:original_name: en-us_topic_0052003963.html
.. _en-us_topic_0052003963:
Differences Between Security Groups and Firewalls
=================================================
You can configure security groups and firewalls to increase the security of ECSs in your VPC.
- Security groups operate at the ECS level.
- Firewalls protect associated subnets and all the resources in the subnets.
For details, see :ref:`Figure 1 <en-us_topic_0052003963__fig9582182315479>`.
.. _en-us_topic_0052003963__fig9582182315479:
.. figure:: /_static/images/en-us_image_0148244691.png
:alt: **Figure 1** Security groups and firewalls
**Figure 1** Security groups and firewalls
:ref:`Table 1 <en-us_topic_0052003963__table53053071174845>` describes the differences between security groups and firewalls.
.. _en-us_topic_0052003963__table53053071174845:
.. table:: **Table 1** Differences between security groups and firewalls
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Category | Security Group | Firewall |
+==========+================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================================+
| Targets | Operates at the ECS level. | Operates at the subnet level. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Rules | Does not support **Allow** or **Deny** rules. | Supports both **Allow** and **Deny** rules. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Priority | If there are conflicting rules, they are combined and applied together. | If rules conflict, the rule with the highest priority takes effect. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Usage | Automatically applies to ECSs in the security group that is selected during ECS creation. You must select a security group when creating ECSs. | Applies to all ECSs in the subnets associated with the firewall. Selecting a firewall is not allowed during subnet creation. You must create a firewall, associate subnets with it, add inbound and outbound rules, and enable firewall. The firewall then takes effect for the associated subnets and ECSs in the subnets. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Packets | Only packet filtering based on the 3-tuple (protocol, port, and peer IP address) is supported. | Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported. |
+----------+------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
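
The following Python model is an added example, not part of the original documentation. It illustrates the **Priority** and **Packets** rows of Table 1 for one inbound packet. The rule field names, the "lower number wins" priority ordering, the default deny when no firewall rule matches, the requirement that both layers permit the packet, and all sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:                 # inbound packet arriving at an ECS
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class SgRule:                 # 3-tuple: protocol, port, peer IP address
    proto: str
    port: int
    peer: str                 # CIDR of the peer

@dataclass(frozen=True)
class FwRule:                 # 5-tuple plus action and priority
    priority: int             # assumption: lower number = higher priority
    action: str               # "allow" or "deny"
    proto: str
    src: str                  # source CIDR
    src_port: Optional[int]   # None matches any port
    dst: str                  # destination CIDR
    dst_port: Optional[int]

def sg_permits(rules, pkt):
    # Overlapping rules are combined: a match on any rule permits the packet.
    return any(r.proto == pkt.proto and r.port == pkt.dst_port
               and ip_address(pkt.src_ip) in ip_network(r.peer) for r in rules)

def fw_permits(rules, pkt):
    # The highest-priority matching rule decides; no match means deny (assumption).
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.proto == pkt.proto
                and ip_address(pkt.src_ip) in ip_network(r.src)
                and ip_address(pkt.dst_ip) in ip_network(r.dst)
                and r.src_port in (None, pkt.src_port)
                and r.dst_port in (None, pkt.dst_port)):
            return r.action == "allow"
    return False

def inbound_allowed(fw_rules, sg_rules, pkt):
    # Assumption: the subnet-level firewall and the ECS-level group must both permit.
    return fw_permits(fw_rules, pkt) and sg_permits(sg_rules, pkt)

# Constructed sample data
SG_RULES = [SgRule("tcp", 22, "10.0.0.0/8"), SgRule("tcp", 22, "10.0.1.0/24")]
FW_RULES = [FwRule(1, "deny", "tcp", "10.0.1.5/32", None, "10.0.2.0/24", 22),
            FwRule(2, "allow", "tcp", "10.0.0.0/8", None, "10.0.2.0/24", 22)]
PKT_BLOCKED = Packet("tcp", "10.0.1.5", 40000, "10.0.2.10", 22)
PKT_OK = Packet("tcp", "10.0.1.6", 40000, "10.0.2.10", 22)
```

With this sample data, the security group alone would admit both packets, but the priority-1 deny rule in the firewall blocks the packet from 10.0.1.5 before the broader allow rule is considered.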