Alibaba Cloud VPC provides two mechanisms for controlling network traffic: security groups and network ACLs. Security groups operate at the instance level and handle most access control needs. Network ACLs provide vSwitch-level control, useful for enforcing broad traffic policies across multiple vSwitches.
- Security group: A security group acts as a virtual firewall for Elastic Compute Service (ECS) instances within a VPC. Attach a security group to one or more ECS instances to control their inbound and outbound traffic. Group instances with the same security requirements into one security group to create a security domain.
- Network ACL: A network ACL controls the inbound and outbound traffic of vSwitches. Attach a network ACL to one or more vSwitches to enforce access policies centrally across all instances in those vSwitches.
Comparison
| Item | Security groups | Network ACLs |
|---|---|---|
| Applicable scope | Instance level. Attach to one or more ECS instances. | vSwitch level. Attach to one or more vSwitches. |
| Working mode | Stateful. Return traffic is allowed automatically. For example, if you add an inbound rule that allows request traffic on port 80, the corresponding response traffic is allowed without an outbound rule. | Stateless. Return traffic must be allowed explicitly. For example, to allow inbound traffic on port 80, add an inbound rule for the request and a separate outbound rule for the response. |
| Intra-group control | Basic security group: traffic between instances in the group can be allowed or denied by configuration. Advanced security group: instances in the group are isolated from each other by default. | Does not control traffic between ECS instances in the same vSwitch. |
| Use cases | Control access between instances. Allow public inbound traffic on a specific port. | Enforce subnet-level isolation. Apply consistent access policies across multiple vSwitches. |
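The stateful versus stateless distinction in the table is the one that most often surprises people when a network ACL silently drops the second half of a connection. The following simulation is an added example, not code from the Alibaba Cloud documentation or from the VPC service itself: it models a security group as a rule set with connection memory and a network ACL as a rule set without it, then runs both halves of one HTTP connection through each. The rule model, the implicit deny when nothing matches, and the 5-tuple flow tracking are simplifying assumptions of this example, and the IP addresses and ports are constructed sample values.

```python
"""Added example: stateful (security group) vs stateless (network ACL) rule
evaluation for the two halves of one HTTP connection. This is a simplified
model written for illustration; it is not Alibaba Cloud's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", seen from the protected instance
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_range: tuple  # (low, high), matched against the packet's destination port
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        low, high = self.port_range
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and low <= pkt.dst_port <= high)


class StatelessAcl:
    """Network ACL semantics: each packet is judged only by the rules for its
    own direction. Nothing is remembered between packets."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"  # assumption: implicit deny when no rule matches


class StatefulSecurityGroup(StatelessAcl):
    """Security group semantics: once a packet is allowed, its 5-tuple is
    recorded and packets of the reverse flow are allowed without a rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self._allowed_flows = set()

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._allowed_flows:
            return "allow"  # return traffic of a tracked connection
        action = super().evaluate(pkt)
        if action == "allow":
            self._allowed_flows.add(
                (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return action


# Constructed sample connection: a client on the public side talks to a web
# server in the VPC. The request arrives on port 80, the reply goes back to
# the client's ephemeral port.
CLIENT_IP, SERVER_IP = "203.0.113.10", "10.0.0.5"
REQUEST = Packet("in", "tcp", CLIENT_IP, 51234, SERVER_IP, 80)
RESPONSE = Packet("out", "tcp", SERVER_IP, 80, CLIENT_IP, 51234)
# An outbound packet that is not a reply to anything the instance received.
UNSOLICITED = Packet("out", "tcp", SERVER_IP, 80, "198.51.100.7", 40000)


def security_group_port80():
    """One inbound rule on port 80 is enough: the reply is allowed by state,
    but an unsolicited outbound packet is still denied."""
    sg = StatefulSecurityGroup([Rule("in", "tcp", (80, 80))])
    return sg.evaluate(REQUEST), sg.evaluate(RESPONSE), sg.evaluate(UNSOLICITED)


def acl_port80_inbound_only():
    """The same single rule in a stateless ACL lets the request in and drops
    the reply, so the client never completes the connection."""
    acl = StatelessAcl([Rule("in", "tcp", (80, 80))])
    return acl.evaluate(REQUEST), acl.evaluate(RESPONSE)


def acl_port80_with_return_rule():
    """A stateless ACL needs an explicit outbound rule covering the client's
    ephemeral port range before the reply can leave."""
    acl = StatelessAcl([Rule("in", "tcp", (80, 80)),
                        Rule("out", "tcp", (1024, 65535))])
    return acl.evaluate(REQUEST), acl.evaluate(RESPONSE)


if __name__ == "__main__":
    print("security group:", security_group_port80())
    print("ACL, inbound rule only:", acl_port80_inbound_only())
    print("ACL, with return rule:", acl_port80_with_return_rule())
```

The third function shows the practical cost of stateless filtering: to let replies out, the ACL has to permit a wide outbound ephemeral-port range, which a stateful security group never needs to open. That is why the table positions network ACLs for coarse subnet-level policy and security groups for the per-instance decisions, and it is worth checking both layers together when a service inside a vSwitch is reachable but connections hang.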