
Virtual Private Cloud: Enable access control for VPCs

Last Updated: Aug 02, 2023

To ensure the data security of your resources, you need to regulate access to your virtual private clouds (VPCs) so that only trusted users can access or manage your resources.

Overview

You can enable access control by using one of the following features:

  • Network access control list (ACL): allows you to manage network access in a VPC. You can create a network ACL in a VPC and add inbound and outbound rules to the network ACL. After you create a network ACL, you can associate it with a vSwitch. This way, you can use the network ACL to control the traffic that flows through the Elastic Compute Service (ECS) instances in the vSwitch. For more information about network ACLs, see Network ACL overview.

  • Security group: serves as a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in a security group. This improves the security of ECS instances. For more information, see Overview.

Use network ACLs

A network ACL allows you to manage network access in a VPC. You can create a network ACL in a VPC and add inbound and outbound rules to the network ACL. After you create a network ACL, you can associate it with a vSwitch. This way, you can use the network ACL to control the traffic that flows through the ECS instances in the vSwitch.

Configure a network ACL

You can configure a network ACL by using one of the following methods:

Work with network ACLs

You can add inbound and outbound rules to a network ACL. Then, you can associate the network ACL with vSwitches to control inbound and outbound traffic. For more information, see Overview of network ACLs and Common scenarios.

Use cases of network ACLs

You can use network ACLs to control traffic of ECS instances in different vSwitches and regulate the communication between data centers and cloud resources. For more information, see Manage intercommunication among ECS instances connected to different vSwitches and Manage communication between a data center and a VPC.
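The following script is an added example and is not part of the Alibaba Cloud page. It carries out the steps this section describes with the aliyun CLI: create a network ACL in a VPC, set its inbound and outbound entries, and associate it with a vSwitch. The region, VPC, vSwitch and ACL IDs are placeholders, 203.0.113.0/24 is a constructed admin range, and the parameter names follow the VPC API operations CreateNetworkAcl, UpdateNetworkAclEntries and AssociateNetworkAcl as exposed by the CLI (check them against your CLI version). The point worth noticing is the outbound side: a network ACL does not track connection state, so the SSH session allowed inbound only completes if replies to the admin range on ephemeral ports are also accepted outbound, whereas a stateful security group needs no such rule.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud page). Replace the placeholders
# with real IDs; 203.0.113.0/24 is a constructed admin range.
REGION="${REGION:-cn-hangzhou}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
VSWITCH_ID="${VSWITCH_ID:-vsw-PLACEHOLDER}"
NETWORK_ACL_ID="${NETWORK_ACL_ID:-nacl-PLACEHOLDER}"   # from the CreateNetworkAcl response
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"

# run: execute the aliyun CLI command, or only print it when DRY_RUN is set
# or the CLI is not installed, so the change can be reviewed before it is applied.
run() {
  if [ -n "${DRY_RUN:-}" ] || ! command -v aliyun >/dev/null 2>&1; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: create the network ACL in the VPC.
create_acl() {
  run aliyun vpc CreateNetworkAcl --RegionId "$REGION" --VpcId "$VPC_ID" \
    --NetworkAclName "${1:-web-tier-acl}"
}

# Step 2a: inbound entries. Entries are evaluated in order and the first match
# decides, so the explicit catch-all drop at the end keeps the policy independent
# of whatever default the ACL would otherwise apply. -1/-1 means all ports.
set_ingress_entries() {
  run aliyun vpc UpdateNetworkAclEntries --RegionId "$REGION" --NetworkAclId "$1" \
    --UpdateIngressAclEntries true \
    --IngressAclEntries.1.NetworkAclEntryName allow-ssh-admin \
    --IngressAclEntries.1.Protocol tcp \
    --IngressAclEntries.1.SourceCidrIp "$ADMIN_CIDR" \
    --IngressAclEntries.1.Port 22/22 \
    --IngressAclEntries.1.Policy accept \
    --IngressAclEntries.2.NetworkAclEntryName deny-rest \
    --IngressAclEntries.2.Protocol all \
    --IngressAclEntries.2.SourceCidrIp 0.0.0.0/0 \
    --IngressAclEntries.2.Port -1/-1 \
    --IngressAclEntries.2.Policy drop
}

# Step 2b: outbound entries. The ACL is stateless: replies to the SSH session
# above go back to the admin range on ephemeral destination ports, so they need
# their own accept entry or the connection never completes.
set_egress_entries() {
  run aliyun vpc UpdateNetworkAclEntries --RegionId "$REGION" --NetworkAclId "$1" \
    --UpdateEgressAclEntries true \
    --EgressAclEntries.1.NetworkAclEntryName allow-replies-admin \
    --EgressAclEntries.1.Protocol tcp \
    --EgressAclEntries.1.DestinationCidrIp "$ADMIN_CIDR" \
    --EgressAclEntries.1.Port 1024/65535 \
    --EgressAclEntries.1.Policy accept \
    --EgressAclEntries.2.NetworkAclEntryName deny-rest \
    --EgressAclEntries.2.Protocol all \
    --EgressAclEntries.2.DestinationCidrIp 0.0.0.0/0 \
    --EgressAclEntries.2.Port -1/-1 \
    --EgressAclEntries.2.Policy drop
}

# Step 3: associate the ACL with the vSwitch whose ECS instances it should govern.
associate_acl() {
  run aliyun vpc AssociateNetworkAcl --RegionId "$REGION" --NetworkAclId "$1" \
    --Resource.1.ResourceId "$VSWITCH_ID" --Resource.1.ResourceType VSwitch
}

# The whole procedure. After step 1, set NETWORK_ACL_ID from the response
# before running the remaining steps.
deploy() {
  create_acl "$1"
  set_ingress_entries "$NETWORK_ACL_ID"
  set_egress_entries "$NETWORK_ACL_ID"
  associate_acl "$NETWORK_ACL_ID"
}

if [ "${1:-}" = "deploy" ]; then
  deploy "${2:-web-tier-acl}"
fi
```

Run `DRY_RUN=1 sh network-acl.sh deploy` first to see the exact CLI calls; without DRY_RUN and with the CLI configured, the same invocation applies them. The 1024/65535 reply range is deliberately narrower than "all ports": it lets established sessions complete without also exposing listening services in the vSwitch to outbound-initiated traffic.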

Work with security groups

A security group acts as a virtual firewall to control the inbound and outbound traffic of ECS instances to improve security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups and security group rules to define security domains in the cloud.

Security groups and security group rules

Security groups are classified into basic security groups and advanced security groups. Advanced security groups are suitable for enterprise-grade scenarios: they can contain more instances, elastic network interfaces (ENIs), and private IP addresses than basic security groups, and they enforce stricter access control.

  • An instance must be added to at least one security group and can be added to multiple security groups. The secondary ENIs that are associated with an instance can be added to security groups different from those of the instance. An instance cannot belong to a basic security group and an advanced security group at the same time.

  • Security groups can control inbound and outbound traffic even before you add rules to the security groups. You can add rules to a security group or modify the rules of a security group to control inbound and outbound traffic in a more fine-grained manner. After rules are added to a security group or after rules in the security group are modified, the rules are automatically applied to instances within the security group. Security group rules can be used to control access to or from specific IP addresses, CIDR blocks, security groups, or prefix lists. For more information, see Add security group rules.

  • When you create security groups in the ECS console, default rules are automatically added to the security groups. You can modify these rules as needed.

Work with security groups

You can perform the following operations to use security groups to control traffic for instances:

  1. Create security groups.

  2. Add rules to the security groups.

  3. Add instances to the security groups.

  4. Manage existing security groups and security group rules based on your needs.

You can perform the following operations to use security groups to control traffic for secondary ENIs:

  1. Create security groups.

  2. Add rules to the security groups.

  3. Add secondary ENIs to the security groups.

  4. Associate the secondary ENIs with instances.

  5. Manage existing security groups and security group rules based on your needs.

For more information, see Create a security group and Security groups for different use cases.
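The following script is an added example and is not part of the Alibaba Cloud page. It walks through both procedures above with the aliyun CLI: create a security group, add inbound rules, then either add an instance to the group or add a secondary ENI to the group and attach the ENI to an instance. All IDs are placeholders, 203.0.113.0/24 is a constructed bastion range, and the parameter names follow the ECS API operations CreateSecurityGroup, AuthorizeSecurityGroup, JoinSecurityGroup, AttachNetworkInterface and DescribeSecurityGroupAttribute as exposed by the CLI (check them against your CLI version). The rules show two of the source types the page lists, a CIDR block and another security group; because the group is stateful, no outbound rule is added for reply traffic.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud page). Replace the placeholders
# with real IDs; 203.0.113.0/24 is a constructed bastion range.
REGION="${REGION:-cn-hangzhou}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"
ENI_ID="${ENI_ID:-eni-PLACEHOLDER}"
SG_ID="${SG_ID:-sg-PLACEHOLDER}"              # from the CreateSecurityGroup response
FRONTEND_SG_ID="${FRONTEND_SG_ID:-sg-FRONTEND-PLACEHOLDER}"
BASTION_CIDR="${BASTION_CIDR:-203.0.113.0/24}"

# run: execute the aliyun CLI command, or only print it when DRY_RUN is set
# or the CLI is not installed, so the change can be reviewed before it is applied.
run() {
  if [ -n "${DRY_RUN:-}" ] || ! command -v aliyun >/dev/null 2>&1; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: create the security group. SecurityGroupType is "normal" for a basic
# group and "enterprise" for an advanced (enterprise-grade) group.
create_sg() {
  run aliyun ecs CreateSecurityGroup --RegionId "$REGION" --VpcId "$VPC_ID" \
    --SecurityGroupName "$1" --SecurityGroupType "${2:-normal}"
}

# Step 2: add rules. Each rule opens exactly one port to one source; nothing
# else inbound is accepted. Priority 1 is the highest priority.
allow_ssh_from_bastion() {
  run aliyun ecs AuthorizeSecurityGroup --RegionId "$REGION" --SecurityGroupId "$1" \
    --IpProtocol tcp --PortRange 22/22 --SourceCidrIp "$BASTION_CIDR" \
    --Policy accept --Priority 1 --NicType intranet \
    --Description "SSH from the bastion range only"
}

# The source can be another security group instead of an address: the app tier
# accepts port 8080 only from members of the front-end group, whatever their IPs,
# so the rule stays correct when front-end instances are replaced.
allow_app_from_group() {
  run aliyun ecs AuthorizeSecurityGroup --RegionId "$REGION" --SecurityGroupId "$1" \
    --IpProtocol tcp --PortRange 8080/8080 --SourceGroupId "$2" \
    --Policy accept --Priority 1 --NicType intranet \
    --Description "app port from the front-end group"
}

# Step 3, instance path: add the instance to the group.
join_instance() {
  run aliyun ecs JoinSecurityGroup --RegionId "$REGION" \
    --InstanceId "$1" --SecurityGroupId "$2"
}

# Steps 3-4, secondary ENI path: add the ENI to the group, then attach it to the
# instance. The ENI keeps its own group membership, separate from the instance's.
join_eni() {
  run aliyun ecs JoinSecurityGroup --RegionId "$REGION" \
    --NetworkInterfaceId "$1" --SecurityGroupId "$2"
}
attach_eni() {
  run aliyun ecs AttachNetworkInterface --RegionId "$REGION" \
    --InstanceId "$1" --NetworkInterfaceId "$2"
}

# Ongoing management: list what is actually open after every change.
show_ingress_rules() {
  run aliyun ecs DescribeSecurityGroupAttribute --RegionId "$REGION" \
    --SecurityGroupId "$1" --Direction ingress
}

# Both procedures end to end. After step 1, set SG_ID from the response
# before running the remaining steps.
deploy() {
  create_sg "$1"
  allow_ssh_from_bastion "$SG_ID"
  allow_app_from_group "$SG_ID" "$FRONTEND_SG_ID"
  join_instance "$INSTANCE_ID" "$SG_ID"
  join_eni "$ENI_ID" "$SG_ID"
  attach_eni "$INSTANCE_ID" "$ENI_ID"
  show_ingress_rules "$SG_ID"
}

if [ "${1:-}" = "deploy" ]; then
  deploy "${2:-app-tier-sg}"
fi
```

Run `DRY_RUN=1 sh security-group.sh deploy` to print the CLI calls without applying them. The last call, DescribeSecurityGroupAttribute, is the check to keep in any change process: it shows the effective inbound rules, including the console defaults that are present before you add your own.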

Use cases of security groups

When you create an ECS instance in a VPC, you can add the ECS instance to the default security group or an existing security group in the VPC. For more information, see Configure security groups in different scenarios.