security group security feature is based on a more loosely coupled design, which provides more flexibility to control traffic at different layers but with extra overhead in maintaining it.
So is AWS or Alibaba Cloud's approach more secure? The answer is, they are the same. Both Alibaba Cloud and AWS provide the same level of security but through different means, which is determined by their respective designs.
However, the team at Alibaba Cloud may consider supporting Network ACL as a separate service in the future for specific use cases (for example, not all resources in a VPC can have a security group attached) to help AWS users migrate seamlessly to Alibaba Cloud.
Click here to learn more about Alibaba Cloud Security Groups.