A security group is a virtual internal firewall that is provided by Elastic Compute Service (ECS) to control the traffic between ECS instances.

Cloud Firewall provides the Internet firewall to control the traffic at the Internet boundaries, virtual private cloud (VPC) firewalls to control the traffic between VPCs, and internal firewalls to control the traffic between ECS instances.

Internal firewalls that are provided by Cloud Firewall use the technology of security groups. The policies that are configured on the Internal Firewall tab of the Access Control page in the Cloud Firewall console are automatically synchronized with the policies that are configured on the Security Groups page in the ECS console.

Unique features of Cloud Firewall

  • Application-based access control. For example, you can allow HTTP traffic so that HTTP services can run on any port.
  • Domain name-based access control. For example, you can allow ECS instances to send requests only to *.aliyun.com.
  • Intrusion prevention. Cloud Firewall protects against common system vulnerabilities and brute-force attacks.
  • The monitor mode of access control policies.
  • Complete traffic logs and real-time traffic analysis.

Enhanced features of Cloud Firewall

Cloud Firewall provides the following enhancements to security groups:
  • If no policy is set to allow in a policy group, the ECS instances in the policy group cannot communicate with each other.
    Note After all policies in a policy group are deleted, the policy group is treated as one to which no policies have been added, so the ECS instances in it cannot communicate with each other.
  • The number of policies that can be configured for internal firewalls (rules in ECS security groups) is limited. To ensure security, you can configure access control policies for VPC firewalls instead. This way, fewer policies need to be configured for internal firewalls. You can also increase the quota of access control policies for VPC firewalls. To increase the quota, submit a ticket.
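The following Python is an added illustrative model, not Cloud Firewall's own code or API, of the policy semantics described above: application-based matching that ignores the port, wildcard domain matching such as *.aliyun.com, and the default deny for a policy group that contains no allow policy. The field names and the first-match-wins ordering are assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    action: str                   # "allow" or "deny"
    app: Optional[str] = None     # e.g. "HTTP"; None matches any application
    domain: Optional[str] = None  # e.g. "*.aliyun.com"; None matches any destination


@dataclass
class PolicyGroup:
    policies: List[Policy] = field(default_factory=list)


def domain_matches(pattern: str, host: str) -> bool:
    """Match a destination host against an exact or leading-wildcard pattern.

    "*.aliyun.com" matches "img.aliyun.com" but not "aliyun.com" itself and
    not "evilaliyun.com"; the suffix check keeps the dot so that a lookalike
    domain cannot slip through.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".aliyun.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def evaluate(group: PolicyGroup, app: str, dest_host: str) -> bool:
    """Return True if traffic is allowed by the group (assumed first-match-wins).

    Application-based policies deliberately do not look at the port, so an
    HTTP allow applies to HTTP services on any port. A group with no
    matching allow policy, including an empty group, denies the traffic.
    """
    for policy in group.policies:
        if policy.app is not None and policy.app != app:
            continue
        if policy.domain is not None and not domain_matches(policy.domain, dest_host):
            continue
        return policy.action == "allow"
    return False  # default deny: no allow policy in the group


if __name__ == "__main__":
    group = PolicyGroup([Policy("allow", app="HTTP", domain="*.aliyun.com")])
    print(evaluate(group, "HTTP", "img.aliyun.com"))   # True
    group.policies.clear()
    print(evaluate(group, "HTTP", "img.aliyun.com"))   # False, group is now empty
```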