Use the access control features of VPC


To protect the resources in your virtual private cloud (VPC), use the VPC access control features to filter traffic so that only authorized sources can reach those resources.

Overview

VPC supports the following access control features:

  • Network ACL: A network access control list (ACL) is a feature that lets you control network access within a VPC. You can create a network ACL, add inbound and outbound rules, and then associate the network ACL with a vSwitch to control traffic for the Elastic Compute Service (ECS) instances in the vSwitch. For more information, see Network ACLs.

  • Security group: A security group is a virtual firewall that controls inbound and outbound traffic for ECS instances within the group. This helps improve the security of the instances. For more information, see Security groups.

Use the network ACL feature

A network ACL lets you control network access within a VPC. You create a network ACL in a VPC, add inbound and outbound rules, and then associate the network ACL with a vSwitch to filter the traffic of the ECS instances in that vSwitch. Network ACL rules are stateless: a rule that admits a request does not automatically admit the response, so response traffic must be allowed by a rule in the opposite direction.

Configure a network ACL

The following topics describe how to configure and apply network ACLs.

Network ACL applications

Use the rule fields of a network ACL (action, protocol, port range, and source or destination CIDR block) to write inbound and outbound rules. Once the rules are in place, the network ACL gives you direction-specific control over the traffic of the cloud resources in the vSwitch. For more information, see Network ACLs and Best practices.

Network ACL examples

You can use network ACLs to restrict communication between ECS instances in different vSwitches or between a data center and the cloud. For more information, see Restrict communication between ECS instances in different vSwitches and Restrict communication between a data center and the cloud.

Use the security group feature

A security group is a virtual firewall that controls inbound and outbound traffic for the ECS instances in the group. Security groups provide stateful inspection and packet filtering: traffic that belongs to a connection the group has already admitted is allowed back through without a separate rule. You configure security group rules to carve the cloud network into security domains.

Security groups and security group rules

Security groups are classified into basic security groups and advanced security groups. Advanced security groups are designed for enterprise scenarios. They can contain more instances, elastic network interfaces (ENIs), and private IP addresses, and support stricter access policies.

  • The following rules apply when you add an instance to a security group:
    • An instance must belong to at least one security group and can belong to multiple security groups.
    • A secondary ENI attached to an instance can be added to a security group different from the one the instance belongs to.
    • An instance cannot belong to a basic security group and an advanced security group at the same time.

  • A security group filters inbound and outbound traffic even when it contains no rules: traffic that matches no rule is handled by the group's default policy, so check that policy before relying on an empty group. Add or modify security group rules to gain fine-grained control over traffic. After you add or modify security group rules, the rules are automatically applied to all instances in the security group. Security group rules support authorization by IP address, Classless Inter-Domain Routing (CIDR) block, another security group, or a prefix list. For more information, see Add a security group rule.

  • When you create a security group in the console, the system automatically adds default rules. Review these rules and modify or delete them as needed rather than assuming they match your requirements.
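The difference between the two layers described above, a stateless network ACL on the vSwitch and a stateful security group on the instance, is easiest to see on a single connection. The following is an added example written for this page; it is a model, not Alibaba Cloud code or an SDK call. The rule semantics it encodes (network ACL rules evaluated in list order with first match winning and no state, security group rules evaluated by priority with automatic admission of return traffic, sources given as a CIDR block, another security group `sg-*` or a prefix list `pl-*`) follow the descriptions above; the resource IDs, IP addresses, packets and the default-deny for traffic that matches no rule are constructed assumptions of the model.

```python
"""Model of a stateless network ACL and a stateful security group filtering one SSH flow.
Added example for this page; IDs, addresses and default policies are constructed assumptions."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int
    dport: int

    def reply(self):
        """The response packet of this flow: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Rule:
    action: str        # "accept" or "drop"
    proto: str         # "tcp", "udp", "icmp" or "all"
    ports: tuple       # (low, high) inclusive; ignored for icmp/all
    remote: str        # CIDR block; security groups also accept "sg-*" or "pl-*"
    priority: int = 1  # security groups only: lower value is evaluated first (assumption)


def port_matches(rule, port):
    return rule.proto in ("icmp", "all") or rule.ports[0] <= port <= rule.ports[1]


class NetworkAcl:
    """Stateless: each direction is evaluated on its own, first matching rule in list order
    wins, and a packet that matches no rule is dropped (model assumption)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    @staticmethod
    def _decide(rules, remote_ip, pkt):
        for r in rules:
            if r.proto in ("all", pkt.proto) and port_matches(r, pkt.dport) \
                    and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(r.remote):
                return r.action == "accept"
        return False

    def allows_inbound(self, pkt):   # traffic entering the vSwitch; remote side is the source
        return self._decide(self.inbound, pkt.src, pkt)

    def allows_outbound(self, pkt):  # traffic leaving the vSwitch; remote side is the destination
        return self._decide(self.outbound, pkt.dst, pkt)


class SecurityGroup:
    """Stateful: an accepted inbound connection admits its replies without any outbound rule.
    Rules are checked in priority order; the source may be a CIDR block, another security
    group (resolved to its members' private IPs) or a prefix list (a set of CIDR blocks)."""

    def __init__(self, inbound, outbound, group_members, prefix_lists, default_allow_outbound=True):
        self.inbound = sorted(inbound, key=lambda r: r.priority)
        self.outbound = sorted(outbound, key=lambda r: r.priority)
        self.group_members = group_members    # {"sg-...": {"10.0.1.5", ...}}
        self.prefix_lists = prefix_lists      # {"pl-...": ["192.168.10.0/24", ...]}
        self.default_allow_outbound = default_allow_outbound  # assumption; check your group type
        self.state = set()                    # inbound flows already accepted

    def _remote_matches(self, rule, ip):
        if rule.remote.startswith("sg-"):
            return ip in self.group_members.get(rule.remote, set())
        cidrs = self.prefix_lists[rule.remote] if rule.remote.startswith("pl-") else [rule.remote]
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

    def allows_inbound(self, pkt):
        for r in self.inbound:
            if r.proto in ("all", pkt.proto) and port_matches(r, pkt.dport) and self._remote_matches(r, pkt.src):
                if r.action == "accept":
                    self.state.add(pkt)   # remember the flow so its replies pass
                return r.action == "accept"
        return False                      # no rule matched: inbound denied (model assumption)

    def allows_outbound(self, pkt):
        if pkt.reply() in self.state:     # return traffic of an admitted flow: stateful pass
            return True
        for r in self.outbound:
            if r.proto in ("all", pkt.proto) and port_matches(r, pkt.dport) and self._remote_matches(r, pkt.dst):
                return r.action == "accept"
        return self.default_allow_outbound


def demo():
    """Constructed scenario: client 10.0.1.5 (member of sg-app) opens SSH to server 10.0.2.10."""
    client, server = "10.0.1.5", "10.0.2.10"
    syn = Packet(client, server, "tcp", 51234, 22)
    ssh_in = Rule("accept", "tcp", (22, 22), "10.0.0.0/8")
    acl_no_return = NetworkAcl([ssh_in], [Rule("accept", "tcp", (443, 443), "0.0.0.0/0")])
    acl_with_return = NetworkAcl([ssh_in], [Rule("accept", "tcp", (443, 443), "0.0.0.0/0"),
                                            Rule("accept", "tcp", (1024, 65535), "10.0.0.0/8")])  # replies
    sg = SecurityGroup(
        inbound=[Rule("accept", "tcp", (22, 22), "sg-app", priority=1),
                 Rule("accept", "tcp", (443, 443), "pl-office", priority=1),
                 Rule("drop", "all", (1, 65535), "0.0.0.0/0", priority=100)],
        outbound=[Rule("drop", "all", (1, 65535), "0.0.0.0/0", priority=1)],  # egress locked down
        group_members={"sg-app": {client}},
        prefix_lists={"pl-office": ["192.168.10.0/24"]})
    return {
        "acl_syn_in": acl_no_return.allows_inbound(syn),
        "acl_reply_out_no_rule": acl_no_return.allows_outbound(syn.reply()),
        "acl_reply_out_with_rule": acl_with_return.allows_outbound(syn.reply()),
        "sg_syn_in": sg.allows_inbound(syn),
        "sg_reply_out": sg.allows_outbound(syn.reply()),
        "sg_office_https_in": sg.allows_inbound(Packet("192.168.10.20", server, "tcp", 40000, 443)),
        "sg_stranger_in": sg.allows_inbound(Packet("10.0.3.7", server, "tcp", 40000, 22)),
    }
```

The two results worth comparing are `acl_reply_out_no_rule` (the network ACL drops the SSH reply because no outbound rule covers the client's ephemeral port) and `sg_reply_out` (the security group passes the same reply despite a drop-all outbound rule, because it remembers the admitted connection). When both layers are in use, the network ACL therefore needs an explicit outbound rule for response traffic, while the security group does not.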

Security group usage guide

The typical workflow for using a security group to control instance traffic is as follows:

  1. Create a security group.

  2. Add security group rules.

  3. Add an instance to the security group.

  4. Manage existing security groups and security group rules as needed.

The typical workflow for using a security group to control secondary ENI traffic is as follows:

  1. Create a security group.

  2. Add security group rules.

  3. Add a secondary ENI to the security group.

  4. Attach the secondary ENI to an instance.

  5. Manage existing security groups and security group rules as needed.

For specific operations and application examples for security groups, see Create a security group and Security group application guide and examples.

Security group configuration examples

When you create an ECS instance in a VPC, you can use the default security group rules provided by the system or select another existing security group in the VPC. For security group configuration examples, see ECS security group configuration examples.