By Pradeep Guda, Solutions Architect at Alibaba Cloud
Recently I encountered some questions related to Network Access Control Lists (NACLs) on Alibaba Cloud. One of the questions I noticed was "Why is Network ACL not available in Alibaba Cloud?"
In this article, I hope to clear out some confusion regarding this topic and provide you with additional insight into server security on Alibaba Cloud Elastic Compute Service (ECS).
By definition, a network access control list (NACL) is a table, or a list, that tells a server the access rights of a network. It is the first line of defense to block the traffic at a subnet level and it is stateless. This means that you need to open both inbound and outbound ports explicitly to allow traffic based on your needs. For example, we can set the server to allow inbound SSH traffic from your home network's public IPv4 address range by whitelisting 192.0.2.0/24.
Similarly, a security group is a virtual firewall and is the last line of defense to block the traffic to your instances. It is stateful, which means outbound port is opened automatically based on your inbound port. For example, you may open Port 22 on an ECS instance to allow SSH traffic to/from that particular instance.
| Network ACL | Security Groups |
| Associated with Subnet | Associated with Instance |
| First line of defense | Last line of defense |
| By default, custom NACL blocks all the traffic | By default, blocks all the traffic |
| Stateless | Stateful |
| Inbound and outbound rules should be created explicitly | Only Inbound rule should be created explicitly and outbound traffic will be allowed automatically based on the inbound state. |
In AWS, we can create instances without attaching security group to it. However, this is an unsafe instance and typically not recommended, so to protect that instance, Network ACL comes into picture. Network ACL is created by default (System NACL => Allows all traffic by default Or Custom NACL => Denies all traffic by default) when a subnet is created. This Custom Network ACL will block all the traffic and you are required to open the inbound and outbound ports accordingly to allow traffic through Network ACL to your instance.
In Alibaba Cloud, we cannot create instance without binding it to security groups. This means that all instances come with security features by default, and as a result, there is no need for an additional layer of security in the form of Network ACL.
Alibaba Cloud Security Groups provides same functionality as that of AWS Security Groups and Network ACL combined together at an instance level.
No. AWS Network ACL is a completely optional security feature and almost all of the use cases can be achieved with Alibaba Cloud security groups due to the nature of its tightly coupled and simplified design. AWS Network ACL + security group security feature is based on a more loosely coupled design, which provides more flexibility to control traffic at different layers but with extra overhead in maintaining it.
So is AWS or Alibaba Cloud's approach more secure? The answer is, they are the same. Both Alibaba Cloud and AWS provide the same level of security but through different means, which is determined by their respective designs.
However, the team at Alibaba Cloud may consider supporting Network ACL as a separate service for specific use cases (Ex: Not all resources in VPC are security group attachable) in the future to help AWS users migrate seamlessly to Alibaba Cloud.
Click here to learn more about Alibaba Cloud Security Groups.
JDP - April 29, 2022
Alibaba Cloud Community - March 23, 2022
Alibaba Clouder - February 25, 2020
Alibaba Clouder - January 31, 2019
JDP - March 31, 2022
Alibaba Cloud Native - April 10, 2023
Quick Starts
Deploy custom Alibaba Cloud solutions for business-critical scenarios with Quick Start templates.
Learn More
Accelerated Global Networking Solution for Distance Learning
Alibaba Cloud offers an accelerated global networking solution that makes distance learning just the same as in-class teaching.
Learn More
Networking Overview
Connect your business globally with our stable network anytime anywhere.
Learn More
Global Internet Access Solution
Migrate your Internet Data Center’s (IDC) Internet gateway to the cloud securely through Alibaba Cloud’s high-quality Internet bandwidth and premium Mainland China route.
Learn More
5747268770276286 September 25, 2019 at 2:28 am
So, to isolate subnets in a VPC, the only way is to create security groups for instances in the subnets, right?